We will try to find out the inode numbers of the deleted directories.
Walk to that place in the structure where the directories were located
before the deletion. You can use ls and
cd inside debugfs.
Example of output from the above command.
179289 20600 0 0 0 17-Feb-100 18:26 file-1
918209 40700 500 500 4096 16-Jan-100 15:18 file-2
160321 41777 0 0 4096 3-Jun-100 06:13 file-3
177275 60660 0 6 0 5-May-98 22:32 file-4
229380 100600 500 500 89891 19-Dec-99 15:40 file-5
213379 120777 0 0 17 16-Jan-100 14:24 file-6 |
Description of the fields.
Inode number.
First two (or one) numbers represents the kind of inode we got:
2 = Character device
4 = Directory
6 = Block device
10 = Regular file
12 = Symbolic link
Last four numbers are the usual Unix rights.
Owner in number representation.
Group in number representation.
Size in bytes.
Date (Here we can see the Y2K bug =)).
Time.
Filename.
Now dump the mother directory to disk. Here inode is
the corresponding inode number (do not forget the '<' and '>').
debugfs: dump <inode> debugfs-dump |
Get out of debugfs.