
Who says UNIX file undeletion is impossible?

The recovery of data files that have been deleted is not always a matter of competence; to a great extent, success is governed by the file system in use and by how busy the system has been since the deletion.

Windows NTFS, for example, marks a file as deleted, but until the MFT entry is reused all of the file’s allocation information is still present. Other systems clear some or all of a file’s allocation information as soon as the file is deleted, which is why the recovery of deleted files from heavily fragmented FAT file systems is such a nightmare.

What about UNIX? There is a wide range of file systems available under UNIX and Linux; common amongst these is UFS. We have received a number of UFS data recovery jobs lately where the problem has been file deletion and the owners of the hard drives have been told by some data recovery companies and other UNIX specialists that files cannot be undeleted.

This assertion has some basis in truth: there is no generalised way of pointing a software application at a UFS file system and recovering the deleted files. The inode for a file is cleared when the deletion is done, and so the primary allocation information is no more. What is ignored is that there is more allocation information than that stored in the file inode, and that this can be used to make a substantial recovery of some files. What is required is for the data recovery professional to have an understanding of data rather than just being a user of data recovery software.

So the 12 months up until today have seen an 80% success rate in the recovery of deleted files from UFS file systems when the customer had been told by several other “experts” that the chances were 0%. This was not achieved through clever software or massively in-depth R&D but by having the right attitude and knowledge.

So if you have a problem with a UNIX file system and are being told flatly that it is not possible, get an explanation as to why, and get some other opinions, in case you are talking to the wrong UNIX data recovery company.


2 Responses to “Who says UNIX file undeletion is impossible?”

  • Haim says:

    It seems that you are hinting at the fact that if the deleted files have a clearly identifiable header and footer then they can be reassembled manually, the old-fashioned way, as before all the tools were available. Is that correct, or are you saying that there is a “hidden” or less known source of file allocation info besides the inode?

  • Steven says:

    Even when a file does have a recognisable header and footer it can generally only be recovered in such a way if the file data is contiguous. For UFS and many other UNIX/Linux file systems this does not occur in large files because they will have allocation and other file system structure data interspersed.

    The recoveries on UFS file systems that we have recently been seeing were generally for large, multi-gigabyte files. UFS uses direct and indirect data allocation information, direct pointing to file data and indirect pointing to allocation information that then points to file data. File deletion will destroy the direct allocation information when the inode is destroyed; however, the indirect allocation remains. The heads of the files were found manually. We were able to use file system information to refine our search rather than just trawling the entire data space. We then mapped out the used, valid file system data and located what appeared to be the blocks of indirect allocation information for files. Following the indirection blocks we were able to rebuild the tail sections of the files and then rejoin the head and tail sections together. Please note this is a simplification of the actual analysis and work that took place.

    I must stress that it is still not practicable to undertake a general un-deletion of files under UFS. This technique is for the recovery of selected files from within the UFS file system, and is dependent upon there not having been any writing back of data to the areas of disk used to store the required file, and some knowledge of the structure of the file that is required is still essential.

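The step described in the reply above, locating surviving indirect blocks and following them to rebuild a file's tail, can be sketched as follows. This is an added example, not Altirium's tooling or code from the original post. It assumes 32-bit little-endian pointers expressed as block numbers from the start of the image and a non-sparse file; pointer width, byte order and address units vary between UFS variants and must be taken from the file system's own parameters. All function names and the demo image are constructed for illustration.

```python
import struct

def parse_indirect(block, total_blocks, ptr_fmt="<I", min_ptrs=4):
    """Return the pointer list if `block` looks like an indirect block, else None."""
    ptrs = [p for (p,) in struct.iter_unpack(ptr_fmt, block)]
    while ptrs and ptrs[-1] == 0:          # unused slots at the end are zero-filled
        ptrs.pop()
    if len(ptrs) < min_ptrs or len(set(ptrs)) != len(ptrs):
        return None                        # too short, or repeated values (ordinary data)
    if any(p == 0 or p >= total_blocks for p in ptrs):
        return None                        # every pointer must land inside the image
    rising = sum(b > a for a, b in zip(ptrs, ptrs[1:]))
    # Large files are laid out mostly in ascending order; tolerate some fragmentation.
    return ptrs if rising >= 0.8 * (len(ptrs) - 1) else None

def find_indirect_blocks(image, block_size, **kw):
    """Scan every block-aligned offset; return {block_number: [pointers]} for candidates."""
    total = len(image) // block_size
    found = {}
    for n in range(total):
        ptrs = parse_indirect(image[n * block_size:(n + 1) * block_size], total, **kw)
        if ptrs:
            found[n] = ptrs
    return found

def rebuild_tail(image, ptrs, block_size):
    """Concatenate the data blocks an indirect block points to, in pointer order."""
    return b"".join(image[p * block_size:(p + 1) * block_size] for p in ptrs)

def build_demo_image(block_size=64):
    """Constructed 32-block image: filler data blocks plus one surviving indirect block."""
    blocks = [bytes([0x41 + n % 26]) * block_size for n in range(32)]
    tail = [10, 11, 12, 14, 15, 13, 16, 17]   # mostly ascending, one out-of-order block
    blocks[9] = struct.pack("<8I", *tail).ljust(block_size, b"\0")
    blocks[20] = bytes(block_size)            # all-zero block: must not match
    return b"".join(blocks), tail

if __name__ == "__main__":
    image, _ = build_demo_image()
    for blk, ptrs in find_indirect_blocks(image, 64).items():
        print(blk, ptrs, len(rebuild_tail(image, ptrs, 64)))
```

Candidates found this way are only leads: each one still has to be checked against the known structure of the wanted file, and the head of the file, formerly addressed by the inode's direct pointers, has to be located separately.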
