Originally Posted by @nthony
Is there any way I can "lock" the sector/blocks where the directory/file is located from further use?
Not without some special utility. Basically, you'd allocate those blocks to a "dummy" file to prevent them from being used by something else. Similar to actually undeleting it, actually.
Also, I've used grep with files before, but how would I "grep" my hard drive in terms of raw bytes? Also, are there any concerns I should worry about when mounting my NTFS drive with Knoppix?
You don't have to mount it at all. Just grep the raw partition. Your drive will be designated by a file either /dev/hdX or /dev/sdX, where X is a partition number. For instance, if your drive is IDE and it's the primary drive, the partitions will be labeled /dev/hda1, /dev/hda2, etc. So...
Code:
# -a treats the raw device as text; -o makes -b report the offset of the match itself
$ grep -a -b -o "something distinctive" /dev/hda1
This will search the first partition of the primary IDE disk for occurrences of "something distinctive," and print out the byte position of the match, if found. Then, you can use the "dd" utility to extract the raw data.
Try the grep first -- if it works, I'll explain the exact usage of dd.
EDIT: In the meantime, don't do ANYTHING on your box. The most recently deleted files are the best candidates to be overwritten by new activity.
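
The grep-then-dd procedure described in the post above, as an added example that is not part of the original thread: it builds a small constructed image file standing in for /dev/hda1, finds the byte offset of the string, and extracts the surrounding bytes with dd. The function names, the sample text and the scratch file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. IMG stands in for a raw partition such as /dev/hda1; here it is
# a constructed scratch file, so nothing below touches a real disk.

# find_offsets PATTERN IMAGE -> byte offset of every match, one per line
#   -a  treat binary data as text (without it grep only reports "Binary file matches")
#   -b -o  print the offset of the match itself, not of the "line" holding it
#   -F  fixed string, no regex interpretation
find_offsets() {
    LC_ALL=C grep -a -b -o -F -e "$1" "$2" | cut -d: -f1
}

# carve IMAGE OFFSET BEFORE LENGTH -> LENGTH bytes, starting BEFORE bytes ahead of
# OFFSET. Read-only; redirect stdout to a different disk than the one being recovered.
# bs=1 keeps skip/count in bytes (exact but slow on large extracts).
carve() {
    start=$(( $2 - $3 ))
    if [ "$start" -lt 0 ]; then start=0; fi
    dd if="$1" bs=1 skip="$start" count="$4" 2>/dev/null
}

# build_sample_image PATH -> constructed 12 KiB image holding one leftover text fragment
build_sample_image() {
    dd if=/dev/zero of="$1" bs=4096 count=3 2>/dev/null
    printf 'Dear diary, something distinctive happened today.' |
        dd of="$1" bs=1 seek=5000 conv=notrunc 2>/dev/null
}

# Demo: search the constructed image, then pull out 12 bytes before each hit and 49 in total.
img=$(mktemp)
build_sample_image "$img"
for off in $(find_offsets "something distinctive" "$img"); do
    printf 'match at byte %s: ' "$off"
    carve "$img" "$off" 12 49
    echo
done
rm -f "$img"
```

On a real recovery the image argument would be the unmounted partition device, and the carved output should be written to separate media so the extraction itself cannot overwrite the deleted data.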