Recovering deleted data from ext3 filesystem on linux


Scenario:
Linux machine with /home on an ext3 filesystem.
You have a welcome.jpg file in /home/test, and you have deleted it with the “rm -f” command.
Now we will recover that welcome.jpg.
Required Tools: debugfs, foremost & blkls
Step 1. –> Check which Filesystem /home is.
 Gladiator:~ # df -h
    Filesystem    Size    Used    Avail    Use%    Mounted on
    /dev/sda2     7.8G    5.3G    2.2G     71%     /
    udev          122M    168K    121M     1%      /dev
    /dev/sda3     12G     158M    11G      2%      /home
So the device holding /home is /dev/sda3.
Step 2. –> Debugfs to get necessary information
The debugfs program is an interactive file system debugger that is installed by default with most common Linux distributions. This program is used to manually examine and change the state of a filesystem. In our situation, we’re going to use this program to determine the inode which stored information about the deleted file and to what block group the deleted file belonged.
  Gladiator:~ # debugfs /dev/sda3
    debugfs 1.41.1 (01-Sep-2008)
    debugfs:  cd test
    debugfs:  ls -d
    32769  (12) .    2  (4084) ..   <32770> (4072) welcome.jpg    ---> Here we got the inode number, 32770; debugfs prints it in angle brackets because the directory entry is deleted
The next command we want to run is imap, giving it the inode number above so we can determine to which block group the file belonged. We see by the output that it belonged to block group 4.
    debugfs:  imap <32770>
    Inode 32770 is part of block group 4    ---> Here we got the block group number (BG)
    located at block 131074, offset 0x0100
Running the stats command will generate a lot of output. The only data we are interested in from this list, however, is the number of blocks per group. In this case, and in most cases, it’s 32768. Now we have enough data to be able to determine the specific set of blocks in which the data resided. We’re done with debugfs now, so we type q to quit.
    debugfs:  stats
    << lots of output >>
    Blocks per group:         32768   ---> BPG
    << ... >>
    debugfs:  q    ---> To quit debugfs
Step 3. –> Recovering data in dat format.
The next thing we need to do is pull all unallocated blocks from block group 4 so we can examine their content. The blkls program, from The Sleuth Kit (TSK), allows us to do just that. We simply need to know the device file, a range of blocks, and have enough space in the appropriate place to output this data. Using the information above, we can calculate the block range: the first block is the block group number times the blocks per group, and the last block is the block group number plus one, times the blocks per group, minus one. In this case, the formula looks like this:
(BG * BPG) through ((BG + 1) * BPG - 1)
In the above example, it works out as:
BPG –> 32768
BG –> 4
(4 * 32768) through ((4 + 1) * 32768 - 1)
131072 through 163839
    So now we need to give the following command:
 Gladiator:~ # blkls /dev/sda3 131072-163839 > /root/block.dat
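The hand calculation above, scripted as an added example (not part of the original post): it parses the debugfs imap and stats lines the way we read them above, computes the (BG * BPG) through ((BG + 1) * BPG - 1) range, and feeds it to blkls and foremost. It assumes debugfs, blkls and foremost are on PATH and that the inode number of the deleted file is already known; the sample lines at the bottom are constructed from this post's output so the parsing can be exercised without a device.

```shell
#!/bin/sh
# Added example, not from the original post. Derives the blkls block range
# for a deleted inode from debugfs output instead of computing it by hand.

# Block group number from an "imap" line such as
#   "Inode 32770 is part of block group 4"
bg_from_imap() {
    sed -n 's/.*part of block group \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Blocks-per-group from the "stats" line "Blocks per group:         32768"
bpg_from_stats() {
    sed -n 's/.*Blocks per group:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# (BG * BPG) through ((BG + 1) * BPG - 1), printed as "start-end" for blkls
block_range() {
    bg=$1
    bpg=$2
    printf '%d-%d\n' "$((bg * bpg))" "$(((bg + 1) * bpg - 1))"
}

# Real pipeline: dump the unallocated blocks of the group that held the
# inode, then carve jpg files out of the dump with foremost.
# Usage: recover_group /dev/sda3 32770 /root/recover
recover_group() {
    dev=$1; ino=$2; out=$3
    mkdir -p "$out"
    bg=$(debugfs -R "imap <$ino>" "$dev" 2>/dev/null | bg_from_imap)
    bpg=$(debugfs -R "stats" "$dev" 2>/dev/null | bpg_from_stats)
    range=$(block_range "$bg" "$bpg")
    echo "inode $ino: block group $bg, $bpg blocks/group, blkls range $range"
    blkls "$dev" "$range" > "$out/block.dat"
    foremost -dv -t jpg -o "$out/carved" -i "$out/block.dat"
}

# Constructed sample lines (copied from the post's output) for a dry run
sample_imap="Inode 32770 is part of block group 4
        located at block 131074, offset 0x0100"
sample_stats="Blocks per group:         32768"

# Dry run of the parsing and arithmetic on the constructed samples
demo_range() {
    bg=$(printf '%s\n' "$sample_imap" | bg_from_imap)
    bpg=$(printf '%s\n' "$sample_stats" | bpg_from_stats)
    block_range "$bg" "$bpg"
}
```

Running demo_range prints 131072-163839, the same range the post arrives at by hand.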
Step 4. –> Recovering file from dat file using “Foremost” tool
Create output directory first.
    linux-remo:~ # mkdir /root/output
    linux-remo:~ # foremost -dv -t jpg -o /root/output/ -i /root/block.dat
    Foremost version 1.5.6 by Jesse Kornblum, Kris Kendall, and Nick Mikus
    Audit File

    Foremost started at Sat Sep 26 12:11:59 2009
    Invocation: foremost -dv -t jpg -o /root/output/ -i /root/block.dat
    Output directory: /root/output
    Configuration file: /usr/local/etc/foremost.conf
    ------------------------------------------------------------------
    File: /root/block.dat
    Start: Sat Sep 26 12:11:59 2009
    Length: 125 MB (132108288 bytes)

    Num   Name (bs=512)   Size    File Offset   Comment
    0:    00012272.jpg    65 KB   6283264       (IND BLK bs:=4096)

    Finish: Sat Sep 26 12:12:03 2009

    1 FILES EXTRACTED

    jpg:= 1
    ------------------------------------------------------------------
    Foremost finished at Sat Sep 26 12:12:03 2009
And here we got the jpg file in the /root/output directory. The filename will be different from the original, but the content will be the same.
Comparing size only works, of course, if you “know your data”. Integrity checking programs such as Tripwire play a big role in a recovery operation as you can identify the recovered data without ever inspecting the content, as well as verify its integrity. This becomes quite useful if the information you’re attempting to recover is confidential and you are not authorized to view the data.
File formats supported by Foremost are jpg, gif, png, bmp, avi, exe, mpg, wav, riff, wmv, mov, pdf, ole, doc, zip, rar, htm, and cpp. If you need to recover data beyond these built-in data types, you will need to define custom types in Foremost’s configuration file, foremost.conf.
