1.146: How do I recover deleted files?

Preferably from a backup.  If you don't have a backup, at least one
company, Compunix, claims to have a product that will recover deleted
files.  More information is available at <http://www.compunix.com/>.

From: Bernard.Kozyra@bull.net

[Editor's note: this one appears to be for the really desperate ones,
but it might be helpful if you really need it the most.]

RECOVERING REMOVED FILES AND DIRECTORIES IN A FILESYSTEM

If a file is Deleted from the system, the filesytem blocks composing 
that file still exist, but are no longer allocated. As long as no new
files are created or existing files extended within the same filesystem, 
the blocks will remain untouched. It is possible to reallocate the 
blocks to the previous file using the "fsdb" command (filesystem debugger).


 MAKE A BACKUP OF THE ENTIRE FILESYSTEM BEFORE PERFORMING THESE STEPS!!!
 ELSE ( BANG !!!!! ).

 It is possible to send a mail for have some informations ...

                   Bernard.Kozyra@bull.net


Steps to recover a deleted file
-------------------------------

1) "ls -id {dir}" 
   (where dir is directory where file resided)
   Record INODE number for next step.

2) Unmount the filesystem.

3) "fsdb /{Mountpoint}" or "fsdb /dev/{LVname}"
   (where Mountpoint is the filesystem mount point, and LVname is 
   the logical volume name of the filesystem)

4) "{INODE}i"
   (where INODE is the inode number recorded in step 1)
   This will display the inode information for the directory. The
   field a0 contains the block number of the directory.
   The following steps assume only field a0 is used. If a value 
   appears in a1, etc, it may be necessary to repeat steps #5 and 
   #6 for each block until the file to be recovered is found.

5) "a0b"
   (moves to block pointed to by field "a0" of this inode)

6) "p128c"
   (prints 128 bytes of directory in character format)
   Look for missing filename. If not seen, repeat this step until
   filename is found. Record address where filename begins. Also
   record address where PRIOR filename begins. If filename does 
   not appear, return to step #5, and selecting a1b, a2b, etc.

   Note that the address of the first field is shown to the far left.
   Increment the address by one for each position to the right,
   counting in octal.

7) "a0b"
   (moves to block pointed to by field "a0" of this inode)
   If the filename was found in block 1, use a1b instead, etc.

8) "p128e"
   (prints first 128 bytes in decimal word format)
   Find the address of the file to recover (as recorded in step 6) 
   in the far left column. If address is not shown, repeat until found.

9) Record the address of the file which appeared immediately PRIOR to 
   the file you want to recover.

10) Find the ADDRESS of the record LENGTH field for the file in step 
   #9 assuming the following format:

   {ADDRESS}:  x    x    x    x    x    x    x    x    x    x  ...
               |    |    |    |    |-------- filename ------|
     inode # --+----+    |    |
                         |    +-- filename length
         record LENGTH --+

   Note that the inode number may begin at any position on the line.
   Note also that each number represents two bytes, so the address
   of the LENGTH field will be `{ADDRESS} + (#hops * 2) + 1'

11) Starting with the first word of the inode number, count in OCTAL
    until you reach the inode number of the file to be restored, 
    assuming each word is 2 bytes.

12) "0{ADDRESS}B={BYTES}"
    (where ADDRESS is the address of the record LENGTH field found
    in step #10, and BYTES is the number of bytes [octal] counted 
    in step #11)

13) If the value found in the LENGTH field in step #10 is greater than
    255, also type the following:

    "0{ADDRESS-1}B=0"
    (where ADDRESS-1 is one less than the ADDRESS recorded in step #10)
    This is necessary to clear out the first byte of the word.

14) "q"
    (quit fsdb)

15) "fsck {Mountpoint}" or "fsck /dev/{LVname}"
    This command will return errors for each recovered file asking if
    you wish to REMOVE the file. Answer "n" to all questions.
    For each file that is listed, record the associated INODE number.

16) "fsdb /{Mountpoint}" or "fsdb /dev/{LVname}"

17) {BLOCK}i.ln=1
    (where BLOCK is the block number recoded in step #15)
    This will change the link count for the inode associated with
    the recovered file. Repeat this step for each file listed in
    step #15.

18) "q"
    (quit fsdb)

19) "fsck {Mountpoint}" or "fsck /dev/{LVname}"
    The REMOVE prompts should no longer appear. Answer "y" to
    all questions pertaining to fixing the block map, inode map,
    and/or superblock.

20) If the desired directory or file returns, send money to the author
    of this document.