[BBLISA] Q on post-rm / fsys (dd,split,strings,whatever)

Doug Mildram dmildram at gmail.com
Thu Apr 8 22:25:00 EDT 2010 

Hi! I'm helping recover someelse's torched /  fsys at work
             (redhat9,ext3...have "dump" format of the BROKEN / also)

I had a USB external disk (ext3 fs, 200g) to dump onto, and I know this fsys
needs reloading,
   but some body parts might (or might not) be worth looking for.
Seriously if you've tried any post-mortem (HEALTY ext3 filesystem, torched
with "rm -rf /" (which is no prob for the fsys itself,
  but leaves the data in free blocks, which are
how-badly-scattered-i-wonder.

(background; the root perl script "system" rm -rf $variable/something
         did a few dirs and stopped....I have the perl script stderr logfile
for fun)

Would you guess the overall idea, or the rough steps below, might work well,
or not?
I would not dare to ask, but suspect a few of you may have tried something
LIKE this.

Since /boot and /etc (at least; I believe it was rm -rf / )
                got wiped  a few hours ago, I have the RAW FILESYSTEM too.
So the QUESTION is about recovering pieces of the REMOVED files perhaps e.g.


# dd if=/dev/sda2 of=FILEname01   count=500mb       ( "bs=8k"  not needed
these days right?)

#dd if=/dev/sda2  of=FILEname02 skip=500mb count=500mb   ( 2nd of roughly 60
pieces )

=================
thought the above might be smarter than "split --bytes=

So using plain tools like "split", "strings", "grep" I wonder if I could
recreate parts of a few files.

dump of /    had 3-5 gb (I'm home now, I forgot: took 1 hour to "dump" it to
usb2)
           has the files WITHOUT  /etc

(dd of 31gb / filesystem :     31gb. Not a problem.
        Maybe split it into ~ 500mb pieces with "split" ,,,,or "dd
count=(whatever500mb)
Then (havent really done this yet)  idea#  strings 500mbfile01 > strings01

Will be fun to see if "strings" is useful here.  Any tips?
--
(other ideas are fun topics too, since I'm holding the firehose, not the
torch)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.bblisa.org/pipermail/bblisa/attachments/20100408/286d516c/attachment.htm

More information about the bblisa mailing list