Hack 58 Recover Deleted Files
Recover accidentally deleted files with unrm and lazarus.
When you use rm to
remove a file in Linux, you generally consider that file completely
gone. Unlike in the DOS days, you can't simply run
through a list of deleted filenames hoping your file
hasn't been overwritten, because Linux unlinks a
file when it is removed and no longer keeps track of it other than to
note that the space is free. But if you have accidentally removed a
very important file, there is still a chance you can recover the
file, especially if the file is small, by using the unrm and
lazarus utilities included as part of the
Coroner's Toolkit
(http://www.porcupine.org/forensics/tct.html).
If you have just deleted a file you want to recover, turn
off the machine now! The unrm utility
works by recovering files from the free space on your drive. When you
delete a file, the system unlinks it and adds that space to the free
space on the system, but it doesn't actually
overwrite that segment of the hard drive with zeros. While you
can't actually access the file any longer, the file
still remains until a new file is written over it. The longer that
system is running, the greater the chance that a new file that is
written to the drive will be written over that space. Use Knoppix for
file recovery to unmount the partition you intend to scan and
eliminate the risk that new files will be written over the files that
you are recovering.
Before you start, make sure you have an extra partition or drive
available for unrm and
lazarus to write its information to. The general
rule of thumb is to allow at least 220% of the free space on the
partition you are recovering from. Basically,
unrm creates a copy of the entire free space
into a file (~100%), and lazarus creates
individual files based on the unrm file (~100%),
with the HTML files and some other overhead it creates (~20%). Use
the df command to figure out the free space on a
drive:
knoppix@ttyp0[knoppix]$ df -h
Filesystem Size Used Avail Use% Mounted on
/dev/root 3.0M 1.1M 1.9M 38% /
/dev/scd0 690M 690M 0 100% /cdrom
/dev/cloop 1.9G 1.9G 0 100% /KNOPPIX
/ramdisk 396M 159M 238M 41% /ramdisk
/dev/hda1 93M 82M 6.4M 93% /mnt/hda1
/dev/hda2 38G 26G 12G 69% /mnt/hda2
The -h option passed to df
displays the file sizes in megabytes and gigabytes where applicable,
instead of just kilobytes. In this example,
/dev/hda1 has 6.4 MB of free space, and
/dev/hda2 has 12 GB. To recover a file from
/dev/hda1, you need at least 14 MB of free
space. To recover a file from /dev/hda2, you
need at least 26.4 GB of free space.
It is important that you put your output on a different partition
than the partition you recover, because otherwise, your
unrm output has the potential to erase the very
files you are trying to recover! Click on the icon for the partition
on which you decide to store your output, then right-click on the
icon and choose Actions → Change read/write so you can write
to it. You can also open a terminal and type:
knoppix@ttyp0[knoppix]$ sudo mount -o rw /dev/hda2 /mnt/hda2
Replace /dev/hda2 with the partition you are
recovering to. This example recovers the
possible data from /dev/hda1 and stores the
output on /mnt/hda2. Create a directory to store
the output, and then run unrm on the partition you are
recovering from:
knoppix@ttyp0[knoppix]$ sudo mkdir /mnt/hda2/unrm
knoppix@ttyp0[knoppix]$ sudo sh -c "unrm /dev/hda1 > /mnt/hda2/unrm/output"
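Two rules above are easy to get wrong at a prompt: the output must go to a different partition than the one being recovered (or unrm overwrites the very blocks you want back), and the destination needs roughly 220% of the source's free space. The following POSIX shell script is an added example, not part of the book or of the Coroner's Toolkit; it parses `df -P` output (the portable, kilobyte-based form of the df listing shown earlier) and refuses to proceed unless both rules hold. The df listing embedded in it is constructed to mirror the book's example; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not from the book): pre-flight checks before running unrm.
# Rule 1: the destination must be on a different partition than the source.
# Rule 2: the destination needs about 220% of the source's free space
#         (unrm image ~100% + lazarus block files ~100% + HTML overhead ~20%).
# Uses POSIX `df -P`, which reports sizes in 1024-byte blocks.

# Print "<avail_kb> <mountpoint>" for the df -P line whose device is $2.
src_line() {
    printf '%s\n' "$1" | awk -v dev="$2" '$1 == dev { print $4, $6 }'
}

# Print "<device> <avail_kb>" for the df -P line whose mountpoint is $2.
dest_line() {
    printf '%s\n' "$1" | awk -v mnt="$2" '$6 == mnt { print $1, $4 }'
}

# required_kb FREE_KB: 220% of the source's free space, in KB (integer).
required_kb() {
    echo $(( $1 * 22 / 10 ))
}

# preflight_check DF_OUTPUT SRC_DEVICE DEST_MOUNTPOINT
# Exit 0 and print OK when it is safe to store unrm output under DEST_MOUNTPOINT;
# exit 1 with a reason otherwise. DEST_MOUNTPOINT must be the mount point itself
# (e.g. /mnt/hda2, not /mnt/hda2/unrm). DF_OUTPUT is passed in rather than
# read from df directly so the logic can be exercised offline.
preflight_check() {
    df_out=$1; src=$2; dest=$3
    set -- $(src_line "$df_out" "$src")
    [ $# -eq 2 ] || { echo "REFUSE: $src not found in df output"; return 1; }
    src_avail=$1; src_mnt=$2
    set -- $(dest_line "$df_out" "$dest")
    [ $# -eq 2 ] || { echo "REFUSE: $dest not found in df output"; return 1; }
    dest_dev=$1; dest_avail=$2
    if [ "$dest_dev" = "$src" ]; then
        echo "REFUSE: $dest is on $src; unrm output would overwrite the blocks you want back"
        return 1
    fi
    need=$(required_kb "$src_avail")
    if [ "$dest_avail" -lt "$need" ]; then
        echo "REFUSE: need ${need} KB on $dest, only ${dest_avail} KB available"
        return 1
    fi
    echo "OK: $src (${src_avail} KB free, mounted on $src_mnt) -> $dest (${dest_avail} KB available, need ${need} KB)"
}

# Constructed df -P output mirroring the book's df -h listing (6.4 MB free on
# /dev/hda1, 12 GB free on /dev/hda2); sizes are in KB.
SAMPLE_DF='Filesystem     1024-blocks     Used Available Capacity Mounted on
/dev/hda1            95232    83968      6554      93% /mnt/hda1
/dev/hda2         39845888 27262976  12582912      69% /mnt/hda2'

# Real use on Knoppix: feed live df output and only run unrm if the check passes:
#   preflight_check "$(df -P)" /dev/hda1 /mnt/hda2 \
#       && sudo sh -c "unrm /dev/hda1 > /mnt/hda2/unrm/output"
```

The same-device test compares the destination's device name with the source device, so it also catches the case where the source partition is mounted and you pick a directory on it by mistake. The size check is deliberately conservative: the 220% figure is the book's rule of thumb, and running out of space halfway through lazarus leaves a partial block set.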
A new file called output is created in the
unrm directory that contains all of the
free-space blocks on /dev/hda1. Now use
lazarus
to analyze that file and split up the blocks into individual files.
Create a blocks directory inside your
unrm directory to store all of the files, just
so they are separate from the rest of the output:
knoppix@ttyp0[knoppix]$ cd /mnt/hda2/unrm
knoppix@ttyp0[unrm]$ sudo mkdir blocks
knoppix@ttyp0[unrm]$ sudo lazarus -h -w . -D blocks output
The -h option tells lazarus
to output results in the form of HTML files. The
-w option defines where to
store the HTML frames for each file—in this case, the current
directory. The -D option tells
lazarus where to store all of the files it
recovers. The reason for all of these options is that by default
lazarus stores all of its output under
/var/cache/tct. On Knoppix, this directory is
part of the ramdisk and is limited in size, so you must tell
lazarus to move the output to a directory with
plenty of space.
Once lazarus completes, you should notice many
.html files in the current directory, and many
.txt files in the blocks directory. The
.txt files in the blocks
directory are all of the blocks that lazarus has
recovered. The files are numbered, so you can't find
the file you deleted just from the filename. If you have a lot of
time on your hands, you can open each file, but if you can remember
at least part of the contents of the file, you can use
grep to search for it.
Try to think of some contents in the file that might be unique. For
instance, to recover an email you have sent to
sexy_chick4957@aol.com, go to the blocks
directory and type:
knoppix@ttyp0[blocks]$ grep -i -l 'sexy_chick4957@aol.com' *
The -l option lists only the filenames that
contain that email address. Remove this option to output the filename
and the matching line. The -i option performs a
case-insensitive search. If you have sent a lot of emails to that
address and are trying to narrow the search to a particular email
about your birthday, run a second instance of
grep that searches the files that the first
grep has listed, by strings containing the word
birthday:
knoppix@ttyp0[blocks]$ grep 'birthday' `grep -il 'sexy_chick4957@aol.com' *`
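The nested-backtick search above re-scans the whole blocks directory for the first string every time you add another, and it has to be run from inside that directory. As an added example (not from the book), the POSIX shell function below takes the blocks directory plus any number of strings you remember from the file and lists only the block files containing all of them, case-insensitively, reading each file once. The sample block files it creates are constructed for the example; lazarus block files are named by number and hold raw block contents, which is all the function assumes.

```shell
#!/bin/sh
# Added example (not from the book): narrow lazarus block files by several
# remembered strings. find_blocks DIR PATTERN... prints every regular file in
# DIR that contains all PATTERNs (case-insensitive, basic regular expressions).
# Each file is opened once; the first pattern that misses skips the file.
find_blocks() {
    blk_dir=$1; shift
    found=0
    for f in "$blk_dir"/*; do
        [ -f "$f" ] || continue
        hit=1
        for pat in "$@"; do
            grep -iq -e "$pat" "$f" || { hit=0; break; }
        done
        if [ "$hit" -eq 1 ]; then
            echo "$f"
            found=$((found + 1))
        fi
    done
    [ "$found" -gt 0 ]   # non-zero exit when nothing matched
}

# Constructed stand-ins for lazarus block files (text-only, for the example).
make_sample_blocks() {
    sample_dir=$(mktemp -d)
    printf 'To: sexy_chick4957@aol.com\nSubject: dinner\n' > "$sample_dir/1.txt"
    printf 'To: SEXY_CHICK4957@aol.com\nSubject: your birthday party\n' > "$sample_dir/2.txt"
    printf 'birthday reminder for mom\n' > "$sample_dir/3.txt"
    printf 'unrelated shell history\n' > "$sample_dir/4.txt"
    echo "$sample_dir"
}

# Real use after lazarus has run:
#   find_blocks /mnt/hda2/unrm/blocks 'sexy_chick4957@aol.com' birthday
```

Quoting each pattern keeps shell metacharacters out of grep, and because `-e` introduces the pattern a string that starts with `-` is still treated as a pattern rather than an option. Note that `.` in the address is a regular-expression wildcard, which is harmless here but worth remembering when a remembered string is short.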
If you can't seem to find the file you need with
grep, or the file you are trying to recover is
binary, go back to the unrm directory and open
the HTML output page that lazarus has generated
with this command:
knoppix@ttyp0[unrm]$ mozilla file:///mnt/hda2/unrm/output.frame.html
This page (as shown in Figure 6-2) provides a view
of the recovered blocks in the form of color-coded files. Along the
top frame of the file is a key showing what all of the colors and
letters represent.

If you are looking for a lost email, look through the page for blue
Ms. Click on any of the links to view that
particular file. With luck, you should be able to recover at least a
part of the deleted file this way.