Recovering Data with GNU/Linux

Marty Pauley <marty@kasei.com>

火星 (Kasei)

Data recovery?

Warning signs

Oh my God, they killed kenny.kasei.com!

[image: dead Kenny]

You bastards!

The South Park solution

Restore Kenny from backup.

[image: alive Kenny]

When backups can't help

Passwords in your browser

look in ~/.mozilla/default/*.slt/*.s

http://www.kasei.com
username
~bWFydHk=
*password
~c2VjcmV0IDop
.

Looks like Base 64

Decoding Base 64 Data

$ perl -MMIME::Base64 -wlne 'print decode_base64($_)'
c2VjcmV0IDop
secret :)

Recognising Data

c2VjcmV0IQ== base64
c2VjcmV0IDop base64
c2UYO2E8tJmRs crypt
$1$VjcmV0ID$K2i25fMSBraIm6GBev4To0 crypt md5
$1?$#+-$#-:$=-$- Perl

No such file or directory

Maybe your Mozilla doesn't have a .s file.

Or maybe you don't use Mozilla!

Use dsniff

10/10/05 12:23:02 tcp 192.168.1.23.33184 -> www.kasei.com.80
GET / HTTP/1.1
Host: www.kasei.com
Authorization: Basic bWFydHk6c2VjcmV0IDop [marty:secret :)]

Questions?

I'm not lost

I just don't know where I am.

Use find

find ~ -name "*.sniff" -print
locate "*.sniff"

But I don't know my name!

Do you know its content?

find ~/misc -type f -exec grep -l -i password '{}' ';'

Or use Beagle.

I know nothing!

find . -mtime +30 -mtime -90 -print
find ~ -type f -exec file '{}' ';' | grep tcpdump

It's a kind of /etc/magic

0       ubelong     0xa1b2c3d4    tcpdump capture file (big-endian)
>4      beshort     x             - version %d
>6      beshort     x             \b.%d
>20     belong      0             (No link-layer encapsulation
>20     belong      1             (Ethernet
>20     belong      2             (3Mb Ethernet
>20     belong      3             (AX.25
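As an added example (not from the slides), a small Python reader that applies the magic lines above to raw bytes the way file(1) does, then runs it over a constructed set of files to mimic the find | file | grep tcpdump pipeline; accepting the byte-swapped magic 0xd4c3b2a1 of little-endian hosts and the sample file names are assumptions beyond the excerpt.

```python
import struct

# Link-layer types named by the page's magic lines (the belong at offset 20).
LINKTYPES = {0: "No link-layer encapsulation", 1: "Ethernet",
             2: "3Mb Ethernet", 3: "AX.25"}

def identify_tcpdump(data: bytes):
    """Apply the page's /etc/magic rules for tcpdump captures to raw bytes.

    Returns a file(1)-style description, or None when the ubelong at
    offset 0 is not the 0xa1b2c3d4 magic.  The byte-swapped 0xd4c3b2a1
    written by little-endian hosts is accepted too (not in the excerpt).
    """
    if len(data) < 24:                      # pcap global header is 24 bytes
        return None
    if data[:4] == b"\xa1\xb2\xc3\xd4":
        endian, label = ">", "big-endian"
    elif data[:4] == b"\xd4\xc3\xb2\xa1":
        endian, label = "<", "little-endian"
    else:
        return None
    # >4 beshort = major version, >6 beshort = minor, >20 belong = link type
    major, minor = struct.unpack(endian + "HH", data[4:8])
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    link = LINKTYPES.get(linktype, "link type %d" % linktype)
    return "tcpdump capture file (%s) - version %d.%d (%s)" % (
        label, major, minor, link)

def make_header(endian: str, major=2, minor=4, linktype=1) -> bytes:
    """Constructed sample: a 24-byte pcap global header with no packets."""
    # fields: magic, major, minor, thiszone, sigfigs, snaplen, network
    return struct.pack(endian + "IHHiIII", 0xA1B2C3D4, major, minor,
                       0, 0, 65535, linktype)

# Constructed stand-in for a home directory; the page's pipeline is
# find ~ -type f -exec file '{}' ';' | grep tcpdump
SAMPLE_FILES = {
    "misc/notes.txt": b"password: see the other file\n",
    "misc/trace.sniff": make_header(">"),                 # big-endian capture
    "tmp/capture.bin": make_header("<", linktype=3),      # little-endian AX.25
    "bin/prog": b"\x7fELF" + bytes(20),                   # some other binary
}

def find_captures(files):
    """Names of the files that file(1) would report as tcpdump captures."""
    return sorted(name for name, data in files.items()
                  if identify_tcpdump(data) is not None)

if __name__ == "__main__":
    for name in find_captures(SAMPLE_FILES):
        print(name, "->", identify_tcpdump(SAMPLE_FILES[name]))
```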

Questions?

Deliberate Deletion

Bad news: sometimes people delete important information on purpose.

Good news: it hasn't gone away.

It's expensive to destroy data.

strings

$ strings "Deleted Items.dbx" | less
hccccc_`aM
___^^^\\c
[XWWWUTR?
mS\i70EJQFca_P@Yr~

and then

S!xL.
"F%%C
Tpp)$
)d'F
i*"0Cu(

but then...

Received: from hotmail.com

Questions?

Click, click, BOOM!

Filesystem errors aren't that bad.

Just fsck

But bad blocks are bad

... and things can only get worse.

SMART disk

Switch on SMART monitoring!

The plan

Underpants Gnomes

1. Steal underpants

chef$ ssh kenny dd if=/dev/hda1 conv=noerror,sync > hda1.img

or

kenny$ dd if=/dev/hda1 conv=noerror,sync | ssh chef 'cat > hda1.img'

2. ???

chef$ losetup /dev/loop/0 hda1.img
chef$ reiserfsck --rebuild-sb /dev/loop/0
chef$ reiserfsck --rebuild-tree /dev/loop/0
chef$ reiserfsck --check /dev/loop/0

3. Profit

chef$ mount /dev/loop/0 /mnt
chef$ cd /mnt/lost+found
chef$ ls /mnt/var/lib/mysql

Questions?

[image: dead Kenny]