[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now


EXT3 Data recovery and activity Audit

Posted on 2008-11-13
Medium Priority
Last Modified: 2012-08-13

We have a production/testing server (Ubuntu 606) which is open to all our developers and they have unrestricted access to certain directories on the server. These directories they usually mount into a location on there Worstations (ubuntu).
Some one has gone and deleted a few very important files and directories out of these directories and we need those files back - urgently (the backups are to old and useless) We believe they were deleted through one of the users mounts on their local machine and we are unable to see who or when these files were deleted as history and other logs only show the commands ran from the shell and locally on the server only.

Is there some way I can trace/audit/check what has happened with the files (if is is not possible, how can I configure something to monitor/audit the activity on the servers files and directories?)

Then also is there a way to easily recover the deleted files? (Raid 0; ext 3) We have tried tools like TestDisk and PhotoRec, but it dumps out way to many files making it close to impossible to find the right stuff.
Question by:Rigged
  • 3
  • 2
LVL 88

Assisted Solution

rindi earned 600 total points
ID: 22948162
You could try the following to recover the files. You'll have to register the tool to actually do the recovery, but you can scan the disk with the test version to show you the files.


The other part of the Q I hope someone else can help.

Author Comment

ID: 22948213
Thanks rindi, will give it a go. And let you know how it went.
LVL 19

Accepted Solution

jools earned 900 total points
ID: 22948334
Without process auditing or accounting configured on your system I'm afraid finding out what happened will be near impossible.

Check out;
and also the link lower on the page for process accounting;

Before you do this you should have a backup policy in place, auditing is fine but it wont stop it from happening again.
 [eBook] Windows Nano Server

Download this FREE eBook and learn all you need to get started with Windows Nano Server, including deployment options, remote management
and troubleshooting tips and tricks


Author Comment

ID: 22957541
Rindi, the app works 100% though it is a bit risky to use with the raid 0. We tested it for interest sake on a few other boxes (without registering) and it found a lot of files. Though lucky for us one of the other technicians here made a backup of everything before he did a few other things. Thus saved on that front :D Thanks anyways.

Hey Jools
Thanks the one link for Process Accounting was quite useful, but the Link you supplied above for file auditing I can't get working for Ubuntu (page is for Fedora/RH and I still a bit stupid with Linux).
There isn't perhaps something similar for Ubuntu?

LVL 19

Expert Comment

ID: 22957984
I believe the instructions are pretty much the same for all linux distros, for Ubuntu you will however need to use apt-get to install the packages and there may be some differences in the file locations which you could use `find` to locate them for you.

Author Closing Comment

ID: 31516286
Thanks For the Help Guys. Much Apretiated. The box where the fun happened uses specific Libc librarys for our development enviroment thus making it a bit dificult for the audit package to run. The boks is dew for replacement and we have tested if AuditD will run on the new one and it seams to be good.

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Your data is at risk. Probably more today that at any other time in history. There are simply more people with more access to the Web with bad intentions.
"Any files you do not have backed up in at least two [other] places are files you do not care about."
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
Suggested Courses

873 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question