Monday, May 7, 2012

Linux debugfs Hack: Undelete Files

http://www.cyberciti.biz/tips/linux-ext3-ext4-deleted-files-recovery-howto.html


Undeletion means restoring files which have been deleted from Linux ext3 file system using rm command. Deleted files can be recovered on ext3 file systems using the debugfs program. This quick tutorial describes how to recover a file that was recently deleted using nothing but standard Linux command line utilities.

Only sys administrators and root user can view and recover the deleted files using debugfs command. You need to immediately unmount the file system the deleted file was located on to minimizes the risk that the data of the deleted file are overwritten by other users or system process.

A step-by-step guide for recovering files using debugfs

Create a text file called data.txt, enter:
echo 'This is a test' > data.txt
Display the index number (inode) of data.txt, enter:
ls -li data.txt
Sample outputs:
7536648 -rw-r--r-- 1 root root 15 May  3 12:40 data.txt
Please note down inode # 7536648. To find out the contents of the ext3 journal (block of data) using debugfs command. The syntax is as follows:
 
debugfs -w /dev/device/name/here
debugfs /dev/sda1
debugfs /dev/mapper/SysVolGroup-LogVolRoot
 
If your file system is on /dev/sda2, enter:
# debugfs -w /dev/sda2
If your file system is on /dev/mapper/wks01-root, enter:
# debugfs -w /dev/mapper/wks01-root
After some time, you will be presented with debugfs: prompt as follows:
debugfs 1.41.12 (17-May-2010)
debugfs:
Type the following command at debugfs: prompt to get block of data:
debugfs:  logdump -i <7536648>
Sample outputs:
Inode 7536648 is at group 230, block 7536642, offset 896
Journal starts at block 10875, transaction 38398034
  FS block 7536642 logged at sequence 38398245, journal block 12418
    (inode block for inode 7536648):
    Inode: 7536648   Type: regular        Mode:  0600   Flags: 0x0   Generation: 1050194965
    User:     0   Group:     0   Size: 0
    File ACL: 0    Directory ACL: 0
    Links: 0   Blockcount: 0
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x4fa249ab -- Thu May  3 04:02:35 2012
    atime: 0x4fa249ab -- Thu May  3 04:02:35 2012
    mtime: 0x4fa249ab -- Thu May  3 04:02:35 2012
    dtime: 0x4fa249ab -- Thu May  3 04:02:35 2012
    Blocks:
  FS block 7536642 logged at sequence 38398250, journal block 12537
    (inode block for inode 7536648):
    Inode: 7536648   Type: bad type        Mode:  0000   Flags: 0x0   Generation: 0
    User:     0   Group:     0   Size: 0
    File ACL: 0    Directory ACL: 0
    Links: 0   Blockcount: 0
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    Blocks:
  FS block 7536642 logged at sequence 38398253, journal block 12592
    (inode block for inode 7536648):
    Inode: 7536648   Type: bad type        Mode:  0000   Flags: 0x0   Generation: 0
    User:     0   Group:     0   Size: 0
    File ACL: 0    Directory ACL: 0
    Links: 0   Blockcount: 0
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    Blocks:
  FS block 7536642 logged at sequence 38398258, journal block 12711
    (inode block for inode 7536648):
    Inode: 7536648   Type: bad type        Mode:  0000   Flags: 0x0   Generation: 0
    User:     0   Group:     0   Size: 0
    File ACL: 0    Directory ACL: 0
    Links: 0   Blockcount: 0
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    Blocks:
  FS block 7536642 logged at sequence 38398261, journal block 12765
    (inode block for inode 7536648):
    Inode: 7536648   Type: bad type        Mode:  0000   Flags: 0x0   Generation: 0
    User:     0   Group:     0   Size: 0
    File ACL: 0    Directory ACL: 0
    Links: 0   Blockcount: 0
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    Blocks:
  FS block 7536642 logged at sequence 38398266, journal block 12855
    (inode block for inode 7536648):
    Inode: 7536648   Type: bad type        Mode:  0000   Flags: 0x0   Generation: 0
    User:     0   Group:     0   Size: 0
    File ACL: 0    Directory ACL: 0
    Links: 0   Blockcount: 0
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    Blocks:
  FS block 7536642 logged at sequence 38398270, journal block 12913
    (inode block for inode 7536648):
    Inode: 7536648   Type: bad type        Mode:  0000   Flags: 0x0   Generation: 0
    User:     0   Group:     0   Size: 0
    File ACL: 0    Directory ACL: 0
    Links: 0   Blockcount: 0
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    Blocks:
  FS block 7536642 logged at sequence 38398274, journal block 12981
    (inode block for inode 7536648):
    Inode: 7536648   Type: bad type        Mode:  0000   Flags: 0x0   Generation: 0
    User:     0   Group:     0   Size: 0
    File ACL: 0    Directory ACL: 0
    Links: 0   Blockcount: 0
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    Blocks:
  FS block 7536642 logged at sequence 38398276, journal block 13034
    (inode block for inode 7536648):
    Inode: 7536648   Type: bad type        Mode:  0000   Flags: 0x0   Generation: 0
    User:     0   Group:     0   Size: 0
    File ACL: 0    Directory ACL: 0
    Links: 0   Blockcount: 0
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    Blocks:
  FS block 7536642 logged at sequence 38398280, journal block 13190
    (inode block for inode 7536648):
    Inode: 7536648   Type: bad type        Mode:  0000   Flags: 0x0   Generation: 0
    User:     0   Group:     0   Size: 0
    File ACL: 0    Directory ACL: 0
    Links: 0   Blockcount: 0
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    Blocks:
  FS block 7536642 logged at sequence 38398285, journal block 13252
    (inode block for inode 7536648):
    Inode: 7536648   Type: bad type        Mode:  0000   Flags: 0x0   Generation: 0
    User:     0   Group:     0   Size: 0
    File ACL: 0    Directory ACL: 0
    Links: 0   Blockcount: 0
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    Blocks:
  FS block 7536642 logged at sequence 38398287, journal block 13302
    (inode block for inode 7536648):
    Inode: 7536648   Type: bad type        Mode:  0000   Flags: 0x0   Generation: 0
    User:     0   Group:     0   Size: 0
    File ACL: 0    Directory ACL: 0
    Links: 0   Blockcount: 0
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    Blocks:
  FS block 7536642 logged at sequence 38398290, journal block 13355
    (inode block for inode 7536648):
    Inode: 7536648   Type: bad type        Mode:  0000   Flags: 0x0   Generation: 0
    User:     0   Group:     0   Size: 0
    File ACL: 0    Directory ACL: 0
    Links: 0   Blockcount: 0
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    Blocks:
  FS block 7536642 logged at sequence 38398293, journal block 13409
    (inode block for inode 7536648):
    Inode: 7536648   Type: bad type        Mode:  0000   Flags: 0x0   Generation: 0
    User:     0   Group:     0   Size: 0
    File ACL: 0    Directory ACL: 0
    Links: 0   Blockcount: 0
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    Blocks:
  FS block 7536642 logged at sequence 38398298, journal block 13471
    (inode block for inode 7536648):
    Inode: 7536648   Type: bad type        Mode:  0000   Flags: 0x0   Generation: 0
    User:     0   Group:     0   Size: 0
    File ACL: 0    Directory ACL: 0
    Links: 0   Blockcount: 0
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    Blocks:
  FS block 7536642 logged at sequence 38398302, journal block 13604
    (inode block for inode 7536648):
    Inode: 7536648   Type: bad type        Mode:  0000   Flags: 0x0   Generation: 0
    User:     0   Group:     0   Size: 0
    File ACL: 0    Directory ACL: 0
    Links: 0   Blockcount: 0
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    Blocks:
  FS block 7536642 logged at sequence 38398307, journal block 13700
    (inode block for inode 7536648):
    Inode: 7536648   Type: bad type        Mode:  0000   Flags: 0x0   Generation: 0
    User:     0   Group:     0   Size: 0
    File ACL: 0    Directory ACL: 0
    Links: 0   Blockcount: 0
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    Blocks:
  FS block 7536642 logged at sequence 38398311, journal block 13756
    (inode block for inode 7536648):
    Inode: 7536648   Type: bad type        Mode:  0000   Flags: 0x0   Generation: 0
    User:     0   Group:     0   Size: 0
    File ACL: 0    Directory ACL: 0
    Links: 0   Blockcount: 0
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    Blocks:
  FS block 7536642 logged at sequence 38398314, journal block 13809
    (inode block for inode 7536648):
    Inode: 7536648   Type: bad type        Mode:  0000   Flags: 0x0   Generation: 0
    User:     0   Group:     0   Size: 0
    File ACL: 0    Directory ACL: 0
    Links: 0   Blockcount: 0
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    Blocks:
  FS block 7536642 logged at sequence 38398317, journal block 13864
    (inode block for inode 7536648):
    Inode: 7536648   Type: bad type        Mode:  0000   Flags: 0x0   Generation: 0
    User:     0   Group:     0   Size: 0
    File ACL: 0    Directory ACL: 0
    Links: 0   Blockcount: 0
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    Blocks:
  FS block 7536642 logged at sequence 38398320, journal block 13921
    (inode block for inode 7536648):
    Inode: 7536648   Type: bad type        Mode:  0000   Flags: 0x0   Generation: 0
    User:     0   Group:     0   Size: 0
    File ACL: 0    Directory ACL: 0
    Links: 0   Blockcount: 0
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    Blocks:
  FS block 7536642 logged at sequence 38398325, journal block 13980
    (inode block for inode 7536648):
    Inode: 7536648   Type: bad type        Mode:  0000   Flags: 0x0   Generation: 0
    User:     0   Group:     0   Size: 0
    File ACL: 0    Directory ACL: 0
    Links: 0   Blockcount: 0
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    Blocks:
  FS block 7536642 logged at sequence 38401277, journal block 23924
    (inode block for inode 7536648):
    Inode: 7536648   Type: bad type        Mode:  0000   Flags: 0x0   Generation: 0
    User:     0   Group:     0   Size: 0
    File ACL: 0    Directory ACL: 0
    Links: 0   Blockcount: 0
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    Blocks:
  FS block 7536642 logged at sequence 38401314, journal block 24107
    (inode block for inode 7536648):
    Inode: 7536648   Type: bad type        Mode:  0000   Flags: 0x0   Generation: 0
    User:     0   Group:     0   Size: 0
    File ACL: 0    Directory ACL: 0
    Links: 0   Blockcount: 0
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    Blocks:
  FS block 7536642 logged at sequence 38401325, journal block 24146
    (inode block for inode 7536648):
    Inode: 7536648   Type: regular        Mode:  0644   Flags: 0x0   Generation: 1050269005
    User:     0   Group:     0   Size: 15
    File ACL: 0    Directory ACL: 0
    Links: 1   Blockcount: 8
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x4fa2c307 -- Thu May  3 12:40:23 2012
    atime: 0x4fa2c307 -- Thu May  3 12:40:23 2012
    mtime: 0x4fa2c307 -- Thu May  3 12:40:23 2012
    Blocks:  (0+1): 7559168
Found sequence 38395723 (not 38401480) at block 24688: end of journal.
Please note down Blocks: (0+1): 7559168 line. Type the following command to remove data.txt file, enter:
rm data.txt
ls data.txt

Sample outputs:
ls: cannot access data.txt: No such file or directory
To recover file, enter:
# dd if=/dev/mapper/wks01-root of=data.txt bs=4096 count=1 skip=7559168
Sample outputs:
1+0 records in
1+0 records out
4096 bytes (4.1 kB) copied, 0.010884 seconds, 376 kB/s
Verify that data is recovered, enter:
cat data.txt
Sample outputs:
This is a test

Howto: Recover a file when you don't know inode number

Delete a file called 521.sh:
rm 521.sh
Type the following command:
# debugfs -w /dev/mapper/wks01-root
At debugfs: prompt type lsdel command:
debugfs: lsdel
Sample outputs:
 Inode  Owner  Mode    Size    Blocks   Time deleted
23601299      0 120777      3    1/   1 Tue Mar 13 16:17:30 2012
7536655      0 120777      3    1/   1 Tue May  1 06:21:22 2012
2 deleted inodes found.
Get block data, enter:
debugfs: logdump -i <7536655>
Sample outputs:
Inode 7536655 is at group 230, block 7536642, offset 1792
Journal starts at block 10875, transaction 38398034
  FS block 7536642 logged at sequence 38398245, journal block 12418
    (inode block for inode 7536655):
    Inode: 7536655   Type: symlink        Mode:  0777   Flags: 0x0   Generation: 3532221116
    User:     0   Group:     0   Size: 3
    File ACL: 0    Directory ACL: 0
    Links: 0   Blockcount: 0
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x4f9fc732 -- Tue May  1 06:21:22 2012
    atime: 0x4f9fc730 -- Tue May  1 06:21:20 2012
    mtime: 0x4f9fc72f -- Tue May  1 06:21:19 2012
    dtime: 0x4f9fc732 -- Tue May  1 06:21:22 2012
    Fast_link_dest: bin
    Blocks:  (0+1): 7235938
  FS block 7536642 logged at sequence 38398250, journal block 12537
    (inode block for inode 7536655):
    Inode: 7536655   Type: symlink        Mode:  0777   Flags: 0x0   Generation: 3532221116
    User:     0   Group:     0   Size: 3
    File ACL: 0    Directory ACL: 0
    Links: 0   Blockcount: 0
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x4f9fc732 -- Tue May  1 06:21:22 2012
    atime: 0x4f9fc730 -- Tue May  1 06:21:20 2012
    mtime: 0x4f9fc72f -- Tue May  1 06:21:19 2012
    dtime: 0x4f9fc732 -- Tue May  1 06:21:22 2012
    Fast_link_dest: bin
    Blocks:  (0+1): 7235938
  FS block 7536642 logged at sequence 38398253, journal block 12592
    (inode block for inode 7536655):
    Inode: 7536655   Type: symlink        Mode:  0777   Flags: 0x0   Generation: 3532221116
    User:     0   Group:     0   Size: 3
    File ACL: 0    Directory ACL: 0
    Links: 0   Blockcount: 0
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x4f9fc732 -- Tue May  1 06:21:22 2012
    atime: 0x4f9fc730 -- Tue May  1 06:21:20 2012
    mtime: 0x4f9fc72f -- Tue May  1 06:21:19 2012
    dtime: 0x4f9fc732 -- Tue May  1 06:21:22 2012
    Fast_link_dest: bin
    Blocks:  (0+1): 7235938
...
...
....
output truncated
    Fast_link_dest: bin
    Blocks:  (0+1): 7235938
  FS block 7536642 logged at sequence 38402086, journal block 26711
    (inode block for inode 7536655):
    Inode: 7536655   Type: symlink        Mode:  0777   Flags: 0x0   Generation: 3532221116
    User:     0   Group:     0   Size: 3
    File ACL: 0    Directory ACL: 0
    Links: 0   Blockcount: 0
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x4f9fc732 -- Tue May  1 06:21:22 2012
    atime: 0x4f9fc730 -- Tue May  1 06:21:20 2012
    mtime: 0x4f9fc72f -- Tue May  1 06:21:19 2012
    dtime: 0x4f9fc732 -- Tue May  1 06:21:22 2012
    Fast_link_dest: bin
    Blocks:  (0+1): 7235938
No magic number at block 28053: end of journal.
Type the following command:
# dd if=/dev/mapper/wks01-root of=recovered.file.001 bs=4096 count=1 skip=7235938
# file recovered.file.001

Sample outputs:
file: ASCII text, with very long lines
View file, enter:
# more recovered.file.001

A note about easy to use tool called photorec

Now, you know basic hacks for recovering files under ext3 or ext4. However, I strongly recommend that you make backups. It cannot be stressed enough how important it is to make a backup. Another, option is PhotoRec software. It is file data recovery software designed to recover lost files including video, documents and archives from hard disks, CD-ROMs, and lost pictures from digital camera memory. PhotoRec ignores the file system and goes after the underlying data, so it will still work even if your media's file system has been severely damaged or reformatted. PhotoRec is free - this open source multi-platform application is distributed under GNU General Public License (GPLV v2+). PhotoRec is a companion program to TestDisk, an app for recovering lost partitions on a wide variety of file systems and making non-bootable disks bootable again. You can download them from this link. You can install testdisk using the following apt-get command or yum command:
# yum install testdisk
OR
# apt-get install testdisk
To recover files simply type:
# photorec
Stay tuned, for more information on photorec and testdisk data recovery tools. I recommend that you view the manual page on debugfs using the following command for more information:
$ man debugfs

No comments:

Post a Comment

Post a Comment