Tuesday, June 7, 2011

Undelete Files on an ext3 or ext4 File System


So you’ve been futzing round in the file system, and been over vigorous with the rm command and deleted a crucial file that you or (more scarily) a significant other, can’t live without. What to do? After that initial hot flush has died down, you must be calm, and work fast. You have three options:

if the file is still open in a running application

To be honest, I can’t imagine this happening a lot, but it’s possible. The scenario is this: you’re editing/using a file in an application, and whilst the application is still open, you delete the file. If this happens to you, then recovery of the file is pretty simple using a tool that should already be installed on your system. So:

step1:

Do not close any applications!

step2:

Open a terminal, and type:
lsof | grep "/path/to/file"
If the file is being used by a running application, then you should get something like this:
progname 5559 user 22r REG 8,5 1282410 1294349 /path/to/file
If you get no output, then the file isn’t being used by a running application, and you’ll need to use one of the other methods.

step3:

Looking at the output from step2, you’ll need the numbers from the 2nd and 4th column (ie. 5559 and 22r). With the second number, drop the “r” (leaving “22″). Now type the following command:
cp /proc/5559/fd/22 /path/to/restored.file
And voila, your file should be back in the form of /path/to/restored.file.
Easy.

using extundelete

Extundelete is a very useful little program for restoring deleted files. It should be able to restore files from ext2, ext3 and ext4 partitions. Restoring ext3 and ext4 is a very difficult process, because the journalling part of the file system deletes the information that points to where a file’s data is on the disk when it’s deleted, unlike the ext2 system, which leaves it in place. But fortunately for us, very often, that pointer information is still in the file system’s journal, and therefore this information can be used to find the data on the disk and restore it. So, with that said, on with the show.
First you’ll need to install extundelete. If your distro doesn’t have a pre-built package, then you’ll have to compile it from source. You can get the source from here. If you need help compiling a tarball, check out this page.

step1:

As soon as possible, you need to mount the relevant partition as read-only. The sooner you do this the better, so that there is no risk of another program writing data over the top of your recently deleted file. To do this, open a terminal, and type:
mount -o remount,ro /dev/partition
The partition will be something like /dev/sda2 or /dev/sdb1. You can find the relevant device by typing mount in a terminal. You’ll get an output like:
matt@mailserver:~$ mount
/dev/sdb1 on / type ext4 (rw,errors=remount-ro)
proc on /proc type proc (rw)
none on /sys type sysfs (rw,noexec,nosuid,nodev)
none on /sys/fs/fuse/connections type fusectl (rw)
none on /sys/kernel/debug type debugfs (rw)
none on /sys/kernel/security type securityfs (rw)
none on /dev type devtmpfs (rw,mode=0755)
none on /dev/pts type devpts (rw,noexec,nosuid,gid=5,mode=0620)
none on /dev/shm type tmpfs (rw,nosuid,nodev)
none on /var/run type tmpfs (rw,nosuid,mode=0755)
none on /var/lock type tmpfs (rw,noexec,nosuid,nodev)
none on /lib/init/rw type tmpfs (rw,nosuid,mode=0755)
none on /var/lib/ureadahead/debugfs type debugfs (rw,relatime)
/dev/sdc1 on /media/disk type vfat (rw,noexec,nosuid,nodev)
/dev/sdb2 on /home type ext3 (rw)
/dev/sda1 on /home/matt/storage type ext3 (rw)
/dev/sdd1 on /media/temp type vfat (rw)
/dev/sde1 on /media/disk1 type vfat (rw)
/dev/sdf1 on /media/disk2 type fuseblk (rw,nosuid,nodev,allow_other,blksize=4096)
So, if I want to make my /home partition read-only, it would be /dev/sdb2. Once you’ve mounted it read-only, you can relax a bit. At least you won’t be risking making the situation worse.

step2:

Now you can use the extundelete command to restore your file. extundelete can be used to restore all deleted files from a partition, or a specific file or directory. In this example we’ll just be restoring a specific file, but for more options, look here. To restore the deleted file, type the following into a terminal:
extundelete --restore-file /path/to/deleted/file

step3:

extundelete (if it works) should restore the file to a subdirectory in the current directory called RECOVERED_FILES. Voila – problem solved.

using photorec

If extundelete doesn’t work, then you can try photorec. Photorec works in a different way to extundelete. Instead of trying to find the information that points to where the deleted file data is on the disk, it tries to find the data by parsing the data itself to identify files. This method is less targeted than extundelete, but may still work if the information pointing to the file has been deleted from the journal. Photorec can find deleted files of a particular type. So if you’ve deleted a .mp3 file, you would get Photorec to find all deleted .mp3 files and hope that it finds the file you’re looking for. Photorec seems to be well supported on the main distros, so you should be able to find a package for easy install. So:

step1:

Rather than list the process in detail here, there is a very good explanation of the steps on the photorec wiki.
That’s it. Happy undeleting and remember prevention is always better than the cure. Backup.

1 comment:

  1. Paranoia may be negative, but it could actually arm you to prepare for the worse when it comes to your precious files. Deleted files are often a user's nightmare, and all the I-should've-backed-my-files tantrum gets wasted. There are thousands of file back-up methods available in the net today, and hell, they're for free! Sometimes, I don't get why people feel secure without any back-up technology...

    ReplyDelete