Question on deleted files in SCO Unix?
Rick
I am a newby to Unix and specifically SCO Unix. The question I have is:
Can a file or files that have been deleted in SCO Unix, be recovered,
through some sort of computer forensic techniques?
Thanks,
Rick
Rick
basic principles of the unix file structure and how it is possible to
recover intentionally deleted files? The reason being is another guy (a so
called computer expert) told my boss that it was impossible to recover
deleted file, because unix was a secure operating system and that the file
structure of SCO Unix made it impossible to do a recovery. If anyone can
give me some ammo to go back to the office with, it would be greatly
appreciated and I could learn something knew as well.
Gracias,
Rick
"Christer Palm" <pa...@nogui.se> wrote in message
news:3AADDAB3...@nogui.se...
Eirik Seim
news:kqnr6.174870$B6.38...@news1.rdc1.md.home.com...
> Thanks for the quick to the point answer. Could anyone elaborate on the
> basic principles of the unix file structure and how it is possible to
> recover intentionally deleted files? The reason being is another guy (a
so
> called computer expert) told my boss that it was impossible to recover
> deleted file, because unix was a secure operating system and that the file
> structure of SCO Unix made it impossible to do a recovery. If anyone can
> give me some ammo to go back to the office with, it would be greatly
> appreciated and I could learn something knew as well.
The general answer on recovering of files are to restore them from your most
recent backup tapes. I guess this is not an option in your case..
Here in Norway, we have a company called Ibas (www.ibas.com) that probably
can recover your files. I think they serve most of the world, but they can
be rather expensive. AFAIK, unix filesystems in general are not any harder
to restore than windows.
Hope this helps.
Follow up set to comp.unix.questions
- Eirik
Defibrillator
>"Christer Palm" <pa...@nogui.se> wrote in message
>news:3AADDAB3...@nogui.se...
>> Rick wrote:
>> >
>> > Can a file or files that have been deleted in SCO Unix, be recovered,
>> > through some sort of computer forensic techniques?
>> >
>> Yes
>
>basic principles of the unix file structure and how it is possible to
>recover intentionally deleted files? The reason being is another guy (a so
>called computer expert) told my boss that it was impossible to recover
>deleted file, because unix was a secure operating system and that the file
>structure of SCO Unix made it impossible to do a recovery.
It's not impossible, it's just a lot harder than on an MS PC system. Have
a look at this URL, particularly the sections on lazarus & unrm.
http://www.sans.org/infosecFAQ/threats/coroners_toolkit.htm
--
Regards,
Hugh.
Anamika
recover files.
There are certain requirements ofcourse.
One of them would be that you have access to the disk/filesystem at driver
level.
Once you have this and if you know the type of filesystem and its layout, it
a matter
of mapping the information and reading the appropriate areas of the media
(disk,tape etc).
eg., from unix inode tables, find out the logical blocks that make up a
file,
map the logical block info (cylinder, head, sector) to the appropriate disk
sectors.
It is not a trivial task, quite challenging but quite straightforward.
-A
Steve Dunn
$Thanks for the quick to the point answer. Could anyone elaborate on the
$basic principles of the unix file structure and how it is possible to
$recover intentionally deleted files?
File names are stored in directory entries; the allocation
information for the data is stored in inodes; the file itself is
stored within the filesystem.
When you delete a file, the directory entry is marked as available,
and the inodes for that file are marked as available. The file's
contents remain in the data blocks until such time as those data blocks
are allocated to, and overwritten with the contents of, other files.
The details are different from something like DOS, but the basic
idea is the same: the data are still sitting on disk; it's just
that you no longer have a nice directory/file allocation table to
point you to the right place.
--
Stephen M. Dunn (SD313), CNE, ACE ste...@ussinc.com
----------------------------------------------------------------------------
Senior Manager United System Solutions Inc.
20 Adelaide Street East, 5th Floor, Toronto, ON, Canada (416) 367-1070 x251
John Doherty
| Thanks for the quick to the point answer. Could anyone elaborate on the
| basic principles of the unix file structure and how it is possible to
| recover intentionally deleted files?
There's a pretty good article by Wietse Venema in the December 2000
issue of Dr. Dobb's Journal. You might read that.
<http://www.ddj.com/articles/2000/0012/0012h/0012h.htm>
--
Milt Q. Llama III
overwritten the data on disk, it is still recoverable:
http://www.fish.com/security/secure_del.html
Eric
System Administrator
Defunct.com
George R. Gonzalez
"Milt Q. Llama III" <esch...@cs.ucr.edu> wrote in message
news:3AAEFF2F...@cs.ucr.edu...
> Another good link to tell you that even if you think you have
> overwritten the data on disk, it is still recoverable:
>
> http://www.fish.com/security/secure_del.html
Er, um, I hate to put myself up against a Professor's Paper,
but I think if you read his paper carefully, you'll note that although
there are all kinds of claims of being able to "see" old bits,
nowhere do you see even one SECTOR, or even 10 bytes
of actual recovered information.
The basic concept is ludicrous-- you can't subtract out the new data,
as you have no idea the exact amplitude or phase of the latest data.
Even if you did, modern recording technology is already pushing the
noise level-- you subtract out the good data and you're left with a bunch of
noise.
Using the "edges" is even more ridiculous. Disk heads have for at lest 10
years been using "tunnel erase" where the erased width is wider than the
written data. So there is no fringe data.
Even if there was, the fringes have much less hi-frequency information
content, so the signal-to-noise ratio is even worse than dismal.
Yes, if you write repeating 1-0-1-0, then erase to zero, you'll see a
pattern.
But a repeating pattern isnt useful information. The human eye is very good
at auto-correlating-out noise when there's a simple repeating sequence. But
it's unlikely to ever be useful to take a sector of 1010101010101010's and
say "there were ones and zero'es there!"
Said another way, if you average out thousands of repeated but degraded ones
and zeros, you may be able to make a good guess whether the one or the zero
came first. But in the real world, we'd like to recover a goodly
percentage of non-repeating data, not a few bits of known repeating data.
I will cheerfully give $100 of my own money to anybody that can correctly
recover just one 512-byte sector of once-overwritten text (NOT E5E5's!).
Any takers?
Regards,
George
Thomas Jespersen
> Using the "edges" is even more ridiculous. Disk heads have for at lest 10
> years been using "tunnel erase" where the erased width is wider than the
I searched for "tunnel erase" on google, and all I could find was
floppydrive "tunnel erase". Are you sure this is used on harddrives as
well?