1

I have an ext3 image that I am working on for school. I am trying to identify all deleted files and folders, including the full path names and inode numbers of these files/folders. I believe I need to use the blkcat command but I am unsure of the parameters that I need?

user240079

2 Answers

1

Can you speak with the dead?


Almost the same thing happens with deleted files... Pretty much impossible. When a file is deleted, it's simply gone. On most systems, this is not logged anywhere.

If you're using rm from the command line, the system does not generally ask for confirmation before removing files.

If you deleted files using a GUI tool, they may still be in some kind of "trash can". It depends on what you're using for a desktop environment.

If you are interested in recovering deleted files, maybe the following Q&A can help you:

Nevertheless, there is a tool called inotifywait which can be used to listen for events happening in a specified directory. To watch for deleted files and folders, use the following command:

inotifywait -m -r -e delete dir_name > deleted_files.log

This logs the files deleted from the dir_name directory to the deleted_files.log file.

To install inotifywait, use:

sudo apt-get install inotify-tools

Source: How to find which files and folders were deleted recently in Linux?

Radu Rădeanu
0

It sounds like you are talking about the forensic tools from The Sleuth Kit (TSK). There is a sleuthkit package that is available from the standard Ubuntu repository, so your first step would be making sure that is installed. Probably the fls tool is a better starting point than blkcat:

DESCRIPTION
       fls lists the files and directory names in the image  and  can  display
       file  names of recently deleted files for the directory using the given
       inode.  If the inode argument is not given, the  inode  value  for  the
       root directory is used. For example, on an NTFS file system it would be
       5 and on a Ext3 file system it would be 2.

After that I really can't help you but there is an online wiki, and this article Why Recovering a Deleted Ext3 File Is Difficult should get you started.

steeldriver
  • 136,215
  • 21
  • 243
  • 336
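An added example (not part of either answer, and not The Sleuth Kit's own code) for the fls approach suggested above: it lists deleted entries recursively with full paths and turns each line into inode, type, state and path. The function names and the sample lines are constructed for illustration; on ext3 this yields names and inode numbers, not file content.

```shell
#!/bin/sh
# Added example: report deleted files/folders in an ext3 image using fls.
# Output columns (tab separated): inode, type, state, full path.

# parse_fls: read `fls -r -d -p` output on stdin. Each entry looks like
#   r/r * 1234(realloc):<TAB>home/user/file.txt
# where "*" marks a deleted name and "(realloc)" means the inode has
# since been reused, so its metadata may belong to another file.
parse_fls() {
    awk -F '\t' '
    {
        n = split($1, meta, " ")          # "r/r", "*", "1234(realloc):"
        if (n < 3 || meta[2] != "*") next # skip anything not marked deleted
        inode = meta[n]
        sub(/:$/, "", inode)
        state = "deleted"
        if (sub(/\(realloc\)$/, "", inode)) state = "deleted-realloc"
        # The path is everything after the first tab on the line.
        path = substr($0, length($1) + 2)
        printf "%s\t%s\t%s\t%s\n", inode, meta[1], state, path
    }'
}

# list_deleted IMAGE: -r recurse from the root inode, -d deleted entries
# only, -p print full paths, -f ext3 name the file system type.
list_deleted() {
    fls -f ext3 -r -d -p "$1" | parse_fls
}

# Constructed sample of fls output (not taken from a real image), so the
# parser can be tried without an image at hand.
sample_fls_output() {
    printf 'r/r * 1234:\thome/user/notes.txt\n'
    printf 'd/d * 5678:\thome/user/old dir\n'
    printf 'r/r * 1240(realloc):\thome/user/tmp.txt\n'
}

# Run against an image when one is given: sh script.sh disk.img
if [ "$#" -gt 0 ]; then
    list_deleted "$1"
fi
```

Work on a copy of the image or a read-only attachment, and treat `deleted-realloc` rows as name-only evidence.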