On Wed, Feb 12, 2003 at 03:25:54PM +0100, Francesco Pirozzi wrote: > I understand... But, one last thing: do you think that the first block > of each overwritten file is somewhere intact - so that I can search > the disk for format headers - or do I have to rebuild the puzzle > from the second block (or deeper)? Was the filesystem mounted as ext2 or ext3 when you truncated all of the files to zero? If it was ext2, something that you might be able to do is to write a program which looks for indirect blocks. They have a very distinctive signature --- essentially, a series of 4 byte integers, that fall within the range of valid block numbers for the filesystem. That will give you information for files that are larger than 12 blocks (i.e., either 12k or 48k depending on whether you using 1k or 4k blocksizes). And if the filesystem was mostly unfragmented, then you can try looking 12 blocks before the identified indirect block to find the beginning of the file, and then use the indirect block to find the rest of the file. (And again, if the filesystem is mostly unfragmented, then the if there is more than one indirect block, it should be immediately after the data blocks allocated for the first indirect block.) If the filesystem was mounted as ext3, then unfortunately the indirect blocks will have been zero'ed out as part of the truncation process. But you can still search for the blocks which are all zero's, since they have a possibility of being a zero'ed out indirect block. So if the files were mostly unfragmented, you can try looking 12k before the indirect block, and see if you're at the beginning of a file. The limitation of this technique is that it won't help you recover smaller files. But it might help you recover something that's useful. - Ted P.S. I should close with an obligatory plug for regular backups... _______________________________________________ Ext3-users@redhat.com https://listman.redhat.com/mailman/listinfo/ext3-users
