Tales from the Abyss: UNIX File Recovery
Liam Widdowson and John Ferlito
It is every systems administrator's nightmare -- an important file has been accidentally deleted, falling into the deep abyss where bits and bytes go to die. Typically, this situation presents an inconvenience rather than a tragedy, as the files can be recovered from regular backup media. However, if a systems administrator or developer has significantly modified the file in question since the last backup, a large amount of data may be lost. There are also other situations that systems administrators may face, such as incorrectly configured backup scripts, backup hardware failure, or plain old bad luck. Nothing can replace a proper backup strategy, but this article will outline how whole or partial files can be restored directly from the UNIX file system.
The UNIX File System
Files in UNIX file systems are logical containers of data. Each file has an inode (index node) structure associated with it that contains metadata such as the physical disk blocks the file is stored on, the file owner, permissions, size, etc. [1]. When files are removed, the inodes are not erased from disk but are marked as free. The actual data contained in the files is still on disk and can potentially be retrieved before it is overwritten with new data.
A Tale from the Abyss
Some time ago, a graduate in my team was tasked with developing a Perl CGI-based provisioning and support interface to a product we were developing. Earlier on in the project I showed her how she could use UNIX pipes and redirection to debug her Perl script from a shell rather than exclusively through the Web server. Unfortunately, one day she accidentally typed the following:
$ ./nph-www.pl > nph-www.pl
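That command turned the Perl code into a zero-byte file: the shell opens and truncates the redirection target before it starts the command, so the script was already empty by the time it ran.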
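The truncation can be reproduced safely in a scratch directory, and the shell's noclobber option (`set -C`) prevents it. This is an added example, not part of the original article; the script name demo.sh and its contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: compare "./script > script" with and without noclobber.
# Everything happens in a throwaway directory created by mktemp.

# Print the size in bytes of the file named by $1.
size_of() {
    wc -c < "$1" | tr -d ' '
}

# run_case MODE
#   MODE=default   : plain redirection, as in the article's incident
#   MODE=noclobber : same command with "set -C" active
# Prints "BEFORE AFTER": the script's size before and after the command.
run_case() {
    dir=$(mktemp -d) || return 1
    # Constructed stand-in for the real script (33 bytes).
    printf '#!/bin/sh\necho "hello from demo"\n' > "$dir/demo.sh"
    chmod +x "$dir/demo.sh"
    before=$(size_of "$dir/demo.sh")

    if [ "$1" = noclobber ]; then
        # With noclobber, ">" refuses to overwrite an existing regular file,
        # so the redirection fails and the command is never started.
        ( set -C; cd "$dir" && ./demo.sh > demo.sh ) 2>/dev/null || true
    else
        # The shell opens demo.sh with truncation first, then executes it:
        # the file is already empty when the command starts.
        ( cd "$dir" && ./demo.sh > demo.sh ) 2>/dev/null || true
    fi

    after=$(size_of "$dir/demo.sh")
    rm -rf "$dir"
    echo "$before $after"
}

echo "default:   $(run_case default)"
echo "noclobber: $(run_case noclobber)"
```

With `set -C` in a login profile, an intentional overwrite is still possible with the `>|` operator.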