Unix/Linux undelete/recover deleted files

  • Is there a command to recover/undelete files deleted by rm?

    $ rm -rf /path/to/myfile

    How can I recover myfile? If there is such a tool how can I use it?

    Before you do anything, mount the filesystem read-only to make sure the data is not overwritten. Also, take a look at this post: http://superuser.com/questions/170857/ext4-undelete-utilities.

    @EvanTeitelman you mean remounting read-only is better than trying to recover the file while it is unmounted? By the way, the midnightcommander (mc) way suggests unmounting: http://www.datarecoverypros.com/recover-linux-midnightcommander.html

  • slm (Correct answer)

    7 years ago

    The link someone provided in the comments is likely your best chance.

    Linux debugfs Hack: Undelete Files

    That write-up, though it looks a little intimidating, is actually fairly straightforward to follow. In general the steps are as follows:

    1. Use debugfs to view a filesystem's log

      $ debugfs -w /dev/mapper/wks01-root
    2. At the debugfs prompt

      debugfs: lsdel
    3. Sample output

      Inode  Owner  Mode    Size    Blocks   Time deleted
      23601299      0 120777      3    1/   1 Tue Mar 13 16:17:30 2012
      7536655      0 120777      3    1/   1 Tue May  1 06:21:22 2012
      2 deleted inodes found.
    4. Run the command in debugfs

      debugfs: logdump -i <7536655>
    5. Determine the file's inode

      output truncated
          Fast_link_dest: bin
          Blocks:  (0+1): 7235938
        FS block 7536642 logged at sequence 38402086, journal block 26711
          (inode block for inode 7536655):
          Inode: 7536655   Type: symlink        Mode:  0777   Flags: 0x0   Generation: 3532221116
          User:     0   Group:     0   Size: 3
          File ACL: 0    Directory ACL: 0
          Links: 0   Blockcount: 0
          Fragment:  Address: 0    Number: 0    Size: 0
          ctime: 0x4f9fc732 -- Tue May  1 06:21:22 2012
          atime: 0x4f9fc730 -- Tue May  1 06:21:20 2012
          mtime: 0x4f9fc72f -- Tue May  1 06:21:19 2012
          dtime: 0x4f9fc732 -- Tue May  1 06:21:22 2012
          Fast_link_dest: bin
          Blocks:  (0+1): 7235938
      No magic number at block 28053: end of journal.
    6. With the above inode info run the following commands

      # dd if=/dev/mapper/wks01-root of=recovered.file.001 bs=4096 count=1 skip=7235938
      # file recovered.file.001
      file: ASCII text, with very long lines

    The file's been recovered to recovered.file.001.

    Other options

    If the above isn't for you, I've used tools such as photorec to recover files in the past, but it's geared for image files only. I've written about this method extensively on my blog in this article titled:

    How to Recover Corrupt jpeg and mov Files from a Digital Camera's SDD Card on Fedora/CentOS/RHEL.

    I tried with `debugfs -w /dev/sdb2` but `lsdel` says: `0 deleted inodes found.`

    It's working, but only sometimes.

    Using `extundelete` is easier for ext3/4 and would probably lead to the same results.

    this worked to recover a file, but I received ��@y��U���T6 �Ԝ��*e�0�� ��v'���T�0�<#selinuxsystem_u:object_r:rpm_var_lib_t:s0��}y��U���T6..... trying conv=ascii, conv=ibm, and conv=ebcdic yields same problem

    lsdel: Filesystem not open, how to resolve it?

    @wangyiran - if you have a new Q I encourage you to ask it.

    photorec currently can recover at least 483 different file types, including lots of archives, office-type files, and many "miscellaneous" files, and you can add your own "custom signatures" too. It's apparently changed a lot since it was a photos-only recovery program.

    In photorec (from package testdisk) you can set the extensions of files that you want to recover. It is not using any kind of inode data, it's totally raw and is not comparable to what extundelete does. Both are good pieces of software.

    I get `/dev/mapper/wks01-root: No such file or directory while opening filesystem` Where did you get this `/dev/mapper/wks01-root` from?

    @marko I don't remember, but I think that it's an example of an LVM logical volume. That's the root volume.

    I get this output: https://pastebin.com/jv7wfGJ9 What number must I put for the `skip` parameter of `dd`, and what's the logic?

    `lsdel` is showing me some files deleted months ago?

    `debugfs` does NOT work on ext4 journal systems using Ubuntu 18.04 LTS.
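
The logic behind step 6 of the answer, and behind the comment asking what to pass to `skip`, shown as an added example that is not part of the original answer or comments: `dd` counts `skip` in units of `bs`, so the block number from the `Blocks:` line is the `skip` value when `bs` is the filesystem block size. `carve_blocks` and `make_sample_image` are hypothetical helper names, and the 512-byte-block image is constructed for the demonstration.

```shell
#!/bin/sh
# Added example; carve_blocks and make_sample_image are hypothetical helpers.
#
# carve_blocks SRC OUT BLOCK_SIZE FILE_SIZE START:COUNT [START:COUNT ...]
#   SRC         device or image to read from (never written to)
#   BLOCK_SIZE  filesystem block size ("Block size" in tune2fs -l output)
#   FILE_SIZE   "Size:" from the inode dump, or 0 to keep whole blocks
#   START:COUNT first filesystem block of a run and its length in blocks
# The answer's step 6 corresponds to:
#   carve_blocks /dev/mapper/wks01-root recovered.file.001 4096 0 7235938:1
carve_blocks() {
    src=$1 out=$2 bs=$3 size=$4
    shift 4
    : > "$out" || return 1
    for range in "$@"; do
        start=${range%%:*}
        count=${range#*:}
        # dd counts skip= in units of bs=, so reading starts at byte
        # offset start * bs. bs must therefore equal the fs block size.
        dd if="$src" bs="$bs" skip="$start" count="$count" \
            2>/dev/null >> "$out" || return 1
    done
    # Whole blocks were copied; drop the slack after the file's last byte.
    if [ "$size" -gt 0 ]; then
        head -c "$size" "$out" > "$out.tmp" && mv "$out.tmp" "$out"
    fi
}

# Build a constructed 8-block test image: block 0 is all 'A', block 1 'B', ...
make_sample_image() {
    img=$1 img_bs=$2
    : > "$img"
    for letter in A B C D E F G H; do
        dd if=/dev/zero bs="$img_bs" count=1 2>/dev/null |
            tr '\0' "$letter" >> "$img"
    done
}

# Demo: block 2 holds 'C', so a 3-byte file stored there comes back as CCC.
demo_dir=$(mktemp -d)
make_sample_image "$demo_dir/disk.img" 512
carve_blocks "$demo_dir/disk.img" "$demo_dir/recovered" 512 3 2:1
cat "$demo_dir/recovered"; echo
rm -rf "$demo_dir"
```

Write OUT to a filesystem other than the one being recovered, so the carve does not overwrite the blocks it is trying to read.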

Licensed under CC-BY-SA with attribution

Content dated before 6/26/2020 9:53 AM