[wellylug] big mistake

[Ewen McNeill]

In message <20030826052424.GB7108 at paradise.net.nz>, Volker Kuhlmann writes:
>Most importantly, the partition the file was on must be unmounted
>immediately, this is also regardless of filesystem used. If you don't
>do this step, don't bother with anything else. 

Actually you'd be surprised just how long deleted files can stick around,
especially on an ext2 file system which is otherwise fairly empty.
It's by no means guarenteed, but I've been fairly successful recovering
things even a few days later when someone deleted their only copy of
something -- and someone did a survey of various file systems, from a
security point of view, and found that _sometimes_ deleted files can be
completely retrievable months later.

However, the less you write to the partition after you've deleted
something you need back, the better your chances.  Unmounting or
re-mounting read only is definitely recommended.

There are some tools which automate the ext2 file recovery process, to
the extent it's still possible (basically undeleting everything and
letting you pick which ones to keep).  And I think things like the
coroner's toolkit will offer some automation of the dd the whole disk
and pick out likely stuff.

But nothing is as easy as "just undelete".  So for short text files
retyping it can be easier.

>However, the really magic word in this case is "b a c k u p".

Indeed.

For text files using a version control system (eg, cvs) regularly can be
a cheap easy way to do regular backups -- and you get version history
for free.

Ewen