On Tue, Apr 22, 2003 at 09:00:11PM +0200, Christian K?nning wrote:
> /var/log, symlinked /root/.bash_history > /dev/null, etc.
> Is there any way to recover the evidences, e.g. the /var/log/ directory?
> (ext2)

Examine your /dev/swap after following advice in other replies about making sure things are RO. You'll want to do a swapoff to preserve the evidence right away. Best if you pull the ether cable and work off a local console while you do any of this. You'd be amazed what you can find in /dev/swap ;-)
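
Added example, not part of the original post: a small carver that pulls classic syslog-format lines out of a raw copy of the swap area, where fragments of deleted /var/log content may survive in stale pages. It assumes you work on an image copy rather than the live device; the regex, function names and sample bytes are constructed for illustration.

```python
import mmap
import os
import re
import tempfile

# Classic BSD syslog record: "Apr 22 20:58:01 host prog[pid]: message"
SYSLOG_RE = re.compile(
    rb"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) [ \d]\d "
    rb"\d{2}:\d{2}:\d{2} [\w.-]+ [\w./-]+(?:\[\d+\])?: [\x20-\x7e]{1,1024}"
)


def carve_syslog(image_path):
    """Return [(byte_offset, text)] for syslog-looking records in a raw image."""
    with open(image_path, "rb") as f:
        # Read-only mapping: the evidence copy is never written to, and the
        # image does not have to fit in memory.
        with mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as image:
            # Offsets are kept so every hit can be re-located in the copy.
            return [(m.start(), m.group().decode("ascii"))
                    for m in SYSLOG_RE.finditer(image)]


def build_sample_image(path):
    """Write a constructed stand-in for a swap copy (not real incident data)."""
    filler = bytes(range(256)) * 16  # one 4096-byte page of non-log bytes
    with open(path, "wb") as f:
        f.write(filler)
        f.write(b"\xff\x13binary junk\x00")
        f.write(b"Apr 22 20:41:07 gw sshd[812]: Accepted password for root\n")
        f.write(filler)
        f.write(b"Apr  3 04:02:11 gw cron[1033]: (root) CMD (run-parts)\x00")
        f.write(filler)


def demo():
    """Carve the constructed image and return the hits."""
    fd, path = tempfile.mkstemp(suffix=".img")
    os.close(fd)
    try:
        build_sample_image(path)
        return carve_syslog(path)
    finally:
        os.remove(path)


if __name__ == "__main__":
    for offset, text in demo():
        print(f"{offset:#010x}  {text}")
```

Hash the image before and after carving to show the copy was not altered, and record the offsets alongside each recovered line.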