Summary: restoring deleted files

From: Sid Stuart (sid@Think.COM)
Date: Fri Nov 08 1991 - 12:47:13 CST


I posted a letter earlier this week asking if anyone knew of a utility
to restore deleted files. I got back 14 replies. Many people suggested
looking into Norton Utilities for the Sun. The author of the first
letter below gives a review of it. He is not impressed. Another letter
suggested a utility called Buttsaver. I have not looked into it
yet, their address is listed in the letter below. Several of the replys
authoritativly stated that nothing could be done. Barry Shein sent a
letter saying he is doing it now. He also mentioned that it is a
major pain and he charges $150/hour. Barry, I think you should
consider upping your rate. ;-)

Thamks for all the replies,
Sid

====================================================================

there is no known way to recover from this disaster. This person is
truly out of luck.

Jeff Nieusma <nieusma@cs.colorado.edu>

=================================================================

Sorry, but you are out of luck.

DOS UnDelete programs take advantage of the unoptomized DOS file
system and the single-tasking nature of DOS. When you delete a file
under DOS, the space typically isn't reused until sometime later.
Also, it is easy to completely stop any modifications to the
filesystem, because there is only one program running.

In contrast to this, U*IX thinks that a good place to put a file is in
the free space nearest to where the drive head is physically
positioned (an oversimplification). This makes for a fast filesystem.
However, there are typically another hundred processes running at any
given time that may want to write to files, and thereby write over the
spot where your deleted file data was.

It's better to change mindsets now from the "did I get lucky?"
crapshoot world of UnDelete to the guaranteed performance of a regular
backup scheme. You can set up a backup scheme to maintain any
particular set of peace-of-mind requirements. Users and managment
both know what they can expect in the way of security, and they can
rely on it being there in the face of hardware failure and user error.
It's a much more professional arrangment.

-----

There is a Norton Utilities for U*IX, but it's overpriced misleading
garbage. The review I saw in Byte described several different
programs, which I will mercilessly pick apart:

        "Super block editor" - allows unsophisticated users to
        completely scramble the important parameters of their
        filesystems beyond any wild hope of recovery.

The only parameters that can be changed without completely
regenerating the filesystem from scratch are tweakable by the program
"tunefs" that already exists on your system. Any other parameters
need to be specified at build time, and may be given to the program
"mkfs" that already exists on your system.

        "Norton Batch Enhancer" - allows bored users to put
        highlighting, cursor positioning, and other bells and whistles
        into their scripts in a terminal-independent way.

This program already exists on your system, and it is called "tput".

        "Norton UnDelete" - allows files that have been deleted by the
        user at the command line after the time that Norton UnDelete
        has been installed, to be retrieved.

This isn't a general undelete-from-disk program. What this program
gives you is a replacement for the "rm" command that moves the file to
a hidden directory instead of actually deleting it. The "undelete"
program just mv's the file back out where it's visible. Note that
files deleted from within other programs are still unretrievable.
This sort of functionality can be programmed in a couple ten-line
scripts, or I can mail you the C source and man pages for a few
programs called "delete", "undelete", and "purge" that do exactly what
I've described.

Brian Bartholomew UUCP: ...gatech!uflorida!reef.cis.ufl.edu!bb
University of Florida Internet: bb@math.ufl.edu

========================================================================

Unless you had that disk turned off line as soon
as the damage was done, it's probably hopeless.
The information will be scattered all over the disk with
absolutely no pointers to it because they'll have been
replaced by pointers to new material as the inodes
were recycled. If the disk was bagged soon enuf,
there are services that can recover the data.
I don't know anyone who's doing it or has had it
done -- I seem to recall that James Joyce's UNIX
Bookstore in San Francisco had some involvement with
this, but I could be confused. Good luck.

mike@fionn.lbl.gov

==========================================================================

I saw Norton Utility advertised for SunOS, in the Sun Observer.

Ask Hal Stern

mez@orbot.co.il (Bernie Mezrich)

============================================================================

        I can't answer the question you asked, but I'd certainly install
MIT's undelete program (it's in an old archive of comp.sources.unix). It
basically, makes rm a 2 step process, so you can recover from these types
of things. I forced some of my users to start using it, because I was
tired of restoring their files ;-)

Good luck,
Michael
lamour@mitre.org

=============================================================================

Kiss the files goodbye. There is no such animal for SunOS (or any other Unix
except those that have it kluged into the kernel) because Unix is a
multiprocessing environment in which as soon as a file is deleted, its space
is freed up and usually quicly tromped on by other user and system processes.

Even on DOS you have to stop writing to the afflicted disk in order to use
Norton to unerase files - on Unix the multiprocessing immediately bites you.

-Roger

Roger Gonzalez - rg@msel.unh.edu
UNH Marine Systems Engineering Laboratory, Durham, NH 03824-3525

===============================================================================

I know there is a Norton Utility limited port to unix. I know
recovering deleted files is the main thrust of the port. I
can't remember who sells it or if it's ported to suns.

Andy Stefancik Internet: as6143@eerpf001.ca.boeing.com
Boeing Commercial Airplane G. UUCP: ...!uunet!bcstec!eerpf001!as6143
P.O. Box 3707 MS 64-25 Phone: (206) 234-3049
Seattle, WA 98124-2207

=================================================================================

here are now Norton utilites available for Unix. However, whether they have
the exact same functionalities as their DOS counterparts (in particular the
Undelete capability) I can't say.

Jim Napier
Programmer/Analyst
UC San Diego
(619)534-5414
jnapier@ucsd.edu

================================================================================

Hi Sid,

Sorry to hear this problem.

>I am hoping for something like a Norton Utility for SunOS.
Actually there is a Notron utility for unix I think even SunOS.
I cannot tell where to get it. I sugget calling Norton.

>- Oran

===========================================================================

As far as I know, the way Unix file systems work, it is utterly
impossible to restore deleted data. If you find out differently, I'd
be interested to hear about it.

Condolences --
       ------------------------------------------------------------------------
       |Eric Hanchrow sun.com!nosun!yamada-sun!eric |
       |Phase III Logic, Inc. cse.ogi.edu!yamada-sun!eric |
       |1600 N.W. 167th Place Beaverton, OR 97006-4800 USA |
       |Voice: (503)-645-0313 Fax: (503)-645-0207 as of 4-Oct-89|
       --Member--League-for-Programming-Freedom--write-league@prep.ai.mit.edu--

===============================================================================

If you haven't done anything else on the filesystem you might be able to
use "Buttsaver" by "Lone Star Computer." The most recent reference I
have to it is "The Programmer's Shop/Unix Catalog," a distributor at
800-544-8732 or 617-740-2510; Lone Star seems to be in Maryland
at 800-525-UNIX (Mt Airy, MD).

webber@world.std.com (Robert D Webber)

=================================================================================

Right this moment I am working on the same exact problem for a client
and slowly developing utilities. The big problem is the definition of
"recover". You generally cannot recover exactly what was there,
particularly the directory structure as that's exactly what is mostly
gone even if the data is 99% intact. However, you can do better than
nothing on guessing the structure by the disk locations of where you
found files, say grouping files together, the Sun (and BSD in general)
file system is pretty good on locality of creation on the disk.

Needless to say this is not my idea of a walk in the park, I charge
real money to tackle these problems and will expect something even if
it's deemed a hopeless case (since it even takes a few hours work to
be able to give that diagnosis, but cost has to be based on my time,
not results, primarily, I have no idea if I'm being handed an,
effectively, zero'd disk.) But it won't cost much if it looks
hopeless, I can usually determine that in a couple of hours work at
$150/hour.

I'm also happy to pull back as much as I can and then let the client
sort the mess out (they're usually better able to anyhow as they know
what was in the files and how the directories might have been arranged
etc.) The less I do, the less I charge. I'm happy to get back to my
newsgroup posting...

I'll also say at the outset that files which can be typified (e.g.
ASCII text, files created by certain software packages) are much
easier to recover than, say, random binaries, as at some point one
usually has all these blocks, some of which obviously go together with
each other, some, who knows, etc. Kind of a jigsaw puzzle dropped on
the floor.

But there's no real magic, ie. something which can just run over the
disk image and put it all back together, there are some hints around
for the detective work, and I've been developing some tools to speed
up that process a lot.

Feel free to call me if I can be of assistance, 617-739-0202.

        -Barry Shein

Software Tool & Die | bzs@world.std.com | uunet!world!bzs
Purveyors to the Trade | Voice: 617-739-0202 | Login: 617-739-WRLD

===============================================================================

I believe that Norton or someone had come up with something like an
un-delete utility, but you had to have it installed and running before
your "accident" occured. What it did was to intercept rm and only
make it look like you deleted a file. The file was actually kept
and made available when you wanted it, or truly lost when the file
system needed the space. In your current case however... does the
expression "dead meat" convey the proper meaning?

I believe that the way UNIX works on file allocation is like so:
The file name is simply a pointer to an inode, which is a pointer
to the actual data OUT THERE on the file system. When you rm a
file, you erase the name, and hence the pointer to the inode. The
system sees that the inode is not being pointed to and thus frees
it and the data space it was pointing to for new use. When you
create a hard link, all you do is to create another file name that
points to the inode. When either file name is deleted, the other
file name is still pointing to the inode, and the file is then
still valid.

Best wishes,

Russ Button
button@alc.com
(The blind leading the blind.)



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:06:17 CDT