undelete files on ext4

ext4 undelete

My mother has placed some important files on her /tmp per accident. Now, of course, they are gone.

This happened yesterday (2 boots of the machine since)

I want to try to undelete the files. They were on /tmp, which was on the same partition as the rest of / , so I need a tool that runs on a mounted system (or maybe I could use a livecd ...)

Right now, I am trying testdisk on a systemrescuecd that I just downloaded. I can get some files from /tmp, but not all. (is it the right tool ? What exactly are those "red" files ? are only some of them recoverable ?)


You can also use extundelete

First unmount (umount) the file system where the files have been deleted.
Then read the chapter What to do if you've deleted a file.

You can install extundelete from classic Ubuntu repository:

sudo apt-get install extundelete

Or better, you can download the latest version and compile it:

cd ~/Download
tar -xf extundelete-*.*.*-.tar.bz2  #Replace *.*.* by the version
cd      extundelete-*.*.*
sudo apt-get install e2fslibs-dev   #Required for compilation
./configure
make
sudo make install
extundelete --version               #Should be your *.*.* version

Example of usage: restore all deleted files from directory Images into new created directory restore

sudo extundelete --restore-directory Images/ -o restore /dev/sda3

Bad news if you see your file XXXX within the following format:

Unable to restore inode NNN (Images/XXXX): Space has been reallocated.

See all restored files (look for your file): 

find restore -name '*'

Backup your file(s) and remove this temporary directory restore

cp restore/Images/XXXX MY_BACKUP_DIRECTORY
sudo rm -rf restore

Data recovery, especially on EXT file systems, should be attempted from a live CD or other system that isn't depending on the partition you're undeleting from. Getting the disk unmounted or re-mounted as read only helps a great deal in the recovery effort.

Most of the time I try to create an image of the partition or disk using dd or a similar tool, so that I'm not working on the disk itself:

dd if=/dev/sd[xx] of=/media/backup_drive/recovery.img

Once you have your image, you can use a tool like ext3grep to try and find the files you're looking for. There are lots of different switches that you can try, but this might be a good start:

ext3grep --restore-file 'tmp/moms-file.txt' recovery.img

The ext3grep utility also provides several different ways to search through the file system if you don't know the name of the file. Check ext3grep --help for the various methods of searching.


I prefered to use ext4magic as :

sudo ext4magic  /dev/sdc3 -r -f $USERl/Documents/ -d /tmp/local/tmp/

Note you have to resolv symlink by your own

References:

http://ext4magic.sourceforge.net/howto_en.html

http://sourceforge.net/projects/ext4magic/

http://rzr.online.fr/q/recover


AnalyzeEXT

Parse data blocks for EXT directory data.

Detailed documentation on EXT4 can be found here:

  • https://ext4.wiki.kernel.org/index.php/Ext4_Disk_Layout
  • https://digital-forensics.sans.org/blog/tags/ext4

Download the perl script with

git clone https://github.com/halpomeranz/analyzeEXT

No guarantee but may be able to reconstruct deleted filesystems.

Related

How do I edit applications panel menu in Lubuntu?
Can't connect to any wireless connection after updating
My program cannot run with "command not found" error
How to run a command or script at screen lock/unlock?
Upgraded to 18.04 and now have many broken packages and unmet dependencies
How to make a shell file execute by double click [duplicate]
How do I configure Ubuntu for a 21:9 screen?
What are directories, if everything on Linux is a file?
What does "pts/" in the output of w mean?
Where can I get themes and eye-candy for my desktop?
Network manager indicator missing
What do the different Boot Options mean? (i.e. acpi=off, noapic, nolapic, etc)