undelete files on ext4
Solution 1
You can also use extundelete
First unmount (umount) the file system where the files have been deleted.
Then read the chapter What to do if you've deleted a file.
You can install extundelete from classic Ubuntu repository:
sudo apt-get install extundelete
Or better, you can download the latest version and compile it:
cd ~/Download
tar -xf extundelete-*.*.*-.tar.bz2 #Replace *.*.* by the version
cd extundelete-*.*.*
sudo apt-get install e2fslibs-dev #Required for compilation
./configure
make
sudo make install
extundelete --version #Should be your *.*.* version
Example of usage: restore all deleted files from directory Images into new created directory restore
sudo extundelete --restore-directory Images/ -o restore /dev/sda3
Bad news if you see your file XXXX within the following format:
Unable to restore inode NNN (Images/XXXX): Space has been reallocated.
See all restored files (look for your file):
find restore -name '*'
Backup your file(s) and remove this temporary directory restore
cp restore/Images/XXXX MY_BACKUP_DIRECTORY
sudo rm -rf restore
Solution 2
Data recovery, especially on EXT file systems, should be attempted from a live CD or other system that isn't depending on the partition you're undeleting from. Getting the disk unmounted or re-mounted as read only helps a great deal in the recovery effort.
Most of the time I try to create an image of the partition or disk using dd or a similar tool, so that I'm not working on the disk itself:
dd if=/dev/sd[xx] of=/media/backup_drive/recovery.img
Once you have your image, you can use a tool like ext3grep to try and find the files you're looking for. There are lots of different switches that you can try, but this might be a good start:
ext3grep --restore-file 'tmp/moms-file.txt' recovery.img
The ext3grep utility also provides several different ways to search through the file system if you don't know the name of the file. Check ext3grep --help for the various methods of searching.
Solution 3
I prefered to use ext4magic as :
sudo ext4magic /dev/sdc3 -r -f $USERl/Documents/ -d /tmp/local/tmp/
Note you have to resolv symlink by your own
References:
http://ext4magic.sourceforge.net/howto_en.html
http://sourceforge.net/projects/ext4magic/
http://rzr.online.fr/q/recover
Solution 4
AnalyzeEXT
Parse data blocks for EXT directory data.
Detailed documentation on EXT4 can be found here:
- https://ext4.wiki.kernel.org/index.php/Ext4_Disk_Layout
- https://digital-forensics.sans.org/blog/tags/ext4
Download the perl script with
git clone https://github.com/halpomeranz/analyzeEXT
No guarantee but may be able to reconstruct deleted filesystems.
Related videos on Youtube
02 : 22
12 : 20
02 : 53
![How-to recover deleted files EXT3 and EXT4 [HD]](https://i.ytimg.com/vi/B9Wc8kSz-uw/hq720.jpg?sqp=-oaymwEcCNAFEJQDSFXyq4qpAw4IARUAAIhCGAFwAcABBg==&rs=AOn4CLC5Ahvt8duXp0aV9bLKj50UfhjkaQ)
03 : 34
01 : 30
josinalvo
Updated on September 18, 2022Comments
-
josinalvo over 1 year
My mother has placed some important files on her /tmp per accident. Now, of course, they are gone.
This happened yesterday (2 boots of the machine since)
I want to try to undelete the files. They were on /tmp, which was on the same partition as the rest of / , so I need a tool that runs on a mounted system (or maybe I could use a livecd ...)
Right now, I am trying testdisk on a systemrescuecd that I just downloaded. I can get some files from /tmp, but not all. (is it the right tool ? What exactly are those "red" files ? are only some of them recoverable ?)
-
0xC0000022L almost 4 yearsThe best solution is probably a backup and the next best solution for someone who is technically less apt than you perhaps
btrfswith frequent snapshots. Packages likerestic,rdiff-backup,duplicityorbackintime-qtmay also be of interest. None of this is going to help you in retrospect, but perhaps this comment helps future visitors. -
Vorac over 3 yearsFor me
extundeletesegments, whiletestdiskwhips out a list of differences. Now to see if it can get the files back.
-
-
saji89 over 11 yearsIt would be nice, if you could add the exact steps?
-
prathvi over 11 years@saji89 Added a sample usage - also fixed to link to the right utility!
-
josinalvo over 11 yearsnice. now ... does it work with ext4 ?
-
prathvi over 11 years@josinalvo I was working with an EXT4 volume when I tried it, and it did work; it didn't find the files I was looking for, but I think I had missed the window of opportunity.
-
Twifty over 6 yearsThis answer has literally just saved my job. Thankyou.
-
wjandrea over 5 yearsWhat is this tool exactly? How do you use it? I've read the repo description and the help message in the script, but there's not much detail. -
abu_bua over 5 yearsTook a look at the perl script; the cli help doesn't match with the script! -
jouell over 5 yearsMore details are here. I stumbled up on it - never used it! youtube.com/watch?v=6pzm6909IvY
-
wjandrea over 5 years@jouell I've watched 2:30 of the video and he hasn't mentioned the script yet. Could you edit your answer to add a brief summary?
-
Onza over 2 yearsI get segmentation fault, core dumped.
