Hi,
We are a team of
prefinal year computer science engineering students from kerala.We are trying to design an application which can
recover deleted data from the ext3 filesystem. And we are doing it by
editing the inode of the deleted file with the help of debugfs. As you
told the 'modify_inode' in debugfs will be help ful we have written
code to recover data . We could recover files of fairly larger size, we
tried recovering files over 1Gb and we are sure to recover files of 4Gb
in size if its not over-written.
But in the middle we are having little doubts and little problems
in recovery. Like , after we recover the file,it appears in the disk as
not accessible but when we unmout and remount the device the file is
available. I shallbrief what we are doing, in the following
lines. Please do go through it if you see it interesting. We have
regestered the project in sourceforge and we will be uploading the code
soon so that you can have your advices if you are interested.
* useing debugfs list the deleted files and their inode and select the file to be recovered.
* using logdump the details of the file inode, journal entry, size, links , blockcount.
*if logdump yields a number of entries of none-zero size, the appropriate one is selected.
*then the inode is set using command 'seti'
*the inode is modified with the direct and indirect pointers which are taken from the journal.
*now the inode is linked to a file in name of the deletd one.
Here when the file is recovered it is appearing in the device but when
we click on it, it will disappear but if the device is unmounted and
remounted again, the file will behave as a usual file itself.
And
if we ever delete a file which is recovered like this then all other
files in the device will become read-only , untill it is remounted.
Regards,
Ranju.
--
http://www.ranjithkannikara.blogspot.com/
