Oops - Undeleting a file on FreeBSD
23/01/13 08:48 Filed in: Systems Administration
A perfect storm of filename completion and inattention resulted in the deletion of a C source code file yesterday (.core starts with .c). As a result I had to find a way to “undelete” a file from a FreeBSD system.
Unfortunately, FreeBSD does not have an undelete facility. A bit of simple filesystem forensics was required to access the contents of the file. This only works because the default FreeBSD filesystem tends to cluster the bits of a file close together and it overwrites existing sectors when modifying a file.
The process is fairly simple:
- stop doing anything to the filesystem with the file to be undeleted immediately
- dd the whole filesystem slice to another disk to create an image file
- use grep to find the byte offset of a string in the file in the image
- use dd to roughly extract deleted file contents
- trim
In my case the series of commands looked like:
dd if=/dev/ad4s1f of=ad4s1f.dd bs=4K
grep -b --binary-files=text dump_stream_info ad4s1f.dd
The string was found at offset 47035498575
dd if=/data/ad4s1f.dd of=/tmp/a.c bs=1000 skip=47035498 count=100
I then trimmed the file a.c to remove extraneous bytes.
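
The same grep-then-dd procedure as a reusable script, added here as an example and not part of the original post. The function names, the lead margin and the constructed demo image are assumptions. It adds `-o` to grep so that `-b` reports the offset of the match itself rather than of the start of the enclosing "line", and it derives the dd `skip` value from that offset instead of by hand.

```shell
#!/bin/sh
# Added example (not from the original post): find a known string in a raw
# filesystem image and carve the surrounding bytes out with dd.

# find_offset IMAGE MARKER -> prints the byte offset of the first match
find_offset() {
    # -b: print byte offset; -o: offset of the match, not of the line start;
    # -F: fixed string; --binary-files=text: search the image as if it were text.
    LC_ALL=C grep -b -o -F --binary-files=text -- "$2" "$1" | head -n 1 | cut -d: -f1
}

# carve IMAGE MARKER OUT [BLOCK_SIZE] [LEAD_BLOCKS] [COUNT]
# Starts LEAD_BLOCKS blocks before the block holding the marker, because the
# marker is rarely the first line of the deleted file.
carve() {
    img=$1 marker=$2 out=$3 bs=${4:-1000} lead=${5:-1} count=${6:-100}
    off=$(find_offset "$img" "$marker")
    [ -n "$off" ] || { echo "marker not found in $img" >&2; return 1; }
    skip=$(( off / bs - lead ))
    [ "$skip" -ge 0 ] || skip=0
    # Write OUT to a different filesystem than the one being recovered.
    dd if="$img" of="$out" bs="$bs" skip="$skip" count="$count" 2>/dev/null
}

# make_demo_image PATH: constructed stand-in for a slice image, so the
# functions above can be tried without a real disk. A small C fragment is
# placed between two runs of zero bytes.
make_demo_image() {
    {
        dd if=/dev/zero bs=5000 count=1 2>/dev/null
        printf '#include <stdio.h>\nstatic void dump_stream_info(void) { puts("x"); }\n'
        dd if=/dev/zero bs=5000 count=1 2>/dev/null
    } > "$1"
}

# Usage against a real image (paths as in the post):
#   carve /data/ad4s1f.dd dump_stream_info /tmp/a.c
```

The carved file still contains bytes from neighbouring blocks before and after the source text, so the manual trim step remains.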