Unix/Linux undelete/recover deleted files
Is there a command to recover/undelete deleted files by
$ rm -rf /path/to/myfile
How can I recover `myfile`? If there is such a tool how can I use it?
Before you do anything, mount the filesystem read-only to make sure the data is not overwritten. Also, take a look at this post: http://superuser.com/questions/170857/ext4-undelete-utilities.
@EvanTeitelman You mean remounting read-only is better than trying to recover the file while it is unmounted? By the way, the Midnight Commander (mc) way suggests unmounting: http://www.datarecoverypros.com/recover-linux-midnightcommander.html
The link someone provided in the comments is likely your best chance.
That write-up, though it looks a little intimidating, is actually fairly straightforward to follow. In general the steps are as follows:
Use debugfs to view a filesystem's log
$ debugfs -w /dev/mapper/wks01-root
At the debugfs prompt
   Inode  Owner  Mode    Size    Blocks   Time deleted
23601299      0 120777      3    1/   1 Tue Mar 13 16:17:30 2012
 7536655      0 120777      3    1/   1 Tue May  1 06:21:22 2012
2 deleted inodes found.
Run the command in debugfs
debugfs: logdump -i <7536655>
Determine the file's inode
... ... .... output truncated
    Fast_link_dest: bin
    Blocks:  (0+1): 7235938
  FS block 7536642 logged at sequence 38402086, journal block 26711
    (inode block for inode 7536655):
    Inode: 7536655   Type: symlink   Mode:  0777   Flags: 0x0   Generation: 3532221116
    User:     0   Group:     0   Size: 3
    File ACL: 0    Directory ACL: 0
    Links: 0   Blockcount: 0
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x4f9fc732 -- Tue May  1 06:21:22 2012
    atime: 0x4f9fc730 -- Tue May  1 06:21:20 2012
    mtime: 0x4f9fc72f -- Tue May  1 06:21:19 2012
    dtime: 0x4f9fc732 -- Tue May  1 06:21:22 2012
    Fast_link_dest: bin
    Blocks:  (0+1): 7235938
No magic number at block 28053: end of journal.
With the above inode info run the following commands
# dd if=/dev/mapper/wks01-root of=recovered.file.001 bs=4096 count=1 skip=7235938
# file recovered.file.001
file: ASCII text, with very long lines
Files been recovered to
If the above isn't for you I've used tools such as `photorec` to recover files in the past, but it's geared for image files only. I've written about this method extensively on my blog in this article titled:
Using `extundelete` is easier for ext3/4 and would probably lead to the same results.
this worked to recover a file, but I received ��@y��U���T6 �Ԝ��*e�0�� ��v'���T�0�<#selinuxsystem_u:object_r:rpm_var_lib_t:s0��}y��U���T6..... trying conv=ascii, conv=ibm, and conv=ebcdic yields same problem
photorec currently can recover at least 483 different file types, including lots of archives, office-type files, and many "miscellaneous" files, and you can add your own "custom signatures" too. It's apparently changed a lot since it was a photos-only recovery program.
In photorec (from package testdisk) you can set the extensions of the files that you want to recover. It is not using any kind of inode data; it's totally raw and is not comparable to what extundelete does. Both are good pieces of software.
I get `/dev/mapper/wks01-root: No such file or directory while opening filesystem` Where did you get this `/dev/mapper/wks01-root` from?
@marko I don't remember, but I think that it's an example of an LVM logical volume. That's the root volume.
I get this output: https://pastebin.com/jv7wfGJ9 What number must I put to `skip` parameter of `dd` and what's the logic?
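The logic behind the `dd` parameters asked about in the last comment, as an added example that is not part of the original answer or thread: `skip` is the filesystem block number taken from the `Blocks:` line, `bs` is the filesystem block size, and `count` is the length of the run. `plan_dd` and `sample_logdump` are hypothetical names, the first sample record is constructed, and the reading of `(A+B): C` is an assumption based on the output shown above.

```sh
#!/bin/sh
# Added example: turn debugfs "logdump -i" inode records into a dd plan.
# It only prints commands; nothing is read from or written to the device.
# Assumption: "(A+B): C" means B blocks starting at filesystem block C,
# placed at logical block A of the file (the page shows "(0+1): 7235938").
# bs must be the filesystem block size ("Block size:" in dumpe2fs -h).

plan_dd() {  # usage: plan_dd DEVICE BLOCK_SIZE OUTFILE < logdump.txt
    awk -v dev="$1" -v bs="$2" -v out="$3" '
    /Inode:/ && /Type:/ { fast = 0; size = "" }   # a new inode record starts
    /User:/ && /Size:/  { size = $0; sub(/.*Size: */, "", size); sub(/[^0-9].*/, "", size) }
    # A fast symlink keeps its target inside the inode block array, so the
    # number after "Blocks:" is that string read as an integer, not a block
    # (7235938 is 0x6E6962, the bytes "bin").
    /Fast_link_dest:/   { fast = 1 }
    /Blocks:/ {
        if (fast) { print "# skipped: fast symlink, no data block"; next }
        line = $0; runs = 0
        while (match(line, /[(][0-9]+[+][0-9]+[)]: *[0-9]+/)) {
            split(substr(line, RSTART, RLENGTH), p, /[^0-9]+/)
            printf "dd if=%s of=%s bs=%s skip=%s count=%s seek=%s conv=notrunc\n",
                   dev, out, bs, p[4], p[3], p[2]
            line = substr(line, RSTART + RLENGTH); runs++
        }
        # dd copies whole blocks; trim the slack after the last byte.
        if (runs && size != "") printf "truncate -s %s %s\n", size, out
    }'
}

sample_logdump() {  # record 1 is constructed; record 2 is the one shown on the page
cat <<'EOF'
    Inode: 1234   Type: regular   Mode:  0644   Flags: 0x0
    User:     0   Group:     0   Size: 9000
    Blocks:  (0+2): 5000 (2+1): 7000
    Inode: 7536655   Type: symlink   Mode:  0777   Flags: 0x0
    User:     0   Group:     0   Size: 3
    Fast_link_dest: bin
    Blocks:  (0+1): 7235938
EOF
}

sample_logdump | plan_dd /dev/mapper/wks01-root 4096 recovered.file.001
```

Review the printed plan before running any of it, and write the output file to a different filesystem than the one being recovered.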