Search the FAQ Archives

3 - A - B - C - D - E - F - G - H - I - J - K - L - M
N - O - P - Q - R - S - T - U - V - W - X - Y - Z
faqs.org - Internet FAQ Archives

comp.unix.aix Frequently Asked Questions (Part 1 of 5)
Section - 1.146: How do I recover deleted files?

( Part1 - Part2 - Part3 - Part4 - Part5 - Single Page )
[ Usenet FAQs | Web FAQs | Documents | RFC Index | Forum archive ]


Top Document: comp.unix.aix Frequently Asked Questions (Part 1 of 5)
Previous Document: 1.145: What is a checkstop error?
Next Document: 1.147: What questions are on the AIX Certified User/SystemAministrator/etc., exam?
See reader questions & answers on this topic! - Help others by sharing your knowledge
Preferably from a backup.  If you don't have a backup, at least one
company, Compunix, claims to have a product that will recover deleted
files.  More information is available at <http://www.compunix.com/>.

From: Bernard.Kozyra@bull.net

[Editor's note: this one appears to be for the really desperate ones,
but it might be helpful if you really need it the most.]

RECOVERING REMOVED FILES AND DIRECTORIES IN A FILESYSTEM

If a file is Deleted from the system, the filesytem blocks composing 
that file still exist, but are no longer allocated. As long as no new
files are created or existing files extended within the same filesystem, 
the blocks will remain untouched. It is possible to reallocate the 
blocks to the previous file using the "fsdb" command (filesystem debugger).


 MAKE A BACKUP OF THE ENTIRE FILESYSTEM BEFORE PERFORMING THESE STEPS!!!
 ELSE ( BANG !!!!! ).

 It is possible to send a mail for have some informations ...

                   Bernard.Kozyra@bull.net


Steps to recover a deleted file
-------------------------------

1) "ls -id {dir}" 
   (where dir is directory where file resided)
   Record INODE number for next step.

2) Unmount the filesystem.

3) "fsdb /{Mountpoint}" or "fsdb /dev/{LVname}"
   (where Mountpoint is the filesystem mount point, and LVname is 
   the logical volume name of the filesystem)

4) "{INODE}i"
   (where INODE is the inode number recorded in step 1)
   This will display the inode information for the directory. The
   field a0 contains the block number of the directory.
   The following steps assume only field a0 is used. If a value 
   appears in a1, etc, it may be necessary to repeat steps #5 and 
   #6 for each block until the file to be recovered is found.

5) "a0b"
   (moves to block pointed to by field "a0" of this inode)

6) "p128c"
   (prints 128 bytes of directory in character format)
   Look for missing filename. If not seen, repeat this step until
   filename is found. Record address where filename begins. Also
   record address where PRIOR filename begins. If filename does 
   not appear, return to step #5, and selecting a1b, a2b, etc.

   Note that the address of the first field is shown to the far left.
   Increment the address by one for each position to the right,
   counting in octal.

7) "a0b"
   (moves to block pointed to by field "a0" of this inode)
   If the filename was found in block 1, use a1b instead, etc.

8) "p128e"
   (prints first 128 bytes in decimal word format)
   Find the address of the file to recover (as recorded in step 6) 
   in the far left column. If address is not shown, repeat until found.

9) Record the address of the file which appeared immediately PRIOR to 
   the file you want to recover.

10) Find the ADDRESS of the record LENGTH field for the file in step 
   #9 assuming the following format:

   {ADDRESS}:  x    x    x    x    x    x    x    x    x    x  ...
               |    |    |    |    |-------- filename ------|
     inode # --+----+    |    |
                         |    +-- filename length
         record LENGTH --+

   Note that the inode number may begin at any position on the line.
   Note also that each number represents two bytes, so the address
   of the LENGTH field will be `{ADDRESS} + (#hops * 2) + 1'

11) Starting with the first word of the inode number, count in OCTAL
    until you reach the inode number of the file to be restored, 
    assuming each word is 2 bytes.

12) "0{ADDRESS}B={BYTES}"
    (where ADDRESS is the address of the record LENGTH field found
    in step #10, and BYTES is the number of bytes [octal] counted 
    in step #11)

13) If the value found in the LENGTH field in step #10 is greater than
    255, also type the following:

    "0{ADDRESS-1}B=0"
    (where ADDRESS-1 is one less than the ADDRESS recorded in step #10)
    This is necessary to clear out the first byte of the word.

14) "q"
    (quit fsdb)

15) "fsck {Mountpoint}" or "fsck /dev/{LVname}"
    This command will return errors for each recovered file asking if
    you wish to REMOVE the file. Answer "n" to all questions.
    For each file that is listed, record the associated INODE number.

16) "fsdb /{Mountpoint}" or "fsdb /dev/{LVname}"

17) {BLOCK}i.ln=1
    (where BLOCK is the block number recoded in step #15)
    This will change the link count for the inode associated with
    the recovered file. Repeat this step for each file listed in
    step #15.

18) "q"
    (quit fsdb)

19) "fsck {Mountpoint}" or "fsck /dev/{LVname}"
    The REMOVE prompts should no longer appear. Answer "y" to
    all questions pertaining to fixing the block map, inode map,
    and/or superblock.

20) If the desired directory or file returns, send money to the author
    of this document.

User Contributions:

1
ukrainewomenyul
But remnants' crop burning hits harvesting hard

This sunday, quite possibly 28, 2019 snapshot, Provided by the city service group, jointly for Jarniyah, contains been authenticated based on its contents and other AP reporting, Shows Syrians lifetime extinguish a fire in a field of crops, wearing Jaabar, Raqqa state, Syria. Thousands of acres of wheat and barley fields in both Syria and Iraq have been scorched by the fires within harvest season, that typically runs until mid June. "The life that we live here is already bitter, " stated Hussain Attiya, A farmer from Topzawa Kakayi in upper Iraq. "If the outcome continues like this, I would say that no one will continue to be here. I plant 500 to 600 acres on a yearly basis. still, I won't be able to do that because I can't stay here and guard the land day and night. "ISIS militants have a history of working with a "Scorched earth insurance coverage " In areas from that they can retreat or where they are defeated. Ahmed al Hashloum thoughts Inmaa, Arabic for benefits, A local civil group that supports farming. all it takes is a cigarette butt to set haystacks on fire, He brought up. Said the fires are threatening to disrupt normal food production cycles and potentially reduce food to protect months to come. The crop burning remains localized and can't be compared to pre war devastation, Beals considered that. "suffice to say, It is only the beginning of the summer and if the fires continue it could lead to a crisis, " Beals recounted,AlternativeHeadline,prepared crop burning blamed on ISIS remnants compounds misery in war torn Iraq and Syria"}

But good news is short lived in this part of the world, Where residents of the two countries struggle to face seemingly never ending violence and turmoil amid Syria's civil war and attacks by remnants of the Islamic State of Iraq and Syria (ISIS) social groups. of course, Even in locations where conflict has subsided, Fires currently raging in farmers' fields, depriving them of valuable crops.

The blazes have been blamed also consider on defeated ISIS militants seeking to avenge their losses, Or on Syrian regime forces battling to rout other armed groups. Thousands of acres of wheat and barley fields in both Syria and Iraq have been scorched by the fires within harvest season, what kind runs until mid June.

ISIS militants have a history of implementing a "Scorched earth guideline" In areas from which retreat or where they are defeated. this "A means of inflicting a collective punishment on those put aside, said Emma Beals, a completely independent Syria researcher.

ISIS militants claimed obligations for burning crops in their weekly newsletter, al Nabaa, Saying they targeted farms owned by senior officials in six Iraqi provinces and in Kurdish administered eastern Syria, sending the persistent threat from the group even after its territorial defeat.

ISIS said it burned the farms of "The apostates in Iraq together with the Levant" And required more.

"It seems that it'll be a hot summer that will burn the pockets of the apostates as well as their hearts as they burned the Muslims and their homes in the past years, this great article said.

countless acres of wheat fields around Kirkuk in northern Iraq were set on fire. Several wheat fields in the Daquq district in southern Kirkuk burned for three days straight yesterday.

In eastern Syria's Raqqa state, Farmers battled raging fires with items of cloth, bags and water trucks. Piles of hay burned and black smoke billowed above the job areas.

The Syrian Observatory for Human Rights said through 74,000 acres (30,000 hectares) linked farmland in Hassakeh, Raqqa and completely to Aleppo province to the west, Were scorched.

Activist Omar Abou Layla said local Kurdish led forces failed to react to the fires in the province of Deir el Zour, Where ISIS was uprooted from its last property in March, (...)

Comment about this article, ask questions, or add new information about this topic:



Top Document: comp.unix.aix Frequently Asked Questions (Part 1 of 5)
Previous Document: 1.145: What is a checkstop error?
Next Document: 1.147: What questions are on the AIX Certified User/SystemAministrator/etc., exam?

Part1 - Part2 - Part3 - Part4 - Part5 - Single Page

[ Usenet FAQs | Web FAQs | Documents | RFC Index ]

Send corrections/additions to the FAQ Maintainer:
bofh@mail.teleweb.pt (Jose Pina Coelho)




Last Update March 27 2014 @ 02:11 PM