
After my friend rm’d a bunch of code yesterday, I offered to help. The first rule of undeleting is to stop writing to the affected partition (unmount it, or remount it read-only), because every new write can reuse blocks that still hold the deleted files' data. So I first made a copy of her disk with dd, piping it through ssh to another machine so that all the recovery work would run against the image rather than the original:

sudo dd if=/dev/sda1 | ssh USER@HOST "dd of=/home/USER/backup.img"

I then grabbed a copy of The Sleuth Kit and used its fls tool to list the deleted directory entries on the image, which still carry the inode numbers of the old files, and icat to copy each inode's data out. I knew the files were PHP code stored in /var/www, so I used grep to keep only those entries from the recursive fls listing (with full paths), pulled the inode number from each line, and fed it to icat:

for i in `fls -r -p -d backup.img | grep var/www | grep '\.php' | cut -d: -f1 | grep -o '[0-9]*$'`; do
    icat backup.img $i > $i
done
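A more careful version of the same fls/icat loop, written as an added example rather than as the original post's commands: it takes the inode from the field before the colon in `fls -r -p -d` output instead of matching any run of digits (a name such as logo2.png would otherwise yield a bogus inode), skips entries fls flags as (realloc) because that inode has since been reused by a live file, restores each file under its original path, and checks that what came back starts with the PHP open tag. It assumes The Sleuth Kit's fls and icat are installed when run against a real image; the sample fls output embedded below is constructed for the example, not taken from the post's machine.

```shell
#!/bin/sh
# Added example, not the original post's script. Recovers deleted files from
# a Sleuth Kit image by parsing `fls -r -p -d` output (inode is the number
# before the colon; the full path follows a tab) instead of grepping for any
# digits. Assumes fls and icat are on PATH when run against a real image.

# Constructed sample of `fls -r -p -d backup.img` output (not real data):
# dirent-type/inode-type, "*" marks a deleted entry, inode, tab, full path.
SAMPLE_FLS=$(printf 'd/d * 1801:\tvar/www/old
r/r * 3041:\tvar/www/html/index.php
r/r * 3042:\tvar/www/html/lib/db.php
r/r * 3043:\tvar/www/html/images/logo2.png
r/r * 3044:\thome/user/notes.php
r/r * 3045:\tvar/www/html/readme.php.bak
r/r * 3046(realloc):\tvar/www/html/reused.php')

# select_inodes PREFIX EXT   (reads fls output on stdin)
# Prints "inode<TAB>path" for deleted regular files whose path starts with
# PREFIX and ends in EXT. Entries marked (realloc) are skipped: that inode
# has been reallocated to a live file, so icat would return the wrong data.
select_inodes() {
    awk -v prefix="$1" -v ext="$2" '
        BEGIN { FS = "\t" }
        $1 ~ /^r\/r \* [0-9]+:$/ {
            split($1, f, " "); inode = f[3]; sub(/:$/, "", inode)
            path = $2
            if (index(path, prefix) == 1 &&
                substr(path, length(path) - length(ext) + 1) == ext)
                print inode "\t" path
        }'
}

# recover IMAGE PREFIX EXT OUTDIR
# Lists deleted entries on IMAGE, restores each match with icat under
# OUTDIR/<original path>, and warns when the content does not start with
# "<?php" (a sign the data blocks were already overwritten).
recover() {
    img=$1; prefix=$2; ext=$3; out=$4
    fls -r -p -d "$img" | select_inodes "$prefix" "$ext" |
    while IFS="$(printf '\t')" read -r inode path; do
        mkdir -p "$out/$(dirname "$path")"
        icat "$img" "$inode" > "$out/$path"
        case "$(head -c 5 "$out/$path")" in
            '<?php') echo "recovered inode $inode -> $out/$path" ;;
            *)       echo "WARNING: inode $inode -> $out/$path does not look like PHP" >&2 ;;
        esac
    done
}

# Usage: ./recover.sh backup.img [outdir]
# Without an image argument (or without TSK installed) it only runs the
# selection step on the constructed sample so the filtering can be seen.
if [ -n "${1:-}" ] && command -v fls >/dev/null 2>&1; then
    recover "$1" var/www .php "${2:-recovered}"
else
    printf '%s\n' "$SAMPLE_FLS" | select_inodes var/www .php
fi
```

Run on the sample, only inodes 3041 and 3042 survive: the PNG, the file outside /var/www, the .php.bak and the reallocated entry are all dropped before anything is handed to icat.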


Voilà, I had a bunch of files, 6 of which were the missing PHP files! Super easy, and thank goodness the filesystem was ext2: ext2 only marks a deleted inode as unused and leaves its block pointers in place, whereas ext3 zeroes the block pointers on deletion, so icat on a deleted ext3 inode returns nothing and recovery means carving blocks from the image instead.