We will try to find out the inode numbers of the deleted directories.
# debugfs /dev/hdy1 |
Walk to that place in the structure where the directories were located before the deletion. You can use ls and cd inside debugfs.
debugfs: ls -l |
Example of output from the above command.
179289 20600 0 0 0 17-Feb-100 18:26 file-1 918209 40700 500 500 4096 16-Jan-100 15:18 file-2 160321 41777 0 0 4096 3-Jun-100 06:13 file-3 177275 60660 0 6 0 5-May-98 22:32 file-4 229380 100600 500 500 89891 19-Dec-99 15:40 file-5 213379 120777 0 0 17 16-Jan-100 14:24 file-6 |
Description of the fields.
Inode number.
First two (or one) numbers represents the kind of inode we got:
2 = Character device
4 = Directory
6 = Block device
10 = Regular file
12 = Symbolic link
Last four numbers are the usual Unix rights.
Owner in number representation.
Group in number representation.
Size in bytes.
Date (Here we can see the Y2K bug =)).
Time.
Filename.
Now dump the mother directory to disk. Here inode is the corresponding inode number (do not forget the '<' and '>').
debugfs: dump <inode> debugfs-dump |
Get out of debugfs.
debugfs: quit |