Monday, June 11, 2007

Recover Deleted Files

Many years ago I accidentally deleted a lot of files on a Linux ext2 partition. At the time, there were no decent data recovery tools for ext2 filesystems available, so I put the drive in an electrostatic protective bag and stored it in a safe place. Fast forward to the present: there is still nothing for Linux as good as Ontrack's EasyRecovery Professional. However, there is The Sleuth Kit, an amazing set of file and volume system forensic analysis tools. It is the best tool for data recovery because it lets you read deleted files without writing to the volume. Surprisingly, there is no batch recovery for deleted data. So, I wrote recoup.pl, a Perl script to recursively extract every deleted file. Point it at a directory and it will automatically reconstruct as much as Sleuth Kit's fls and icat commands will let it.
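The same fls-then-icat loop in Python, as an added example that is not recoup.pl or any Sleuth Kit code: it parses the output of `fls -r -p -d <image>` (the line format `r/r * <inode>[(realloc)]:<tab><path>` is assumed), keeps only deleted regular files whose inode has not been reallocated, and pipes each one through `icat` into an output tree. The `SAMPLE_FLS` listing is constructed for the example, and `icat` is assumed to be on PATH.

```python
import os
import re
import subprocess
from collections import namedtuple

# One `fls -r -p -d <image>` line: "r/r * 13:\tdir/a.jpg" or "r/r * 14(realloc):\tdir/b.jpg"
FLS_LINE = re.compile(
    r"^(?P<type>[-a-z?]/[-a-z?])\s+(?P<del>\*\s+)?(?P<inode>\d+(?:-\d+)*)"
    r"(?P<realloc>\(realloc\))?:\t(?P<path>.+)$"
)
# Constructed fls output used for the example; not taken from a real image.
SAMPLE_FLS = (
    "d/d * 12:\tPictures/2005\n"
    "r/r * 13:\tPictures/2005/IMG_0001.jpg\n"
    "r/r * 14(realloc):\tPictures/2005/IMG_0002.jpg\n"
)

Entry = namedtuple("Entry", "inode path deleted realloc is_dir")

def parse_fls(text: str) -> list:
    """Parse fls lines into Entry tuples; lines that do not match are skipped."""
    out = []
    for line in text.splitlines():
        m = FLS_LINE.match(line)
        if m:
            out.append(Entry(m["inode"], m["path"], m["del"] is not None,
                             m["realloc"] is not None, m["type"].endswith("/d")))
    return out

def recoverable(entries: list) -> list:
    """Deleted regular files whose inode was not reused (a reallocated inode
    now describes another file, so icat would dump the wrong blocks)."""
    return [e for e in entries if e.deleted and not e.is_dir and not e.realloc]

def recover(image: str, entries: list, outdir: str) -> list:
    """icat each inode into <outdir>/<original path>; paths escaping outdir are skipped."""
    root, written = os.path.realpath(outdir), []
    for e in entries:
        dest = os.path.realpath(os.path.join(root, e.path.lstrip("/")))
        if not dest.startswith(root + os.sep):
            continue  # e.g. a '..' component read from a corrupted directory
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        with open(dest, "wb") as fh:
            subprocess.run(["icat", image, e.inode], stdout=fh, check=True)
        written.append(dest)
    return written
```

Against a real image, feed `recover` the output of `subprocess.run(["fls", "-r", "-p", "-d", image], capture_output=True, text=True).stdout` through `parse_fls` and `recoverable`; the image is only ever read, never written.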

2 comments:

Anonymous said...

Hi, I've been trying to batch recover my files (files didn't get deleted, but the fs got a little corrupted, beyond repair) for several weeks now.

I can see and export my files with the Autopsy front-end of SleuthKit, but I just needed a batch way since there are 130GB worth.

So after trying almost every sleuthkit addon, I finally came across your recoup.pl, which is exactly what I want.

However, I think you wrote it for an older version of SleuthKit; it's giving an error:

Basically I'm running http://pastebin.com/m42ff8959
while pointing it to my Pictures directory inside a dd image and it returns:
http://pastebin.com/me389226

btw I tried fls and icat manually and was able to see files, so I'm guessing it's some sort of parsing error after sleuthkit changed something with the output format.

Please let me know if you have any ideas. Thanks.

Brett said...

Thanks so much! I was about to write my own Perl script then thought "surely someone else has had to do this before". A quick Google and there was your script! Saved me a couple of hours of messing around. Appreciate you sharing your work with us.

Brett.