Hi! I'm helping recover someone else's torched / fsys at work
(redhat9, ext3... have "dump" format of the BROKEN / also)

I had a USB external disk (ext3 fs, 200g) to dump onto, and I know this fsys needs reloading,
but some body parts might (or might not) be worth looking for.
Seriously if you've tried any post-mortem (HEALTHY ext3 filesystem, torched with "rm -rf /" (which is no prob for the fsys itself,
but leaves the data in free blocks, which are how-badly-scattered-i-wonder.

(background; the root perl script "system" rm -rf $variable/something
did a few dirs and stopped....I have the perl script stderr logfile for fun)

Would you guess the overall idea, or the rough steps below, might work well, or not?
I would not dare to ask, but suspect a few of you may have tried something LIKE this.

Since /boot and /etc (at least; I believe it was rm -rf / )
got wiped a few hours ago, I have the RAW FILESYSTEM too.
So the QUESTION is about recovering pieces of the REMOVED files perhaps e.g.

# dd if=/dev/sda2 of=FILEname01 count=500mb ( "bs=8k" not needed these days right?)

# dd if=/dev/sda2 of=FILEname02 skip=500mb count=500mb ( 2nd of roughly 60 pieces )

=================
thought the above might be smarter than "split --bytes=

So using plain tools like "split", "strings", "grep" I wonder if I could recreate parts of a few files.

dump of / had 3-5 gb (I'm home now, I forgot: took 1 hour to "dump" it to usb2)
has the files WITHOUT /etc

(dd of 31gb / filesystem : 31gb. Not a problem.
Maybe split it into ~ 500mb pieces with "split" ,,,,or "dd count=(whatever500mb)
Then (haven't really done this yet) idea# strings 500mbfile01 > strings01

Will be fun to see if "strings" is useful here. Any tips?
--
(other ideas are fun topics too, since I'm holding the firehose, not the torch)
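An added example, not part of the original post: one way to do the strings/grep step directly on the copied image, so that a fragment straddling a 500 MB piece boundary is not cut in two and every hit comes with a byte offset that dd can carve around. It assumes GNU grep and a POSIX shell; the function names and the demo image contents are constructed for illustration.

```shell
#!/bin/sh
# Locate text in a raw image copy by byte offset, then carve a window around it.
# Run this against the copy on the external disk, not the damaged device.

# Print the byte offset of every occurrence of a fixed string in IMAGE.
find_offsets() {
    image=$1
    needle=$2
    # -a: treat binary as text, -b: byte offset, -o: match only, -F: fixed string
    LC_ALL=C grep -a -b -o -F -- "$needle" "$image" | cut -d: -f1
}

# Copy LEN bytes into OUT, starting BEFORE bytes ahead of OFFSET.
# dd counts in blocks of bs, so with bs=1 skip and count are plain byte counts.
carve_window() {
    image=$1
    offset=$2
    before=$3
    len=$4
    out=$5
    start=$((offset - before))
    if [ "$start" -lt 0 ]; then
        start=0
    fi
    dd if="$image" of="$out" bs=1 skip="$start" count="$len" 2>/dev/null
}

# Constructed demo image: zero padding around one text fragment.
make_demo_image() {
    img=$1
    {
        dd if=/dev/zero bs=1024 count=4 2>/dev/null
        printf 'HOSTNAME=demo-host\nGATEWAY=192.0.2.1\n'
        dd if=/dev/zero bs=1024 count=4 2>/dev/null
    } > "$img"
}
```

Searching for a string known to appear in a lost file (a hostname, a config key) gives offsets near which the rest of that file's blocks may sit; larger windows are faster with a bigger bs and skip/count scaled to match.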