prasen120998

How to retrieve files once deleted

Is there any way to get back the files once deleted with rm command in Solaris?
NTIVER

Not as far as I know - the rm command doesn't usually save a copy anywhere like Windows does.

I use a script to remove my files which first copies them to a folder called recbin:

script:

#!/bin/sh
# Recycle-bin delete: copy the file to /home/recbin, log who/when, then remove it.
# Arguments are quoted and the basename is used so that a path argument still works;
# the file is only removed if the copy succeeded.
f=`basename "$1"`
cp "$1" /home/recbin/"$f" || exit 1
rm "$1"
date >> /home/recbin/"$f".txt
who am i >> /home/recbin/"$f".txt
echo "$1" >> /home/recbin/"$f".txt
echo "-----" >> /home/recbin/"$f".txt
echo
echo "$1 has been deleted to recycle bin"
echo

Tis very basic, but it essentially takes a copy of the file (taken as the argument passed to the script when called), copies it to the recycle area, makes a log file of user & date etc and deletes the file.

I then have another script that preens this folder every so often so that it never gets too big.

This way you've always got a copy of the file, and a log of who splatted it and when.

Sorry I can't be of much other help.

Do you keep regular backups?

Neil
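A fuller version of the recycle-bin idea above, added here as an example and not Neil's own script: it keeps colliding names apart with a timestamp, records the original path in the log, refuses to delete anything it failed to copy, and includes the preen step he mentions. The RECBIN location and the 7-day retention are assumptions.

```sh
#!/bin/sh
# Recycle-bin wrapper for rm (added example; RECBIN path and KEEP_DAYS are assumptions).
RECBIN="${RECBIN:-$HOME/recbin}"
KEEP_DAYS="${KEEP_DAYS:-7}"

# recbin_rm FILE...: copy each file into $RECBIN under a timestamped name,
# write a log entry (who, when, original path) and only then remove it.
recbin_rm() {
    mkdir -p "$RECBIN" || return 1
    for f in "$@"; do
        [ -f "$f" ] || { echo "skip: $f is not a regular file" >&2; continue; }
        stamp=$(date +%Y%m%d%H%M%S)
        base=$(basename "$f")
        saved="$RECBIN/$base.$stamp"
        # copy first; never delete something that was not preserved
        cp -p "$f" "$saved" || { echo "copy failed, $f NOT removed" >&2; return 1; }
        {
            echo "deleted: $(date)"
            echo "by:      ${LOGNAME:-$(id -un)}"
            echo "path:    $(cd "$(dirname "$f")" && pwd)/$base"
            echo "-----"
        } >> "$saved.txt"
        rm -f "$f"
        echo "$f has been moved to recycle bin as $saved"
    done
}

# recbin_preen: drop recycle-bin entries (and their logs) older than KEEP_DAYS.
recbin_preen() {
    find "$RECBIN" -type f -mtime +"$KEEP_DAYS" -exec rm -f {} +
}

# recbin_count: number of saved copies currently in the bin (log files excluded).
recbin_count() {
    find "$RECBIN" -type f ! -name '*.txt' | wc -l | tr -d ' '
}
```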
no, except from backup
As has been pointed out above, the general answer is no. However, depending on what Unix you are running and when the files were deleted it is sometimes possible to recover a deleted file or files. To be able to recover a deleted file it is generally necessary to take the system down immediately before the deleted data gets overwritten by other file system activity. Then you have to use a file system debugger to scan the drive for the data. Linux has a file system debugger that makes this fairly easy.
ASKER CERTIFIED SOLUTION
chris_calabrese

If you use Solaris, I don't think so. For Linux however, there is some preliminary support for undeletion (undelete flag). I never tested that and I don't think it will work; at least not well. But for Linux there is also an Ext2Fs disk editor (search lde on freshmeat). It won't be easy with it but it's definitely the tool to do such a job. I remember I did this on a couple of small files a few years ago.
You may try to search for a Solaris disk editor (Solaris uses a UFS derivative as filesystem if I remember well).

----
Radu-Adrian Feurdean
Brainbench Linux MVP
If you really need the files, you could try fsdb (man fsdb_ufs for ufs specific information); it's really low level so you will have to be really desperate or really crazy (make a good backup before attempting as you could really screw up your FS).
Your best chance of rescuing your data is if the filesystem has been very quiet since the deletion.

If it is a matter of extreme importance I would be inclined to remove the filesystem immediately.  If it is on a hot swappable disk, then just unplug it and send it off to a professional company for retrieval.

If it's not too critical and you can unplug the disk without shutting down the system (which will write to the disk), unplug it and put it into another powered up system with an identical disk.  Then use 'dd' to copy slice 2 to the identical disk.  Make several copies of the 1st copy and use one for each attempt at retrieval.

If you made the dd image into a file you could run 'strings' on it and look for some text that was in the file that you deleted.  It would take a long time for sure.

Hope this helps,

Regards, Nisus
http://www.omnimodo.com
look at the Coroner's Toolkit (www.fish.com/security/)
it has programs for recovery of data from slack-space etc.

If it is linux then this may help...
Do as Nisus has suggested - (even though he doesn't respond to my emails!) - dd the disk to another for analysis - or mount the partition as read only.

(method described in detail in sys admin magazine
article "Recovering Deleted Files in Linux")

If you need to get back a running program:
find its PID and do the following:
cp /proc/PID/exe /tmp/recoveredfile

if you have a process running that references a deleted file:
there will be a file as follows:
/proc/PID/fd/4 -> /home/mydeletedfile
(a list of open files can be gathered from lsof)

if the above does not help then you may need to
enter into the world of debugfs:
limitation - you can pull back files of a maximum size of (12*block size) - use the following command to find the system's block size (where hdc6 is the device mounted read-only):
echo stats| debugfs /dev/hdc6

to generate a list of deleted inodes we use the following command:
echo lsdel | debugfs /dev/hdc6 > /tmp/deletedinodes.out

get an inode number and do this (eg 110121)
debugfs /dev/hdc6
debugfs: stat <110121>

this will show Links: number (probably 0) as well as all of the blocks that make up the file:
these can be recovered individually as follows:
debugfs /dev/hdc6
debugfs: dump <110121> /tmp/resurrected.1

there are other ways if you have problems with the above.

Regards,
Festive (Nisus - email me)
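The lsdel/dump steps in the post above, strung together as an added example (not Festive's own commands): it reads the block size from debugfs's stats output, parses the lsdel listing into inode numbers, skips inodes larger than the 12*block-size limit the post mentions, and generates one dump command per inode into a recovery directory. The sample lsdel listing is constructed and /dev/hdc6 is only a placeholder device name.

```sh
#!/bin/sh
# Drive debugfs "lsdel" -> "dump" for every deleted inode (added example, not from the post).
# Constructed sample of what "echo lsdel | debugfs DEV" prints, so the parser runs offline.
SAMPLE_LSDEL=' Inode  Owner  Mode    Size      Blocks   Time deleted
110121      0 100644   3072    3/   3 Wed Jan  2 10:11:12 2002
110122      0 100644  65536   16/  16 Wed Jan  2 10:11:13 2002
 57344   1000 100600    512    1/   1 Wed Jan  2 10:11:14 2002
3 deleted inodes found.'

# block_size DEV: pull "Block size:" out of "echo stats | debugfs DEV" (needs debugfs).
block_size() {
    echo stats | debugfs "$1" 2>/dev/null | awk '/^Block size:/ { print $3; exit }'
}

# deleted_inodes BLOCKSIZE: read an lsdel listing on stdin and print "inode size" for
# each inode whose size fits in the direct blocks (12*BLOCKSIZE, the limit in the post);
# larger ones are reported on stderr because dump would only get their first 12 blocks.
deleted_inodes() {
    awk -v limit="$((12 * $1))" '
        $1 ~ /^[0-9]+$/ && NF >= 6 {
            if ($4 + 0 <= limit) print $1, $4
            else printf "skip inode %s: %s bytes > %s\n", $1, $4, limit > "/dev/stderr"
        }'
}

# dump_commands OUTDIR: turn the "inode size" list into debugfs dump commands, one
# resurrected file per inode, so they can be reviewed before being fed to debugfs.
dump_commands() {
    while read -r ino size; do
        echo "dump <$ino> $1/resurrected.$ino"
    done
}

# recover_all DEV OUTDIR: the live run against a read-only device, e.g.
#   recover_all /dev/hdc6 /tmp/recovered   (device name is a placeholder)
recover_all() {
    bs=$(block_size "$1")
    [ -n "$bs" ] || { echo "cannot read block size from $1" >&2; return 1; }
    mkdir -p "$2" || return 1
    echo lsdel | debugfs "$1" 2>/dev/null | deleted_inodes "$bs" \
        | dump_commands "$2" | debugfs "$1"
}
```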
I know you're not running Linux, but FYI for everyone following this thread - I'm taking the Forensics track of classes from SANS this week and we've been using a really cool Linux tool called e2recover.  You simply run debugfs to get the list of deleted inodes and e2recover will recover their contents.  Very slick.
No comment has been added lately, so it's time to clean up this Topic Area.
I will leave a recommendation for this question in the Cleanup topic area as follows:

- Answered by chris_calabrese
(All excellent comments, but if I recommended an 8-way point split, the moderators would shoot me; This thread should be the FAQ on data recovery :-)

Please leave any comments here within the next 7 days

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER !

tfewster (I don't work here, I'm just an Expert :-)
Finalized as proposed
(left the gun in the holster LOL)

modulo

Community Support Moderator
Experts Exchange
For completeness, I should also mention that there are professional data recovery companies that can help, even recovering data that has been overwritten.

Just type "data recovery" into Google and look for a local company.