Undelete Files in Linux with Lazarus and Unrm


This is an approach to undeleting a file using a combination of unrm and lazarus.

Unrm is a simple tool that opens the named device and copies data blocks. By default, unrm copies unallocated data blocks only. For this example we will use this command:

unrm /dev/hda1 > undelete.bin

Depending on the size of your filesystem, this file can grow to an enormous size pretty quickly. I had to stop it when it reached 5.2 GB. Since I am doing this for demonstration purposes, I don't see any reason to create 60+ GB worth of free data blocks, which is what unrm would eventually end up producing on my system. I should have enough data blocks to undelete some files.

For the second part of this example we will use lazarus. Lazarus is one of the few noncommercial tools available to the general public that attempt to undelete files from an offline file system. Lazarus has been reported to undelete files from UFS, EXT2, NTFS, and FAT32 file systems.

Lazarus analyzes the data resulting from unrm. Because lazarus writes out more information than it reads from the unrm file, we can expect to need as much free space to run this tool as we did for unrm. Therefore, if the file system was 2GB, and 1.5GB were free, unrm will need 1.5GB free on the forensic workstation, and lazarus will need up to another 1.5GB free. A full analysis takes a long stretch of uninterrupted processing to complete.

For this example we will use:
lazarus -h /home/pavs -D /home/pavs /home/pavs/undelete.bin
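To make the second step concrete, here is an added example (not code from the original post, and not TCT's own lazarus source) of the kind of block typing lazarus performs on an unrm dump: each fixed-size block is classified by its leading bytes or by a printable-text heuristic, header blocks start a new candidate file, and continuation blocks are appended until a zero block or a new header breaks the run. The 1 KiB block size, the signature table, and the one-letter map codes are assumptions chosen for the example, and the dump it scans is constructed in memory rather than read from /dev/hda1.

```python
"""Lazarus-style block classification over an unrm-style dump.

Added example: it mimics the idea of typing unallocated blocks and
grouping them into candidate files. Block size, signatures and map
letters are assumptions for this demo, not lazarus's own tables.
"""
from dataclasses import dataclass

BLOCK_SIZE = 1024  # assumption: treat the dump as 1 KiB blocks

# Magic numbers checked at the start of a block (constructed list).
SIGNATURES = [
    ("jpeg", b"\xff\xd8\xff"),
    ("png", b"\x89PNG\r\n\x1a\n"),
    ("gzip", b"\x1f\x8b"),
    ("elf", b"\x7fELF"),
    ("pdf", b"%PDF-"),
]

# One letter per block for a compact overview map (constructed codes).
MAP_CODES = {"jpeg": "J", "png": "P", "gzip": "Z", "elf": "E",
             "pdf": "D", "text": "T", "binary": "B", "zero": "."}


def classify_block(block: bytes) -> str:
    """Return a type name for one block: zero, a known header, text or binary."""
    if not block.strip(b"\x00"):
        return "zero"
    for name, magic in SIGNATURES:
        if block.startswith(magic):
            return name
    # Text heuristic: almost everything is printable ASCII or whitespace.
    printable = sum(1 for b in block if 32 <= b < 127 or b in (9, 10, 13))
    return "text" if printable / len(block) > 0.95 else "binary"


@dataclass
class Run:
    kind: str    # type of the header block that opened this candidate file
    start: int   # index of the first block in the dump
    length: int  # number of blocks in the run


def _continues(run_kind: str, block_kind: str) -> bool:
    """Decide whether a non-header block extends the current run."""
    if block_kind == "text":
        return run_kind == "text"
    if block_kind == "binary":
        return run_kind != "text"  # any binary-format run accepts binary data
    return False  # a recognised header always opens a new run


def block_map(dump: bytes, block_size: int = BLOCK_SIZE) -> str:
    """One letter per block, in dump order."""
    return "".join(MAP_CODES[classify_block(dump[i:i + block_size])]
                   for i in range(0, len(dump), block_size))


def carve(dump: bytes, block_size: int = BLOCK_SIZE) -> list:
    """Group blocks into candidate files; zero blocks terminate a run."""
    runs, current = [], None
    for idx, off in enumerate(range(0, len(dump), block_size)):
        kind = classify_block(dump[off:off + block_size])
        if kind == "zero":
            current = None
            continue
        if current is not None and _continues(current.kind, kind):
            current.length += 1
            continue
        current = Run(kind, idx, 1)
        runs.append(current)
    return runs


def extract(dump: bytes, run: Run, block_size: int = BLOCK_SIZE) -> bytes:
    """Return the raw bytes of one candidate file."""
    return dump[run.start * block_size:(run.start + run.length) * block_size]


# Constructed sample dump: JPEG header + data, a zero block, two text
# blocks, then an ELF header followed by one block of binary data.
_NOISE = (bytes(range(256)) * 4)[:BLOCK_SIZE]
SAMPLE_DUMP = (
    b"\xff\xd8\xff\xe0" + _NOISE[:BLOCK_SIZE - 4]
    + _NOISE
    + b"\x00" * BLOCK_SIZE
    + (b"hello world\n" * 86)[:BLOCK_SIZE]
    + (b"hello world\n" * 86)[:BLOCK_SIZE]
    + b"\x7fELF" + _NOISE[:BLOCK_SIZE - 4]
    + _NOISE
)

if __name__ == "__main__":
    print("map:", block_map(SAMPLE_DUMP))
    for r in carve(SAMPLE_DUMP):
        print(f"{r.kind}: blocks {r.start}-{r.start + r.length - 1}, "
              f"{len(extract(SAMPLE_DUMP, r))} bytes")
```

Running the script on the constructed dump prints a map of JB.TTEB and three candidate files (a JPEG, a text fragment and an ELF), which is the same shape of result lazarus gives you: block-level guesses that still need a human to verify, since a continuation block may belong to an unrelated file that happened to follow on disk.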

For some reason (I am not exactly sure why, but someone can correct me here), my resulting binary file was in txt format instead of html. But the result was the same nevertheless.

[Screenshot: 2007-12-26-080354_1280x800_scrot]

For more information about unrm:
http://staff.washington.edu/dittrich/talks/blackhat/tct/man/man1/unrm.1.html

Information about lazarus: http://www.porcupine.org/forensics/tct.html
