
			undelete is in ALPHA test!

	Send bug reports and patches to Sebastian Hetze <she@lunetix.de>

----------------------------------------------------------------------------


Deleting a file is one of these tasks, everyone is able to perform quick
and easy. The usual commands doing this kind of work are well known.
With a powerful operating system like Linux it only takes a couple of
keystrokes, and fractions of a second later a file or even a whole
directory has vanished from the file system.

As everybody knows, this usual beneficial feature of Linux can turn
to an desaster, when you delete a file by accident. One single
whitespace turns a command like 'rm *.o' into 'rm * .o'. Once you
recognize the mistake, you already see the message:

	rm: .o: No such file or directory

Now you are very lucky, if you have a recent backup of your source
files. If not, you are in trouble.


Real trouble? Well, not neccessarily. Under certain circumstances
it is possible or even easy to recover deleted files from a linux
file system.

undelete is the tool that helps you to recover deleted files. It is
easy to use, so you don't need to know about file system internals
to recover your data.


	Preconditions for Successful File Recovery
	------------------------------------------

To get all your deleted files back with undelete, you need to meet
a couple of preconditions:

- No more data may have been written to the partition file system
  where your deleted files had been stored.
  This does not only mean creation of new files, but also extension
  of existing ones. Whenever any process writes to the file system, 
  it may allocate one of the blocks former used by the deleted file.
  The new allocated block gets cleared, even if no data has been
  written into it. Obviously, data that has been cleared or overwritten
  by other processes can never be recovered from the file system.

  To hit the reset button works, but this is usually not the best thing
  to do for stopping processes to write to the file system.
  A compiler run can be stopped immediately by hitting ^C or sending
  HUP signals. If you have editors running with open files, you can
  save these files on other partitions, using 'save as' or similar
  commands. You can stop daemons by sending HUP signals or by calling
  the init-script (on of the files in /etc/rc.d/init.d/ or similar)
  with the 'stop' argument.

  To be shure that no process overwrites your deleted files, unmount
  the file system where your deleted file was stored an leave it so
  until all your data has been recovered.

- Undelete works only for ext2 file systems. If your file was stored
  on a minix, xiafs or the old ext file system, undelete can not help
  you.

- For best results, you must have run a kernel version 2.1.44 or later.
  Older kernels clear the contents of the indirect block lists when
  deleting a file. These blocks are used to store file system data for
  files larger than 12 kBytes. Therefor, with older kernels you can
  undelete only files up to that size without hazzle.

  It does not matter, what kernel version is running to recover the
  the deleted file. What matters is the version of the kernel that
  was running while deleting the file.

- You need to have a second partition (maybe a floppy) ready to save
  the recovered files on. Undelete is not meant to recover file data
  in place. Undelete should run on unmounted partitions only. Saving
  data on the same partition where the deleted file was stored may
  overwrite yet unrecovered data while writing the file.

- You need read permission for the device file (partition) where the
  data to be recovered was stored on. You do not need to have root
  permissions to run undelete, but you have to have root permissions
  to change the mode of the device file


	Deleted File Recovering HOWTO
	-----------------------------

If you have accidently deleted a file and meet the above listed
preconditions, you can use undelete to recover the file data.
(Resumed: the ext2 partition with the deleted file is unmounted, you
have read permission for the device file and you have sufficient space in
the current directory to hold all data that is due to be recovered.)

You might want to create a new directory to store the recovered files
before you start. Change into that directory before you run the
undelete program. The current version of undelete can store files only
in the working directory. This is the directory where it was started.

If for example the deleted file was stored on the partition /dev/hda3,
you would enter the following command at the shell prompt:

	$ undelete -d /dev/hda3 -a 2

The -d argument is obviously for the device file. The second argument
is optional and tells the program how many hours ago the file was
deleted. This argument defaults to 24 hours. On busy systems, where
lots of temporary files are created and deleted, a more accurate limit
might be useful. On the other hand, it might be desirable and possible
to recover files even a week after the deletion.

Once the program starts up, a screen like that will appear:


+---------------------------------------------------------+
|                                                         |
|                                                         |
|                                                         |
|                                                         <--datawindow
|                                                         |
|                                                         |
|                                                         |
+----------------------------+----------------------------+
|unknown_DIR_1223 <<----     |Inode Nr.     1223          |
|unknown_1013                |User ID:     500            |
|unknown_DIR_123             |Mode:      40775            |
|project_main.c              |Size:       1024            <--infowindow
|util.c                      |D-Time:   Thu Jul 24 09:12  |
|mydatafile                  |                            |
|unknown_155                 |                            |
|unknown_277                 +----------------------------+
|unknown_444                 |ready      type [?] for help<--statuswindow
+-------------|--------------+----------------------------+
              |
	      +-------- listwindow

The listwindow displays a list of all inodes of deleted files that are
not older than the age given on the commandline. The last deleted file
is listed first.
Directories are similar to files, so they are listed among ordinary
files.
In general, the names of the deleted files get lost when their directory
entries are cleared. However, if a whole directory is deleted, the
names of all files that were linked with that directory can be
recovered. In the example above, you can see a couple of listed inodes
with unknown filenames and some with successful recovered filenames.
The unknown names have the inode number as suffix.

One entry in the inode list is highlighted (selected). You select
another inode by using the cursor and PAGE_UP or PAGE_DOWN keys.

You see more information about the selected inode/file in the
infowindow right of the listwindow. If a filename could not be recovered
automatically, this information can help you to find the file you want
to recover amongst those that you intentionally deleted.
To examine the contents of a file, you can hit RETURN and use the keys
[h], [j], [k] and [l] (like in vi) to display the file data in the
datawindow and scroll back and forth.

If you want to change the filename, you can enter a new one after
hitting the key [n]. The new ENTERed name will be displayd in the
list window.

To save the selected file, just hit the key [s]. If your file is
at most 12288 bytes long or you were running Linux-2.1.44 or later
when deleting the file, your data should be recovered.


You can see information about the current status of the program in
the statuswindow. A short help summary is displaied after hitting
the key [?].
