Tugger the SLUGger!SLUG Mailing List Archives

Re: [SLUG] undelete fat32 files from linux

On Monday 01 May 2006 07:56, dave kempe wrote:
> utilitys. I was wondering though - is there any tools that can provide
> undelete functionality for fat32 filesystem on linux? anyone got any
> ideas on how to recover the deleted data using the existing tools?
> thanks,
> Dave

fsck.vfat (and msdos) has an undelete feature, if you can remember the 
filenames. I'm not sure how well it works (my quick tests worked fine). You 
can take a snapshot of the device and mount it via loopback to test it.

Something like:

dd if=/dev/sdc1 of=/somepath/carddump bs=1024
(replace sdc1 with the relevant partition)

then to recover the files (if you know the names)
fsck.vfat -vru /mycamdir/mydeletedfile.jpg /somepath/carddump
(I don't think you can undelete more then 1 file at a time, so you might need 
to do this for each file.)

If you can't remember the names of the files, you can get a rough idea from 
looking at a hexdump of the fat table;
fsck.vfat -rv /somepath/carddump
give me this:
First FAT starts at byte 512 (sector 1)
         2 FATs, 16 bit entries
     16384 bytes per FAT (= 32 sectors)

As the FAT is at the start you can browse it with:
hexdump -C /somepath/carddump | less
(note: filenames are missing the first letter and there is no "." between the 
name and extension, you can assign any first letter to the filename)

Once you've finished undeleting; 

mount /somepath/carddump /mnt/some_mount_point -t vfat -o 
(doesn't have to be loop3, pick a spare loop device)

There is probably a tool out there that does this, and it may be able to read 
the deleted filenames from the FAT too. 

Working with a snapshot means you can fiddle with it to your hearts content 
without affecting the original image, so you can always try to recover the 
original with a Windows utility.

Malcolm V.

Expedience is the best teacher.