Stupid --delete mistake

Steve Bonds knnf6cy7w001 at sneakemail.com
Sat Jun 4 02:19:47 GMT 2005


On 6/3/05, Ed wrote:

> I just made a rather stupid commandline ordering error and managed to delete
> a whole load of data (mostly word files/some pics fwiw) with rsync --delete.
> I know, I'm an idiot (and a big one at that).  To make matters worse this
> was off an ext3 partition, which from what I can find out seems pretty much
> undeleteable – at least if deleted in the normal way by rm. 

The key to this lies in the "pretty much", more below.  ;-)
 
> So the question is, does rsync delete files in a way which will allow me to
> recover them, or am I, as I suspect, royally screwed :( 

Rsync deletes files in the same way as "rm", so you are pretty screwed
unless you want to spend some time learning a bit about filesystem
forensics.

The last time I recovered a file I'd nuked off an ext3 filesystem, I
ran across The Sleuth Kit:

http://www.sleuthkit.org/

It made the undelete process fairly painless.

The Sleuth Kit requires a separate system with lots of disk space
since it needs to hold the entire contents of the filesystem off which
you deleted your files plus associated analysis, logs, etc.

The first thing you need to do is "dd" a copy of your raw filesystem
onto some other linux host with lots of disk space.  The sooner you do
this, the less chance there is of those disk blocks getting
reallocated.  For example, from the system that will be used as the
dumping ground:

ssh hosed-host "dd if=/dev/hda3 obs=1500" | dd of=/home/sleuth/hosed-host-hda3.img ibs=1500

This does a "dd" to stdout of your hda3 partition (substitute the real
device name) and sends it over the ssh connection to your receiving
host which presumably has a lot of free space in /home/sleuth.  The
"obs" and "ibs" parameters are there to ensure that we can fill up a
1500 byte ethernet packet on each read.  It works fine without them,
just a bit slower.

There are other ways to do this, one method using "netcat" is
described on The Sleuth Kit's website:

http://www.sleuthkit.org/informer/sleuthkit-informer-11.html#dd

Once you have the image saved off you can spend some time learning how
to run The Sleuth Kit.  It goes to great pains to keep your "dd" image
unmodified, however as a fail-safe I always keep these owned by root,
mode 444, and run The Sleuth Kit as a non-root user.

The Autopsy Forensic Browser is a webserver-based front end to The
Sleuth Kit and is a good way to get started.

RPMs can be found at:

http://dag.wieers.com/packages/sleuthkit/
http://dag.wieers.com/packages/autopsy/

Good luck!  This will be a valuable Learning Experience.  ;-)

  -- Steve
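As an added illustration of the imaging and "keep the dd image unmodified" advice above (this is not part of Steve's post or of The Sleuth Kit), the script below images a device or file with dd, locks the image to mode 444, records a checksum beside it, and can later verify that the image is still intact before analysis. The function names image_device, image_remote and verify_image are hypothetical, as is the remote host name; the test input is a constructed file standing in for the partition.

```shell
#!/bin/sh
# Added example, not from the original post: capture a forensic image of a
# device (or, for testing, a plain file) and seal it against modification.

# Image a local device/file into $2 using 1500-byte blocks as in the post,
# then make the image read-only and record a checksum next to it.
# Hypothetical helper; returns 0 on success.
image_device() {
    src="$1"; dst="$2"
    dd if="$src" of="$dst" bs=1500 2>/dev/null || return 1
    # Best effort: the post keeps images owned by root; ignore failure
    # when this runs as an unprivileged user.
    chown root "$dst" 2>/dev/null || true
    chmod 444 "$dst"
    # POSIX cksum prints "crc size name"; keep crc and size only.
    cksum "$dst" | awk '{print $1, $2}' > "$dst.cksum"
}

# Same idea over ssh, mirroring the pipeline from the post: the remote dd
# writes 1500-byte blocks so each read can fill an Ethernet frame.
# Hypothetical helper; not exercised by the offline test below.
image_remote() {
    host="$1"; dev="$2"; dst="$3"
    ssh "$host" "dd if=$dev obs=1500" | dd of="$dst" ibs=1500 2>/dev/null || return 1
    chmod 444 "$dst"
    cksum "$dst" | awk '{print $1, $2}' > "$dst.cksum"
}

# Verify an image against its recorded checksum; returns 0 if unchanged,
# 1 if the image was altered or the checksum file is missing.
verify_image() {
    dst="$1"
    [ -r "$dst.cksum" ] || return 1
    recorded=$(cat "$dst.cksum")
    current=$(cksum "$dst" | awk '{print $1, $2}')
    [ "$recorded" = "$current" ]
}

# Report the permission string so a reviewer can confirm the 444 mode.
image_mode() {
    ls -l "$1" | cut -c1-10
}
```

Run verify_image before every Sleuth Kit or Autopsy session; if it fails, the image has been touched since capture and any findings from it are suspect. Working on a read-only image as a non-root user, as the post recommends, is what keeps that check meaningful.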

