Ext3 Can Be Undeleted.

So in trying to undelete something I came across a couple of snippets. Now expect mileage to vary, firstly I was trying a Directory on a live sysytem which I shouldn't of done but was more curious than actually trying.

So first we need http://www.sleuthkit.org/autopsy/desc.php this is then used, though several bits can also be achieved with debugfs

http://www.sage.org/lists/sage-members-arc...7/msg00406.html This suggests if just done get the system offline and using just debufs.

This didn't quite work for me though did list some deleted inodes.
Now firstly this isn't easy.

http://www.lonerunners.net/blog/archives/1...partitions.html

So now using this with a dd image(What I didn't do, though I suspect the space was already gone), now having followed the above you should hopefully of ended up with a file that'll need carving I used http://foremost.sourceforge.net/ .

Another similar howto also here http://linux.sys-con.com/read/117909_1.htm

This isn't complete as one I'm not sure. I didn't manage to find the inode or was loooking in the wrong place but I did recover something I did have files in a zip format, just not the ones I wanted.

So perhaps if you're just interested or have something that you really do wish to recover and don't wish to pay the prices, here's an avenue or at least a start in the right direction.

Also far more detailed docs here http://www.porcupine.org/forensics/forensi...y/chapter4.html also with more info at 4.10 in regards to whats actually happening on deletion.