[solved] catastrophic event, file recovery on ext3

--- Quote from: magic on October 22, 2019, 12:02:22 pm ---
--- Quote from: legacy on October 21, 2019, 10:02:24 pm ---But ... I was not so lucky to find the folder "/home/project/DT11", probably because overwritten by the resync. At least, the inode that describes the folder "project" is gone, but other inodes might still be there.

--- End quote ---
I believe ext3 journals writes to directory data blocks so full information about older revisions of this directory should be found in the journal.
So start with reviewing older revisions of /home inode. See what directory data blocks it points to (may be the same blocks as the current revision of /home). Find older revisions of those blocks in the journal. They will point you to your file inodes.

Of course no guarantee that file data are not overwritten.

--- End quote ---

In parallel, we cloned the harddrive for a second mac-mini/x86 which is still processing.

sort of for inode={2 to ....}, process(inode)

So, this approach is very very slow.

Two tools have been developed during this story:

* a text viewer (similar to hexedit, but *text* and) able to open a giant file of 40GByte, processing data only if they look "printable" "strings"
* a pattern matching searcher (similar to grep but) able to work within a region (given start address and end address regarding the seek position in the input big file, and able to) grab stuff when it sees a matching pattern, and stop grabbing when it sees a stop pattern
grab between 0x410FAD9A1 and 0x0x610FAD9A1, everything that begins with "/*" untill you see '\0'

This generated some local files, mostly are false positive, but this way it extracted the 90% of lost C files.

Thank everyone for the support. It's much more than appreciated  :D

You're lucky there legacy, I was just about to quote your troll and log post. :)
It took me ages to decide where it was from, and the timestamps were out of order. :-//


