SUMMARY: HELP! Home directories deleted.

From: Dave Haywood (D.Haywood@sheffield-city-poly.ac.uk)
Date: Thu Oct 15 1992 - 00:38:04 CDT


Hi,

  First of all, thanks for all your replies.

  The general consensus is: "You're in big trouble!". The most important
thing to do first when you have deleted some files is to not use the file
system that the files resided on. The disk can then be treated as a raw
device and the data read from the disk - the reader having to find and piece
together the files. This requires an intricate knowledge of the disk
architecture and a lot of patience!!

  There are some utilities about (Norton etc) which most people who have seen
them say are a waste of time and money - all of the functionality can be
achieved with existing UNIX utilities/commands.

  Here is a summary of the replies; thanks to all of you who responded.

-------

From: Hilarie Orman <ho@edu.arizona.cs>

If you haven't used the disk too much since the deletions you might be
able to recover bits and pieces, but there is no algorithm that will
provide much help -- too much structure has already been lost. You
can access the disk as a raw device (e.g. /dev/rsd01) and use search
utilities to find interesting deleted sections -- these will
correspond to disk blocks that are currently on the free list. For
example, if you need to find files with the string "TEST DATA", you
could try

    grep 'TEST DATA' /dev/rrsd0a

A positive response would show you that at least one disk block of the
data was there, and then you would be faced with the problem of
trying to find which area of the disk had the block, and then you
could use "dd" to extract it. You might try using dd to extract
1M at a time of data, and use a text editor like emacs to examine it.

This is the best that can be done. The deleted blocks are usually
the first to be overwritten, and the blocks for one file are often
scattered about the disk fairly randomly.

From: David Fetrow <fetrow@biostat.washington.edu>

 It is POSSIBLE to recover most of the information (don't write ANYTHING
to the disk) but it's a long and ugly and expensive process (some of the
folks who read this list make their living doing this. I am, alas, not
one of them).

 By "long" I mean; you ship the drive to them and they eventually send
you the drive (and maybe a tape) back.

 Perhaps the art has improved since I last checked several years ago.
Back then it was almost an exercise in cryptography (this inode's info
looks like it belongs with that inode's info, etc.).

 Good luck.

From: Dave Haywood <sysdth@oak.scp.ac.uk>

  The /home/<machine>/... directories have been accidentally deleted from
our Sun Sparc II machine.

  There is essential work, carried out today, in these directories which I
*really*, no desperately, need to recover.

  Is it possible for me to doctor the disk in some way (Maxtor 1.2Gb) to get
these directories back? Is there *anything* I can do to get some/all of the
files back?

  Sun tell me it isn't possible - Do you know any different?

From: frankm@shadow.cna.tek.com (Frank 'Scruff' Miller)

I think the only chance you had was to instantly hit the power button
... this will keep the blocks from being assigned to the free list.

Then *sometimes* a fsck will get things proper.

Someone might know better, but there is no recovery like DOS.

From: Colin Macleod <cmacleod@mcs.dundee.ac.uk>

> The /home/<machine>/... directories have been accidentally deleted from
> our Sun Sparc II machine.

Here is a copy of info from sun-managers on this subject a while ago.
I'm afraid it's not very hopeful, though.

Subject: Summary: restoring deleted files
Date: Fri, 08 Nov 91 09:01:29 EST
From: Sid Stuart <sid@com.Think>
Sender: sun-managers-request@uk.ac.nsfnet-relay

I posted a letter earlier this week asking if anyone knew of a utility
to restore deleted files. I got back 14 replies. Many people suggested
looking into Norton Utilities for the Sun. The author of the first
letter below gives a review of it. He is not impressed. Another letter
suggested a utility called Buttsaver. I have not looked into it
yet; their address is listed in the letter below. Several of the replies
authoritatively stated that nothing could be done. Barry Shein sent a
letter saying he is doing it now. He also mentioned that it is a
major pain and he charges $150/hour. Barry, I think you should
consider upping your rate. ;-)
====================================================================
there is no known way to recover from this disaster. This person is
truly out of luck.
=================================================================
Sorry, but you are out of luck.

DOS UnDelete programs take advantage of the unoptimized DOS file
system and the single-tasking nature of DOS. When you delete a file
under DOS, the space typically isn't reused until sometime later.
Also, it is easy to completely stop any modifications to the
filesystem, because there is only one program running.

In contrast to this, U*IX thinks that a good place to put a file is in
the free space nearest to where the drive head is physically
positioned (an oversimplification). This makes for a fast filesystem.
However, there are typically another hundred processes running at any
given time that may want to write to files, and thereby write over the
spot where your deleted file data was.

It's better to change mindsets now from the "did I get lucky?"
crapshoot world of UnDelete to the guaranteed performance of a regular
backup scheme. You can set up a backup scheme to maintain any
particular set of peace-of-mind requirements. Users and management
both know what they can expect in the way of security, and they can
rely on it being there in the face of hardware failure and user error.
It's a much more professional arrangement.
-----
There is a Norton Utilities for U*IX, but it's overpriced misleading
garbage. The review I saw in Byte described several different
programs, which I will mercilessly pick apart:

    "Super block editor" - allows unsophisticated users to
    completely scramble the important parameters of their
    filesystems beyond any wild hope of recovery.

The only parameters that can be changed without completely
regenerating the filesystem from scratch are tweakable by the program
"tunefs" that already exists on your system. Any other parameters
need to be specified at build time, and may be given to the program
"mkfs" that already exists on your system.

    "Norton Batch Enhancer" - allows bored users to put
    highlighting, cursor positioning, and other bells and whistles
    into their scripts in a terminal-independent way.

This program already exists on your system, and it is called "tput".

    "Norton UnDelete" - allows files that have been deleted by the
    user at the command line after the time that Norton UnDelete
    has been installed, to be retrieved.

This isn't a general undelete-from-disk program. What this program
gives you is a replacement for the "rm" command that moves the file to
a hidden directory instead of actually deleting it. The "undelete"
program just mv's the file back out where it's visible. Note that
files deleted from within other programs are still unretrievable.
This sort of functionality can be programmed in a couple ten-line
scripts, or I can mail you the C source and man pages for a few
programs called "delete", "undelete", and "purge" that do exactly what
I've described.
========================================================================
Unless you had that disk turned off line as soon
as the damage was done, it's probably hopeless.
The information will be scattered all over the disk with
absolutely no pointers to it because they'll have been
replaced by pointers to new material as the inodes
were recycled. If the disk was bagged soon enuf,
there are services that can recover the data.
I don't know anyone who's doing it or has had it
done -- I seem to recall that James Joyce's UNIX
Bookstore in San Francisco had some involvement with
this, but I could be confused. Good luck.
==========================================================================
I saw Norton Utility advertised for SunOS, in the Sun Observer.

Ask Hal Stern
============================================================================
    I can't answer the question you asked, but I'd certainly install
MIT's undelete program (it's in an old archive of comp.sources.unix). It
basically makes rm a 2-step process, so you can recover from these types
of things. I forced some of my users to start using it, because I was
tired of restoring their files ;-)
=============================================================================
Kiss the files goodbye. There is no such animal for SunOS (or any other Unix
except those that have it kluged into the kernel) because Unix is a
multiprocessing environment in which as soon as a file is deleted, its space
is freed up and usually quickly tromped on by other user and system processes.

Even on DOS you have to stop writing to the afflicted disk in order to use
Norton to unerase files - on Unix the multiprocessing immediately bites you.
==============================================================================
I know there is a Norton Utility limited port to unix. I know
recovering deleted files is the main thrust of the port. I
can't remember who sells it or if it's ported to suns.
==============================================================================
There are now Norton utilities available for Unix. However, whether they have
the exact same functionalities as their DOS counterparts (in particular the
Undelete capability) I can't say.
==============================================================================
>I am hoping for something like a Norton Utility for SunOS.
Actually there is a Norton utility for unix I think even SunOS.
I cannot tell where to get it. I suggest calling Norton.
===========================================================================
As far as I know, the way Unix file systems work, it is utterly
impossible to restore deleted data. If you find out differently, I'd
be interested to hear about it.
==============================================================================
If you haven't done anything else on the filesystem you might be able to
use "Buttsaver" by "Lone Star Computer." The most recent reference I
have to it is "The Programmer's Shop/Unix Catalog," a distributor at
800-544-8732 or 617-740-2510; Lone Star seems to be in Maryland
at 800-525-UNIX (Mt Airy, MD).
==============================================================================
Right this moment I am working on the same exact problem for a client
and slowly developing utilities. The big problem is the definition of
"recover". You generally cannot recover exactly what was there,
particularly the directory structure as that's exactly what is mostly
gone even if the data is 99% intact. However, you can do better than
nothing on guessing the structure by the disk locations of where you
found files, say grouping files together, the Sun (and BSD in general)
file system is pretty good on locality of creation on the disk.

Needless to say this is not my idea of a walk in the park, I charge
real money to tackle these problems and will expect something even if
it's deemed a hopeless case (since it even takes a few hours work to
be able to give that diagnosis, but cost has to be based on my time,
not results, primarily, I have no idea if I'm being handed an,
effectively, zero'd disk.) But it won't cost much if it looks
hopeless, I can usually determine that in a couple of hours work at
$150/hour.

I'm also happy to pull back as much as I can and then let the client
sort the mess out (they're usually better able to anyhow as they know
what was in the files and how the directories might have been arranged
etc.) The less I do, the less I charge. I'm happy to get back to my
newsgroup posting...

I'll also say at the outset that files which can be typified (e.g.
ASCII text, files created by certain software packages) are much
easier to recover than, say, random binaries, as at some point one
usually has all these blocks, some of which obviously go together with
each other, some, who knows, etc. Kind of a jigsaw puzzle dropped on
the floor.

But there's no real magic, ie. something which can just run over the
disk image and put it all back together, there are some hints around
for the detective work, and I've been developing some tools to speed
up that process a lot.

Feel free to call me if I can be of assistance, 617-739-0202.
==============================================================================
I believe that Norton or someone had come up with something like an
un-delete utility, but you had to have it installed and running before
your "accident" occurred. What it did was to intercept rm and only
make it look like you deleted a file. The file was actually kept
and made available when you wanted it, or truly lost when the file
system needed the space. In your current case however... does the
expression "dead meat" convey the proper meaning?

I believe that the way UNIX works on file allocation is like so:
The file name is simply a pointer to an inode, which is a pointer
to the actual data OUT THERE on the file system. When you rm a
file, you erase the name, and hence the pointer to the inode. The
system sees that the inode is not being pointed to and thus frees
it and the data space it was pointing to for new use. When you
create a hard link, all you do is to create another file name that
points to the inode. When either file name is deleted, the other
file name is still pointing to the inode, and the file is then
still valid.

------------------------------ Message Separator -----------------------------
From: bzs@com.std.world (Barry Shein)

If anyone at Sun or other vendors wants to pass this along, one small
and I believe harmless change in the file system would make recovery
much, much easier: Don't zero out the block pointers in the inode or
the mode when a file is deleted, use some other indicator, like
setting the access time to 0xFFFFFFFF or some such thing (or maybe set
the number of blocks held to zero, whatever.)

Then again, one person's feature is another's security hole. I could
see arguments why you wouldn't want to make it too easy to recover
deleted files. Obviously fsck would need to be changed a little also.

Folks, if you find yourself in this situation, hit the power button or
L1-A the sucker, bring it back up single user, and dd the partition to
tape before mounting or anything. Fsck will clean up the mess if need
be, it's the least of your problems if you've really wiped a disk full
of valuable, unbacked-up files. And don't expect miracles.

Better yet, do regular backups, but you knew that already...ya can pay
now, or pay later...

From: Ashwin_Mistry@gec-epl.co.uk

Sorry to hear of your problem, if you do find an answer, could you
share it with me. Thanks

From: Steve Rumsby <steve@maths.warwick.ac.uk>

As I'm sure lots of other people will tell you, there's no way to get
back deleted files on a Unix system. Backup tapes are the best you can
do. Sorry...

From: John DiMarco <jdd@db.toronto.edu>

Egad, you're in trouble.

> Is it possible for me to doctor the disk in some way (Maxtor 1.2Gb) to get
>these directories back? Is there *anything* I can do to get some/all of the
>files back?

If the files are text or data files, and you would recognize their contents
when you see them, there is something (painful) you can do:

- *DON'T* write to the disk partition which used to contain the files you
  erased. You'll overwrite the data that was in those files.
- Read the raw disk device (eg /dev/rsd0d) for that partition. Look for
  sections that belong to the files you erased. Copy those sections (eg. using
  cut and paste) to another file on another filesystem.

If you want, you can dd the entire partition onto a tape, and read it from
there.

> Sun tell me it isn't possible - Do you know any different?

When you erase a file, you've clobbered the list of blocks that belong to
it. The blocks containing the data in the file are assigned to the free list.
You need to examine the blocks (they're 8k or less in size) to find out which
belong to which file, and retrieve the data from that. It's a slow and
painful process. I've done it before. :-(

From: Harvey Richardson <harvey@physics.heriot-watt.ac.uk>

If it was work you did today then forget it. It would take longer to get
any data back.

Assuming that you immediately unmounted the disk:
You can look at the raw disk device and hope to spot the blocks that
contain your work. This will be very hard unless your files have a very
obvious structure. There are consultancies that do this in the PC world
but it costs a lot of money.
You also need someone with a good knowledge of the unix file system
(not me!)

Mostly doom and gloom I'm afraid. As ever the message is that if your
data is really important you back it up on the timescale that makes sense.

From: Patrick Shopbell <pls@pegasus.rice.edu>

    If you immediately unmounted the directories so that none of
the disk blocks could have been re-allocated, you might be able to
find a commercial package, such as the Norton Utilities (I know there
is a UNIX version) that could get some of the files back.
    I don't know much about where to get this, but it's an idea.

From: birger@vest.sdata.no (Birger A. Wathne)

First you should halt the computer (or umount those filesystems), so
you don't do any further damage.

You could take it to a disk specialist. There are companies around that
specialize in this kind of stuff. It's somewhat expensive, but it may still
be cheaper than using your work hours to try fixing it.

I cannot help you with names in the UK. I only know about one company in
Norway. They have worked with this for 12 years now. They are called
'ibas laboratories' and can be reached at

Instrumentbyraaet A/S
Arkoveien 14
P. Box 1250
N-2201 Kongsvinger
Phone: +47-66-16377

If you know enough about the data you are looking for and the unix file
system, you may be able to search the disk structure and put some files
back together....
-------

Dave.
--------------------------------------------------------------------------
JANET : D.Haywood @ uk.ac.sheffield-city-poly | Dave Haywood.
  or D.Haywood @ uk.ac.scp | Computer Services,
INTERNET: D.Haywood @ scp.ac.uk | Sheffield Hallam University,
Telex : 54680 SHPOLY G | Pond Street,
Tel : +44 742-533-828 | Sheffield. S1 1WB. ENGLAND.
FAX : +44 742-533-840 |
X.400:/I=D/S=Haywood/O=Sheffield-City-Poly/PRMD=UK.AC/ADMD= /C=GB
X.500:@c=GB@o=Sheffield City Polytechnic@ou=Computer Services@cn=Dave Haywood
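
The raw-device search that several replies describe (find the blocks holding a known string, then copy them out with dd), as an added example that is not from any of the posters. It works on a saved image of the partition rather than the live device; the image is a small constructed file, and the function names and the 8192-byte block size (from the "8k or less" remark) are assumptions.

```shell
#!/bin/sh
# Added example: locate and copy out the blocks of a saved partition image
# that contain a known string. Never run the search against a mounted disk.
BS=8192   # assumed block size; the thread says blocks are "8k or less"

# Build a small constructed image: 4 zero-filled blocks with a marker
# string inside block 2. On a real system the image would come from
# dd'ing the unmounted partition to tape or to another disk.
make_demo_image() {
    img=$1
    dd if=/dev/zero of="$img" bs="$BS" count=4 2>/dev/null
    printf 'TEST DATA: constructed sample record\n' |
        dd of="$img" bs=1 seek=$((2 * BS + 100)) conv=notrunc 2>/dev/null
}

# Print the number of every block in image $1 that contains string $2.
# A string that straddles two blocks is not found; search for short markers.
find_blocks() {
    img=$1 pattern=$2
    size=$(wc -c < "$img")
    nblocks=$(( (size + BS - 1) / BS ))
    n=0
    while [ "$n" -lt "$nblocks" ]; do
        if dd if="$img" bs="$BS" skip="$n" count=1 2>/dev/null |
            LC_ALL=C grep -q -F -- "$pattern"; then
            echo "$n"
        fi
        n=$((n + 1))
    done
}

# Copy block $2 of image $1 to file $3 (keep $3 on a different filesystem).
extract_block() {
    dd if="$1" of="$3" bs="$BS" skip="$2" count=1 2>/dev/null
}

# Demo on the constructed image.
tmp=$(mktemp -d)
make_demo_image "$tmp/part.img"
for b in $(find_blocks "$tmp/part.img" 'TEST DATA'); do
    extract_block "$tmp/part.img" "$b" "$tmp/block.$b"
    echo "block $b (byte offset $((b * BS))) saved to $tmp/block.$b"
done
```
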
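
The rm replacement described in the Norton UnDelete review and the MIT undelete reply, written out as shell functions. This is an added example, not the MIT program, Norton's, or the C sources offered in the thread; the `$HOME/.deleted` location and the function bodies are assumptions.

```shell
#!/bin/sh
# Added example: "delete" parks a file in a hidden directory instead of
# unlinking it, "undelete" moves it back, "purge" frees the space for real.
TRASH=${TRASH:-$HOME/.deleted}   # hypothetical holding directory

# Absolute path of $1; only the parent directory has to exist.
abs_path() {
    d=$(cd "$(dirname -- "$1")" && pwd -P) || return 1
    echo "$d/$(basename -- "$1")"
}

# delete FILE...: move each file under $TRASH, mirroring its full path.
# Deleting the same path twice replaces the earlier parked copy.
delete() {
    for f in "$@"; do
        p=$(abs_path "$f") || return 1
        mkdir -p "$TRASH$(dirname -- "$p")" || return 1
        mv -- "$p" "$TRASH$p" || return 1
    done
}

# undelete FILE...: move a parked file back to where it was.
# Refuses to overwrite a file that has since been created at that path.
undelete() {
    for f in "$@"; do
        p=$(abs_path "$f") || return 1
        if [ -e "$p" ]; then
            echo "undelete: $p already exists" >&2
            return 1
        fi
        mv -- "$TRASH$p" "$p" || return 1
    done
}

# purge [DAYS]: remove parked files held longer than DAYS days (default 7).
# Uses ctime, which on most systems is updated when the file is moved in,
# so an old file deleted today is not purged at once.
purge() {
    find "$TRASH" -type f -ctime +"${1:-7}" -exec rm -f -- {} +
}
```

As the review in the thread points out, this only protects files removed through the wrapper; files deleted from within other programs still go straight to the free list.
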



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:06:51 CDT