[Techtalk] Undelete utilities

JD Sqrd jmdsqrd at yahoo.com
Sun Feb 3 09:07:46 EST 2002


If all you want to do is undelete, you can look into
the script e2recover found at:
http://www.praeclarus.demon.co.uk/tech/e2-undel/
The author gives a fairly decent explanation of how
you can use debugfs to do it by hand or use his
script.

If you want a more point and clickish route, you can
use the undelete option in mc (midnight commander). 
Just remember two things: 1 - umount the device with
the data you need to undelete and 2 - after you gather
the un-associated data from the free inodes, you need
to save it elsewhere. (The interface is the same as
the old Norton's Commander, but I think I'm showing my
age.)

The Coroner's ToolKit, known as TCT is pretty good:
http://www.porcupine.org/forensics/tct.html
Be careful, you can get bogged down in options and
their vocabulary is a little depressing (the corpse,
the body, grave digging, etc.).

Another option for when you know what that data is,
but don't know where it is, and this can actually be
fairly quick, is to search the raw device using xxd,
or even grep, and just pull the data out.

Hope that helps
JD

--- Samantha Jo Moore <sjmoore at SysNetSpecialists.com>
wrote:
> Hi all,
> 
> I am in search of computer forensics tools for Linux.  Does anybody
> know of any "undelete" utilities that work with ext2 file systems,
> similar to the "Norton Utilities for Windows"?
> 
> Thanks in advance for any info.
> Samantha Jo Moore
> SysNet, Inc.
> sjmoore at SysNetSpecialists.com
> www.SysNetSpecialists.com


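The raw-device search mentioned in the message above, as an added example that is not part of the original post: it finds a known string on an image with grep and carves the surrounding bytes out with dd. The function names and the sample image are constructed for illustration, and GNU grep is assumed for the `-b -o` offset behaviour.

```shell
#!/bin/sh
# Added example: find known text on a raw image and carve the bytes around it.
# Run it against an image (or the unmounted device) and write output elsewhere.

# find_offsets IMAGE STRING: print the byte offset of every occurrence.
find_offsets() {
    # -a reads binary as text, -F matches literally, -b -o prints the
    # offset of the match itself (GNU grep behaviour, assumed here).
    LC_ALL=C grep -a -b -o -F -e "$2" "$1" | cut -d: -f1
}

# carve IMAGE OFFSET BEFORE AFTER OUT: copy bytes OFFSET-BEFORE..OFFSET+AFTER.
carve() {
    start=$(( $2 - $3 ))
    if [ "$start" -lt 0 ]; then start=0; fi   # hit near the start of the image
    len=$(( $2 + $4 - start ))
    dd if="$1" of="$5" bs=1 skip="$start" count="$len" 2>/dev/null
}

# recover_all IMAGE STRING BEFORE AFTER OUTDIR: one file per hit, prints hit count.
recover_all() {
    n=0
    for off in $(find_offsets "$1" "$2"); do
        carve "$1" "$off" "$3" "$4" "$5/hit_$off.bin" || return 1
        n=$((n + 1))
    done
    echo "$n"
}

# make_demo_image PATH: constructed sample standing in for a raw device,
# with two text fragments left between runs of zeroed blocks.
make_demo_image() {
    {
        head -c 4096 /dev/zero
        printf 'Dear team,\nthe quarterly report is attached.\nRegards, A\n'
        head -c 2048 /dev/zero
        printf 'draft: quarterly report v2\n'
        head -c 1024 /dev/zero
    } > "$1"
}

# Usage: sh carve.sh IMAGE STRING [OUTDIR]  (carve.sh is a placeholder name)
if [ "$#" -ge 2 ]; then
    recover_all "$1" "$2" 64 256 "${3:-.}"
fi
```

The 64 and 256 byte margins in the usage line are arbitrary; widen them until the carved file holds the whole fragment.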


