[SGVLUG] rm -rf ./* from the wrong folder on a LUKS encrypted ext hdd

Bryan Pesterfield via SGVLUG sgvlug at sgvlug.net
Tue Feb 6 17:28:43 PST 2018


At the moment, I have ddrescue making an image of the drive (estimate
6 hours 30 min). Next it looked like photorec might be good to use, but I
haven't gotten into it yet to know. From what I can tell, it comes with
Testdisk and that is the tool that lets them say they can recover ext4
files (even though it also comes standalone). I stopped the rm command
relatively fast, but it still got 6 GB out of 846 GB, and I have no idea
what is gone or if it was important.

The folder I was in was a clone of my home directory as it was before
the system wipe. If it went in alphabetical order, I would assume it
would try to hit all the hidden folders first (unless a period comes
after Zed in the alphabet) and then start to work on the Desktop and
Documents folders, but I don't know how big any of the hidden files
were. I know it didn't get the Thunderbird folder because I was able to
restore everything, including my archives, Enigmail, and my PGP key.


On 02/06/2018 03:07 PM, nopbin at gmail.com via SGVLUG wrote:
> Just a quick note, go for the undelete utilities first, but when they
> fail I have had some luck with data carving. Image the unencrypted
> partition with dd then use the data carver to find files of interest
> with unique signatures.
>
> On Feb 6, 2018 12:21 PM, "Bryan Pesterfield via SGVLUG"
> <sgvlug at sgvlug.net> wrote:
>
>     Good morning, 
>
>     I used that dreaded command from the wrong folder while rebuilding
>     my system and restoring files. I know I need to be careful with
>     that command and that sooner or later I would regret it. That day
>     came yesterday. I was looking at a different directory and forgot
>     where I was at when I issued the command.
>
>     So far, I have read that debugfs and lsdel only work on ext2,
>     extundelete works for unmounted drives but I get a Bad Magic
>     Number error when attempting to run (presumably because the disk
>     is encrypted), testdisk says on their wiki it can do it but gives
>     no indication how, and of course, every hit on a search engine
>     leaves out one or two terms, so most of what I find is
>     nonapplicable or junk. 
>
>     At least when I screw up, I do it spectacularly. Any ideas? 
>
>     Thanks, 
>     Bryan Pesterfield 
>
>
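An added example, not part of either message in this thread: a minimal signature-based carver of the kind the quoted reply suggests, which first checks whether the image still starts with a LUKS header (the situation the original post suspects behind the Bad Magic Number error) or already shows an ext superblock. The function names, the two-format signature table and the sample image are constructed for illustration, and the header-to-footer matching is a simplification that assumes unfragmented files.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"       # first 6 bytes of a LUKS1/LUKS2 header
EXT_MAGIC_OFFSET = 1024 + 56       # s_magic field of the ext2/3/4 superblock
EXT_MAGIC = 0xEF53

# (name, header signature, footer signature); hypothetical minimal table
SIGNATURES = [
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9"),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
]

def identify(image: bytes) -> str:
    """Classify an image as a LUKS container, an ext filesystem, or unknown."""
    if image[:6] == LUKS_MAGIC:
        return "luks"
    if len(image) >= EXT_MAGIC_OFFSET + 2:
        (magic,) = struct.unpack_from("<H", image, EXT_MAGIC_OFFSET)
        if magic == EXT_MAGIC:
            return "ext"
    return "unknown"

def carve(image: bytes, max_size: int = 32 * 1024 * 1024):
    """Return (type, offset, data) for every header..footer run, by offset."""
    if identify(image) == "luks":
        raise ValueError("image is ciphertext; image the opened mapping instead")
    found = []
    for name, header, footer in SIGNATURES:
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header), pos + max_size)
            if end != -1:
                found.append((name, pos, image[pos:end + len(footer)]))
                pos = image.find(header, end + len(footer))
            else:
                pos = image.find(header, pos + 1)
    return sorted(found, key=lambda f: f[1])

def build_sample() -> bytes:
    """Constructed image: ext superblock magic plus two fake files in free space."""
    img = bytearray(8192)
    struct.pack_into("<H", img, EXT_MAGIC_OFFSET, EXT_MAGIC)
    png = b"\x89PNG\r\n\x1a\n" + b"chunkdata" + b"IEND\xaeB`\x82"
    jpg = b"\xff\xd8\xff\xe0" + b"scan" + b"\xff\xd9"
    img[4096:4096 + len(png)] = png
    img[6000:6000 + len(jpg)] = jpg
    return bytes(img)

if __name__ == "__main__":
    print([(n, off, len(d)) for n, off, d in carve(build_sample())])
```

A real image is far too large to load as one `bytes` object, so the same logic would be applied over a memory-mapped or chunked read of the ddrescue output.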
