how can I recover trashed directory/files?

der Mouse mouse at thunder.mcrcim.mcgill.edu
Fri Jun 14 02:45:52 AEST 1991


In article <13384 at uhccux.uhcc.Hawaii.Edu>, mikem at uhccux.uhcc.Hawaii.Edu (Mike Morton) writes:

> I just destroyed a directory of source files, and my most recent
> backup is over two weeks old.  Any suggestions for ways to scavenge
> the deleted files?

> Particulars:

> I'm running NeXTstep 2.1, which I believe basically means the BSD
> file system underneath.

Well, strictly, NextStep is just the GUI and has nothing to do with the
underlying system.  (I think I heard something about IBM having bought
the right to sell systems running it, for example.)

However, I think (though I haven't checked) that NeXTs do use a more or
less BSD filesystem.  All my comments about the filesystem below are
based on the BSD filesystem.

> I deleted the directory with the NeXT Workspace Manager's "Destroy"
> command, which I suspect basically rm's the files.

Did you check from a shell to see whether there's anything visible
left?  Don't forget to check your ~/.NeXTTrash or whatever it's called
to see if anything was left there.

> I then spent some time conferring with friends on what to do, during
> which time it's likely that something did a 'sync' and my superblock
> has now forgotten the directory.

It wouldn't be the superblock that would be the critical thing.  By the
time the unlink() syscall finishes, you are typically only milliseconds
away from the critical bits being overwritten on the disk (perhaps a
couple of hundred milliseconds, but certainly less than a second; the
writes have been queued, and it's only a matter of the disk working its
way through the queue).

> I assume that booting off the disk will be a Bad Thing, likely to
> trash blocks, and that I must remove the disk and attach it to
> another machine, not as a boot disk.

Provided you don't create any files, everything that's still there
should remain intact.

> The big question then is: What utilities or techniques are available
> for finding my lost data?  I'd be willing to spend 2-3 days
> reconstructing files; there are probably a dozen source files.

You *could* simply go through all free data blocks in the filesystem
and look at each one to see which ones look familiar.  Unfortunately
this will probably include a great deal of rubbish and false positives.
It might be worth trying, though.

I once looked at adding an un-remove syscall to a BSD kernel.
Unfortunately, while the data blocks remain undisturbed (they are
merely marked as free in the bitmap), the pointers to those data blocks
are overwritten with zeros.  Fixing this amounts to allowing valid data
block pointers to exist after the end of the file, taking care to
ignore them if the file is legitimately extended.  This looked like
more work than I was willing to get into at the time.

All your code is probably there; it's just a matter of finding it.  And
all the pointers have been destroyed.

> and my misplaced data thank you, too.

It's nice to see someone who realizes that `data' is plural....

					der Mouse

			old: mcgill-vision!mouse
			new: mouse at larry.mcrcim.mcgill.edu



More information about the Comp.unix.misc mailing list