#==============================================================================
# R.A.L.F. (Recover A Lost File)
# Syntax: $0 <filename>
#------------------------------------------------------------------------------
# Ralf is just a shell script that automates the manual steps required to
# restore a (accidentally) deleted file from a modern ext2/ext3 file system.
# For other *nix file systems there may be easier solutions - though Ralf
# should also be able to handle them, as long as they work with iNodes.
#------------------------------------------------------------------------------
# Requires: photorec OR foremost
# Requires: sleuthkit (at least fsstat, dls and fls from that package)
#==============================================================================

Introduction
============
The concept of Ralf is based on an article I found in the InterNet - while
looking for a way to recover (accidentally) deleted files from Ext2/Ext3
file systems (see
http://www.lonerunners.net/blog/archives/1056-How-to-recover-data-and-deleted-files-from-Ext3-partitions.html)
Sure, almost everybody seems to be quite sure that it is impossible to undelete
such a file - and so almost everybody is wrong, as the few exceptions prove.
There are excellent tools available to forensic research, which can restore
almost everything.

To mention the tools first: PhotoRec (http://www.cgsecurity.org/wiki/PhotoRec)
is far the best I found - it supports the widest range of file types, and is
available on *nix and *dows system as well. The same task is fulfilled by
foremost (http://foremost.sourceforge.net/), just less file formats are
supported. And then there is sleuthkit (http://sleuthkit.org/), a whole
forensic toolbox...

Concept
=======
On the "good old" FAT system, undeleting was as easy as edit the File Allocation
Table, changing the first character of the deleted file name from "?" to
something else - and the file immediately re-appeared visible in the file
system. With Ext3, this is not even nearly as easy: When you delete a file in an
Ext3 file system, the connection between the "MetaData" (Filename, CreationDate,
which file system blocks are occupied by this file, and the like) and the
"Content" (i.e. the real data) is destroyed and lost - so you no longer can
look it up in any "table"...

The web page mentioned above describes a way how it can still be rescued: As
long as it was not overwritten, both the iNode and the data blocks are still
available - they are just no longer connected with each other. If we don't
know the file name and its location any longer, tools like PhotoRec and
foremost can scan all (free) data blocks within the file system for known
signatures, to identify the file type and, hopefully, restore the file. But
on a large disk, this will restore a lot of files - so we somehow need to
restrict the search area.

If we know the file name, we can do so - and this is where Ralf (and the
concept from that web page) come into play:

fls   : This helper scans the iNode information, and its output contains
        things like the file names, creation/modification time, etc. together
	with the iNode holding this information
fsstat: iNodes are organized in groups, and each group has a given area
        assigned on the hard disk to store the real data. So if we know
        our iNode, we can use fsstat to find the group it belongs to, and
        grep a range of file system blocks the file must have been stored to.
dls   : We use this tool to extract the blocks we just found to a file
        system image - and then we can use this image to retrieve our lost
	file from (and won't find too much other files as a side-effect)

Now, instead of half a Terrabyte to scan for, we have limited this to a few
megabytes (or even less). We can use PhotoRec or foremost on the image file
created by dls, and as a result we find e.g. 6 files to decide between
(instead of 6.000 otherwise). Still, the files NAME is lost: Imagine we
searched for "example.txt" - but as a result, we got back 6 *.txt files.
Since we do not know which of them belonged to what iNode, we cannot
automatically tell which is the file we wanted to restore - but that's
nothing of a problem, compared to the alternative: The file lost completely...

R.A.L.F.
========
So what does Ralf do? It simply automatizes the steps you also could do
manually:
* find the correct file system and adjust the file name, so we know how to
  call fls and what to search for in its output
* evaluate the output of fls, call fsstat and find the match
* call dls and extract the correct data blocks
* call PhotoRec / foremost and extract the content of the image

So instead of doing all those steps manually, you just call Ralf with the
name of the file to recover - and Ralf does the job. The only thing left to
you is: Evaluate the results, and rename your file.
