who, what deleted a file?
Posted by Jhuola Hoptire on January 23rd, 2004


Using Fedora Core 1:
Is there any way to find out when and how
(which process, user) a file was deleted?

Posted by Davide Bianchi on January 23rd, 2004


Jhuola Hoptire <JH@nothere.com> wrote:
No.
Davide

--
| Doing things randomly is what Admins do best. clickety-click -- Joe
| Moore on alt.sysadmin.recovery

Posted by Robert Nichols on January 24th, 2004


In article <hC9Qb.45973$mU6.172703@newsb.telia.net>,
Jhuola Hoptire <JH@nothere.com> wrote:
:Using Fedora Core 1:
:Is there any way to find out when and how
:(which process, user) a file was deleted?

The answer is pretty much, "No." If you happen to know the inode
number of the deleted file and that inode has not been re-used, you
can run 'debugfs' on the file system, do a "stat <inode_number>" on
that inode (that's _with_ the <> brackets), and look at "dtime:" to
see when it was deleted. In the unlikely event that you have been
collecting per-process accounting data on that system, you could see
what processes were running at that time. That's about as close as
you can come.

--
Bob Nichols AT interaccess.com I am "rnichols"
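Robert's debugfs check, as an added example that is not part of the thread: it builds a throwaway ext2 image in a temp directory, adds a file through debugfs, records the file's inode number, deletes it with debugfs's own rm, and then reads "dtime:" back from "stat <inode>". Nothing is mounted, so no root is needed. The image path, the file name "evidence.txt" and the 4 MiB size are this example's own choices; it assumes e2fsprogs (mke2fs, debugfs) is installed. The caveat from the post still applies: dtime survives only until the inode is reallocated.

```shell
#!/bin/sh
# Added example (not from the thread): Robert Nichols's "stat <inode>" check
# reproduced on a scratch ext2 image. debugfs reads and, with -w, writes the
# image file directly, so the filesystem is never mounted and no root is needed.
# Assumes e2fsprogs (mke2fs, debugfs) is on PATH; names and sizes are made up.
set -e

# Build a 4 MiB ext2 image, add evidence.txt, note its inode, delete it, and
# print "inode=<n> dtime=<hex>" taken from the orphaned inode's dtime field.
find_dtime() {
    work=$(mktemp -d)
    img="$work/fs.img"
    dd if=/dev/zero of="$img" bs=4096 count=1024 2>/dev/null
    mke2fs -q -F -t ext2 "$img" >/dev/null 2>&1

    printf 'constructed sample content\n' > "$work/src.txt"
    debugfs -w -R "write $work/src.txt evidence.txt" "$img" >/dev/null 2>&1

    # "stat evidence.txt" starts with "Inode: 12   Type: regular ..."; keep the number.
    ino=$(debugfs -R "stat evidence.txt" "$img" 2>/dev/null |
          sed -n 's/^Inode: \([0-9][0-9]*\).*/\1/p')

    # Remove the directory entry and free the inode; debugfs stamps dtime now,
    # just as the kernel does for a normal unlink.
    debugfs -w -R "rm evidence.txt" "$img" >/dev/null 2>&1

    # Angle brackets make debugfs address the inode number rather than a path.
    # dtime is printed only when non-zero; with 256-byte inodes the line is
    # " dtime: 0x...:(...) -- <date>", so stop at the first non-hex character.
    dtime=$(debugfs -R "stat <$ino>" "$img" 2>/dev/null |
            sed -n 's/^[[:space:]]*dtime: \(0x[0-9a-f]*\).*/\1/p')

    rm -rf "$work"
    printf 'inode=%s dtime=%s\n' "$ino" "$dtime"
}

if command -v mke2fs >/dev/null 2>&1 && command -v debugfs >/dev/null 2>&1; then
    find_dtime
else
    echo "e2fsprogs (mke2fs, debugfs) not found; nothing to demonstrate" >&2
fi
```

On a real system you would point debugfs at the block device (read-only, e.g. `debugfs /dev/sda1`) and need the inode number from an old `ls -i` listing or a backup index; the hex value is seconds since the epoch and can be converted with `date -d @$((0x...))` on GNU date.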

Posted by Vampire at Wicked Empire on January 27th, 2004


Jhuola Hoptire wrote:
If there is only one file deleted in the directory,
you can see the modified time of the directory to know the time when
the deleting occurred.


--
My projects:
http://fftv.sourceforge.net
http://tcron.sourceforge.net
http://www.csie.nctu.edu.tw/~cp76/gcb

Posted by Alan Connor on January 27th, 2004


On Tue, 27 Jan 2004 11:04:11 +0800, Vampire at Wicked Empire <vampire001@localhost.localdomain> wrote:
If it was deleted by a user, the OP might be able to find the command to do so
in their command history, and make a guess based on their login period for
that session.

And the logs for any programs that depended on that file might give the
approximate time it was deleted....


AC


Posted by RRB on January 27th, 2004


Jhuola Hoptire wrote:
One could write a rm script that is called instead of the original rm,
that logs somewhere all the details of the file being removed, perhaps
simply an ls -li...

RRb sohe
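A wrapper of the kind RRB suggests, as an added example that is not RRB's script: before handing the arguments to the real /bin/rm it writes who is removing what (user, pid, parent pid, working directory and the `ls -li` line with the inode) to a log file. The log location `~/.rm-audit.log` and the line format are this example's own choices; the demo at the end removes a constructed temp file through the wrapper and shows the resulting log line.

```shell
#!/bin/sh
# Added example (not RRB's script): an rm front-end that records user, pid,
# cwd and "ls -li" details of each target before calling the real rm.
# RM_LOG's default location is an assumption; override it in the environment.
set -e

RM_LOG="${RM_LOG:-$HOME/.rm-audit.log}"

# log_and_rm [rm options] PATH...  -- logs every existing target, then runs rm.
log_and_rm() {
    ts=$(date '+%Y-%m-%dT%H:%M:%S%z')
    who=$(id -un)
    for arg in "$@"; do
        case "$arg" in -*) continue ;; esac      # pass options such as -r, -f through untouched
        [ -e "$arg" ] || [ -L "$arg" ] || continue
        # ls -ldi: inode, mode, link count, owner, group, size, mtime, name
        # (-d so a directory target is listed itself, not its contents)
        printf '%s user=%s pid=%s ppid=%s cwd=%s target=%s\n' \
            "$ts" "$who" "$$" "$PPID" "$PWD" "$(ls -ldi "$arg")" >> "$RM_LOG"
    done
    # Call the binary by path: if this is installed as a script named rm earlier
    # in PATH, "command rm" would find the wrapper itself.
    /bin/rm "$@"
}

# Demonstration on a constructed file; prints the log line that was written.
demo_log_and_rm() {
    work=$(mktemp -d)
    RM_LOG="$work/rm-audit.log"
    printf 'constructed sample\n' > "$work/victim.txt"
    log_and_rm -f "$work/victim.txt"
    cat "$RM_LOG"
    /bin/rm -rf "$work"
}

demo_log_and_rm
```

To use it interactively, `alias rm=log_and_rm` in the shell's rc file, or install it as a script named rm ahead of /bin in PATH. As the next reply points out, this only sees deletions that go through rm; unlink() called from any other program, a file manager, or an editor's save-and-rename leaves no trace here.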


Posted by news@roaima.freeserve.co.uk on January 27th, 2004


RRB <removethis.basv@removethis.gmx.at> wrote:
That only works if you use rm to delete the file. There are many other
ways of deleting a file from a filesystem, and to catch most of them
you'd have to modify the standard C libraries. To be 100% sure you'd
caught everything, you'd need to modify the kernel itself.

Hmm... it doesn't feel that difficult: you could try putting a printk()
statement into the guts of vfs_unlink() in fs/namei.c. You've got the
userid and (obviously) the file path, and syslog would report the
current date/time.

Chris
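What Chris sketches as a printk() in vfs_unlink() is, on a current Linux, what the audit subsystem already records: a SYSCALL record with uid, auid, pid and comm, a CWD record, and PATH records that flag the removed entry with nametype=DELETE. This added example (not code from the thread) shows the auditctl rules that produce those records and an awk filter that joins the records of one event by their serial number into a single line per deletion. The audit.log excerpt is constructed; the paths, uids, pids and the key name "file-delete" are invented for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): the kernel-side logging Chris describes,
# done with the Linux audit subsystem. summarize_deletes() turns the raw
# SYSCALL/CWD/PATH records into one line per deleted path. All sample data
# below is constructed for the demo.
set -e

# Rules a practitioner would load (need root and auditd; shown, not run here).
# Both ABIs are covered so a 32-bit binary cannot slip past the 64-bit rule.
#   auditctl -a always,exit -F arch=b64 -S unlink -S unlinkat -F dir=/home/jhuola -k file-delete
#   auditctl -a always,exit -F arch=b32 -S unlink -S unlinkat -F dir=/home/jhuola -k file-delete
# Afterwards: ausearch -k file-delete, or feed /var/log/audit/audit.log to the filter.

# Constructed audit.log excerpt: an rm(1) of an absolute path, an unrelated
# openat() by cron that must be ignored, and an os.unlink() from python3 that
# names the file relative to its CWD.
SAMPLE_AUDIT_LOG='type=SYSCALL msg=audit(1706000000.123:456): arch=c000003e syscall=87 success=yes exit=0 a0=7ffd1 a1=0 a2=0 a3=0 items=2 ppid=1234 pid=5678 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="rm" exe="/usr/bin/rm" key="file-delete"
type=CWD msg=audit(1706000000.123:456): cwd="/home/jhuola"
type=PATH msg=audit(1706000000.123:456): item=0 name="/home/jhuola" inode=131074 dev=08:01 mode=040755 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1706000000.123:456): item=1 name="/home/jhuola/notes.txt" inode=131089 dev=08:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=DELETE
type=SYSCALL msg=audit(1706000100.500:457): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd2 a2=0 a3=0 items=1 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="cron" exe="/usr/sbin/cron" key=(null)
type=PATH msg=audit(1706000100.500:457): item=0 name="/etc/crontab" inode=5011 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1706000200.750:458): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=55aa1 a2=0 a3=0 items=2 ppid=5600 pid=5700 auid=1000 uid=1001 gid=1001 euid=1001 tty=pts1 ses=3 comm="python3" exe="/usr/bin/python3.11" key="file-delete"
type=CWD msg=audit(1706000200.750:458): cwd="/home/jhuola/work"
type=PATH msg=audit(1706000200.750:458): item=0 name="." inode=131100 dev=08:01 mode=040755 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1706000200.750:458): item=1 name="draft.txt" inode=131120 dev=08:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=DELETE'

# Read audit records on stdin; print one line per deleted path, oldest first.
# auid is the login uid, which survives su/sudo, so it names the person; uid is
# the effective identity at the time of the unlink.
summarize_deletes() {
    awk '
    {
        split("", rec)                       # key=value fields of this record
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            if (eq == 0) continue
            k = substr($i, 1, eq - 1); v = substr($i, eq + 1)
            gsub(/"/, "", v)
            rec[k] = v
        }
        # msg=audit(SECS.MSEC:SERIAL): the serial ties one event'"'"'s records together
        if (split(rec["msg"], m, /[(:)]/) < 3) next
        serial = m[3]; when[serial] = m[2]
        if (rec["type"] == "SYSCALL") {
            ev[serial, "auid"] = rec["auid"]; ev[serial, "uid"]  = rec["uid"]
            ev[serial, "pid"]  = rec["pid"];  ev[serial, "ppid"] = rec["ppid"]
            ev[serial, "tty"]  = rec["tty"];  ev[serial, "comm"] = rec["comm"]
            ev[serial, "exe"]  = rec["exe"]
        } else if (rec["type"] == "CWD") {
            ev[serial, "cwd"] = rec["cwd"]
        } else if (rec["type"] == "PATH" && rec["nametype"] == "DELETE") {
            ev[serial, "name"] = rec["name"]; ev[serial, "inode"] = rec["inode"]
            deleted[serial] = 1
        }
    }
    END {
        for (s in deleted) {
            name = ev[s, "name"]
            # PATH names are as the caller passed them; resolve relative ones against CWD
            if (name !~ /^\//) name = ev[s, "cwd"] "/" name
            printf "time=%s serial=%s auid=%s uid=%s pid=%s ppid=%s tty=%s comm=%s exe=%s deleted=%s inode=%s\n",
                when[s], s, ev[s, "auid"], ev[s, "uid"], ev[s, "pid"], ev[s, "ppid"],
                ev[s, "tty"], ev[s, "comm"], ev[s, "exe"], name, ev[s, "inode"]
        }
    }' | sort
}

# Run the filter over the constructed excerpt.
demo_summary() {
    printf '%s\n' "$SAMPLE_AUDIT_LOG" | summarize_deletes
}

demo_summary
```

The second output line is the point Chris makes against the rm wrapper: the deletion came from python3 via unlinkat(), never touched rm, and is still attributed to pid, uid and login uid with the full path and the inode of the removed file. Events that do not carry a nametype=DELETE item (the cron openat() here) are dropped.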

