undelete files on ext4
My mother has placed some important files on her /tmp by accident. Now, of course, they are gone.
This happened yesterday (2 boots of the machine since)
I want to try to undelete the files. They were on /tmp, which was on the same partition as the rest of / , so I need a tool that runs on a mounted system (or maybe I could use a livecd ...)
Right now, I am trying testdisk on a systemrescuecd that I just downloaded. I can get some files from /tmp, but not all. (Is it the right tool? What exactly are those "red" files? Are only some of them recoverable?)
25 Answers
You can also use extundelete
First unmount (umount) the file system where the files have been deleted.
Then read the chapter What to do if you've deleted a file.
You can install extundelete from the classic Ubuntu repository:
sudo apt-get install extundelete
Or better, you can download the latest version and compile it:
cd ~/Download
tar -xf extundelete-*.*.*.tar.bz2 #Replace *.*.* by the version
cd extundelete-*.*.*
sudo apt-get install e2fslibs-dev #Required for compilation
./configure
make
sudo make install
extundelete --version #Should be your *.*.* version
Example of usage: restore all deleted files from directory Images into the newly created directory restore
sudo extundelete --restore-directory Images/ -o restore /dev/sda3
Bad news if you see your file XXXX within the following format:
Unable to restore inode NNN (Images/XXXX): Space has been reallocated.
See all restored files (look for your file):
find restore -name '*'
Back up your file(s) and remove this temporary directory restore
cp restore/Images/XXXX MY_BACKUP_DIRECTORY
sudo rm -rf restore
Data recovery, especially on EXT file systems, should be attempted from a live CD or other system that isn't depending on the partition you're undeleting from. Getting the disk unmounted or re-mounted as read only helps a great deal in the recovery effort.
Most of the time I try to create an image of the partition or disk using dd or a similar tool, so that I'm not working on the disk itself:
dd if=/dev/sd[xx] of=/media/backup_drive/recovery.img
Once you have your image, you can use a tool like ext3grep to try and find the files you're looking for. There are lots of different switches that you can try, but this might be a good start:
ext3grep --restore-file 'tmp/moms-file.txt' recovery.img
The ext3grep utility also provides several different ways to search through the file system if you don't know the name of the file. Check ext3grep --help for the various methods of searching.
I preferred to use ext4magic as:
sudo ext4magic /dev/sdc3 -r -f $USERl/Documents/ -d /tmp/local/tmp/
Note: you have to resolve symlinks on your own.
References:
AnalyzeEXT
Parse data blocks for EXT directory data.
Detailed documentation on EXT4 can be found here:
Download the perl script with
git clone
No guarantee but may be able to reconstruct deleted filesystems.
I could not recover my crontab file by using ext4magic or extundelete.
On Debian, the crontab for root is here:
/var/spool/cron/crontabs/root
But, by using the following command, I was able to at least manually recover my crontab from the logs.
grep CRON /var/log/syslog.* -i| awk -F " CMD " {'print $2;'} |sort | uniq
It will output only the executed cron jobs (no timings), but at least this is a lot more than starting from scratch.
If you don't remember how often certain cron jobs run, take a full log e.g. syslog.1 and this will give you the count for runs through the day:
grep CRON /var/log/syslog.1 -i| awk -F " CMD " {'print $2;'} |sort | uniq -c |sort -n
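The log-based approach in the answer above, extended as an added example (not code from the original answer) so that it also recovers the owning user and an estimate of the minute and hour fields. It assumes the traditional "Mon DD HH:MM:SS" syslog timestamp and Debian cron's "(user) CMD (command)" message format; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: estimate crontab schedules from syslog CRON lines.
# Assumptions: traditional "Mon DD HH:MM:SS" timestamps and Debian cron's
# "(user) CMD (command)" message format. Function names are hypothetical.

cron_schedule_from_syslog() {
    awk '
    / CRON\[[0-9]+\]: \([^)]*\) CMD \(/ {
        split($3, t, ":")                          # $3 is HH:MM:SS
        rest = substr($0, index($0, "]: (") + 4)   # "user) CMD (command)"
        e = index(rest, ") CMD (")
        cmd = substr(rest, e + 7)
        sub(/\)$/, "", cmd)                        # drop the closing parenthesis
        key = substr(rest, 1, e - 1) "\t" cmd      # user <TAB> command
        runs[key]++
        seen[key, "m", t[2] + 0] = 1               # minutes at which it fired
        seen[key, "h", t[1] + 0] = 1               # hours at which it fired
    }
    END {
        for (key in runs) {
            ml = hl = ""; mc = hc = 0
            for (m = 0; m < 60; m++) if ((key, "m", m) in seen) ml = ml (mc++ ? "," : "") m
            for (h = 0; h < 24; h++) if ((key, "h", h) in seen) hl = hl (hc++ ? "," : "") h
            if (mc == 60) ml = "*"
            if (hc == 24) hl = "*"
            # Day, month and weekday cannot be inferred here; "*" is a placeholder.
            printf "%s\t%d\t%s %s * * *\n", key, runs[key], ml, hl
        }
    }' | LC_ALL=C sort
}

sample_syslog() {   # constructed log lines, not real data
    cat <<'EOF'
Mar  3 00:00:01 host CRON[101]: (root) CMD (/usr/local/bin/backup.sh)
Mar  3 00:15:01 host CRON[102]: (root) CMD (/usr/local/bin/check.sh --quiet)
Mar  3 00:45:01 host CRON[103]: (root) CMD (/usr/local/bin/check.sh --quiet)
Mar  3 01:15:01 host CRON[104]: (root) CMD (/usr/local/bin/check.sh --quiet)
Mar  3 01:45:02 host CRON[105]: (root) CMD (/usr/local/bin/check.sh --quiet)
Mar  3 01:45:02 host CRON[106]: (www-data) CMD (php /srv/app/cron.php)
Mar  3 01:46:10 host sshd[107]: Accepted publickey for root
EOF
}

# Columns: user, command, run count, estimated "minute hour dom month dow"
sample_syslog | cron_schedule_from_syslog
```

On a real system, feed it the rotated logs instead of the sample, for example `cat /var/log/syslog.1 | cron_schedule_from_syslog`; the hour list only covers the period the log spans, so treat the schedule as an estimate.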