While at work this week I accidentally deleted some source files I was working on. They were quite large, and a lot of time had been put into these files. I really didn’t want to do the work over since I didn’t really have time.
The mistake was a stupid one, but something that happens to a lot of admins (that’s my story and I’m sticking to it). If you are an admin and say this hasn’t happened to you then you aren’t really an admin, or you have blocked the memory out because of how sickening the ordeal actually was.
I was working on an Ubuntu server, and decided to remove a folder and some tempfiles I was no longer working in. Here is the sequence of events that transpired. If you are a Linux person, you will understand.
>sudo -i
#rm -r tmp *
See, in Ubuntu server, whatever follows the -r switch (recursive remove) is removed without asking you to confirm your selection. Notice the space between tmp and the asterisk? Because of that space, tmp and * are two separate arguments, and anything that does not start with a - is treated as something to remove. So basically, I just asked it to recursively remove everything in the directory and not just the intended files and directories… yeah… ugh… I think I threw up a little.
So what in the world was I to do? Easy, I downloaded RIPLinux (Recovery Is Possible), copied it to a CD, booted the server up with it and WHAM! This Linux distro found my IBM RAID controllers and saw every ext3 partition that I had. I was told long ago that you cannot recover deleted data from ext3. I thought I would give it a try.
I found the programs and started up a program called PhotoRec (short for photo recovery). The program was originally designed to retrieve accidentally deleted images, but had grown to recover just about everything. I stuck in a large USB device to copy the recovered files to and the program immediately recognized it as well. Everything was moving smoothly. The program was iterating through all the deleted clusters block by slow-moving block. I let it sit.
After two hours I came back to find that my USB device was slam full. WOW! PhotoRec wasn’t even done. I copied the contents of the USB device to another server and then restarted the search. Amazingly, I did this 20 times over a period of a week. Yes, I wanted my datas!
Finally, I was finished. I started looking through the files. To my surprise, I found files that were from the server when it was a Windows server. I found files from when it was a Linux server, and from when it was turned back into a Windows server. I found my files as well.
I started to really analyze the data I had collected. I had some old emails that actually had passwords in them. I found one document that was part of our HR folder from 5 years back, and it contained social security numbers. It was amazing what I found.
What is the moral to this story?
If your drive that you are getting rid of to put a larger drive in its place still spins, or spins the slightest, especially after a good tap with a hammer, don’t just throw it away because someone will get it and has your datas very easily. Deleting doesn’t delete. Formatting doesn’t delete. The only way to make sure I don’t has your datas is shred that hard drive.
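Why "deleting doesn't delete", as an added example (not from the original post and not PhotoRec's own code): a simplified signature carver, the general technique tools like PhotoRec rely on, run over a constructed in-memory disk image. The block size, the toy file table in block 0, the two signatures and the sample file contents are all assumptions made for the illustration.

```python
BLOCK = 512  # assumed block size for the constructed image

# (type, header, footer) signatures; real carvers know hundreds of formats.
SIGNATURES = [
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9"),
    ("pdf", b"%PDF-", b"%%EOF"),
]

def pad(data: bytes) -> bytes:
    """Pad data with zero bytes up to the next block boundary."""
    return data + b"\x00" * (-len(data) % BLOCK)

def build_constructed_image() -> bytes:
    """Constructed sample disk: block 0 is a toy file table, blocks 1 and 3
    hold file contents, block 2 is empty."""
    table = b"holiday.jpg@1;hr-records.pdf@3;"
    jpg = b"\xff\xd8\xff\xe0" + b"constructed image bytes" + b"\xff\xd9"
    pdf = b"%PDF-1.4\nSSN: 000-00-0000 (constructed)\n%%EOF"
    return pad(table) + pad(jpg) + b"\x00" * BLOCK + pad(pdf)

def delete_everything(image: bytes) -> bytes:
    """Model of a delete or quick format: only the file table is cleared,
    the data blocks are left exactly as they were."""
    return b"\x00" * BLOCK + image[BLOCK:]

def carve(image: bytes, max_size: int = 1 << 20):
    """Ignore the file table entirely. Return (type, offset, data) for each
    known header on a block boundary whose footer follows within max_size."""
    found = []
    for off in range(0, len(image), BLOCK):
        for kind, header, footer in SIGNATURES:
            if not image.startswith(header, off):
                continue
            end = image.find(footer, off + len(header), off + max_size)
            if end != -1:
                found.append((kind, off, image[off:end + len(footer)]))
    return found

if __name__ == "__main__":
    disk = delete_everything(build_constructed_image())
    for kind, off, data in carve(disk):
        print(f"recovered {kind} at offset {off}: {len(data)} bytes")
```

The carver never consults the file table, which is why clearing it changes nothing about what comes back.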