Linuxdoc Linux Questions
Click here to ask our community of linux experts!
Custom Search

4. Finding inodes for deleted directories

We will try to find out the inode numbers of the deleted directories.

        # debugfs /dev/hdy1

Walk to that place in the structure where the directories were located before the deletion. You can use ls and cd inside debugfs.

        debugfs: ls -l

Example of output from the above command.

        179289  20600      0      0       0 17-Feb-100 18:26 file-1
        918209  40700    500    500    4096 16-Jan-100 15:18 file-2
        160321  41777      0      0    4096  3-Jun-100 06:13 file-3
        177275  60660      0      6       0  5-May-98  22:32 file-4
        229380 100600    500    500   89891 19-Dec-99  15:40 file-5
        213379 120777      0      0      17 16-Jan-100 14:24 file-6

Description of the fields.

  1. Inode number.

  2. First two (or one) numbers represents the kind of inode we got:

    2 = Character device

    4 = Directory

    6 = Block device

    10 = Regular file

    12 = Symbolic link

    Last four numbers are the usual Unix rights.

  3. Owner in number representation.

  4. Group in number representation.

  5. Size in bytes.

  6. Date (Here we can see the Y2K bug =)).

  7. Time.

  8. Filename.

Now dump the mother directory to disk. Here inode is the corresponding inode number (do not forget the '<' and '>').

        debugfs: dump <inode> debugfs-dump

Get out of debugfs.

        debugfs: quit