Recovering deleted files on an ext3 filesystem in Linux
I've recently deleted a file by mistake on my Debian Linux box. I did quite a bit of research on possible ways to recover my lost .odt file.
I've tried various approaches using different tools. The most straightforward way to recover plain text data is to simply run the grep command over the partition where the recently deleted file resided.
I used egrep and was able to find the inode pointers of the deleted files using the command:
debian:~# egrep -b -o --binary-files=text "meta:creation-date.*meta:creation-date" < /dev/sda5
In the above example /dev/sda5 was my ext3 partition.
Though this command presented me with inode numbers where I could look up the files, I was not able to find a good straightforward way to retrieve the information contained in those inodes.
However, before using grep to recover anything on your partition, it is advisable to switch to another system runlevel (init level).
Best practice after you realize you have mistakenly deleted a file is to switch to init 1 and unmount the partition which previously contained the recently deleted file, so that no further writes overwrite its blocks.
To do so, issue the init command to enter runlevel 1:
debian:~# init 1
The next step is to use the traditional Unix way of recovering raw portions of data from your partition.
For instance, if you want to recover a text file containing the text Assignment, run the following grep:
grep -i -a -B10 -A100 'Assignment' /dev/sda5 > /root/file.txt
The above command will recover everything found on /dev/sda5 that contains the word Assignment (matched case-insensitively): everywhere Assignment is matched, the data 10 lines before the word itself and 100 lines after the grep keyword will be written to /root/file.txt.
Though this is helpful for recovering simple text files or messages that were wiped out, it is completely unusable for retrieving binary file data.
If you're only trying to recover plain text sentences which contain a certain keyword, let's say payments, you might once again execute grep in the following way:
grep -b 'payments' /dev/sda5 > /root/file.txt
Be aware that the file created by this binary grep will contain a lot of bulk data, and you will have to spend time sorting out exactly which parts of the data are the ones you are interested in. This is really inconvenient and time consuming, but it is still a workable way.
For binary files you have the option to use foremost.
Foremost is said to be able to recover a certain range of binary formats; however, a really serious limitation is that it only gives you the option to recover the following file formats:
jpg gif png bmp avi exe mpg wav riff wmv mov pdf ole doc zip rar htm cpp
foremost should also be able to recover all of the aforementioned formats at once.
To start using the program on Debian to recover your deleted files you can simply install the software, which is already available as a Debian package:
debian:~# apt-get install foremost
To start using the program right away you will need to execute something similar to:
debian:~# foremost -i /dev/sda5 -t doc -o /root/foremost
Again, in the above command line /dev/sda5 is the device where you will be looking for your lost files, the -t argument tells foremost the exact file type you're looking for, and the -o switch instructs it where to save the found files.
Nevertheless, my personal experience with foremost wasn't good. I tried to recover just a recently deleted .doc file. What foremost recovered were two doc files of about 6.8 MB each. I wasn't able to open either of the 2 files with OpenOffice or Microsoft Office 2003.
Right after executing foremost you will see a progress bar similar to:
Processing: /dev/sda5
|************************************************************************..
On a 15 GB partition the program took about 10 or 15 minutes to complete its recovery operations, but as I said the recovered data wasn't good at all.
The other ext3 file recovery programs I tried were:
1. PhotoRec
2. TestDisk
3. ext3grep
4. ext3undel
The ext3undel reviews and articles I found online were really interesting; they presented ext3undel as a collection of wrapper shell scripts built on top of The Sleuth Kit, PhotoRec and foremost, which it uses as its main tools to conduct the recovery.
After I'd read a few positive reports from people who succeeded in recovering their deleted files on ext3 partitions, I immediately went to check out the tool and installed it.
The tool already has a packaged Debian version. To install it you will have to add the following deb repository to your /etc/apt/sources.list file:
debian:~# echo 'deb http://apt.izzysoft.de/ubuntu generic universe' >> /etc/apt/sources.list
Next, to install the ext3undel package issue:
debian:~# apt-get update && apt-get install ext3undel
ext3undel is actually pretty interactive, so it was not necessary for me to pass any program options to it; I simply started it:
debian:~# ext3undel
You will be prompted with the partition selection menu, where you first have to select the partition from which you would like to recover files.
Next you will be prompted to select another partition, which must be a different one from the first one chosen (recovered files are written there so that the source partition is not touched).
The third thing you will be prompted about is the file type you would like ext3undel to look for; in my case that was .odt.
After a minute or so the program will show you all the .odt files which were recently wiped from the hard disk.
It is then up to you to use the /usr/bin/ralf program (R.A.L.F. - Recover A Lost File, a tool to undelete an accidentally deleted file from ext2/ext3 file systems) to undelete the mistakenly deleted files on your ext3 Linux filesystem.
However, it appeared that the ralf utility is not working properly on current Debian testing/unstable (Squeeze/Sid) distributions.
Invoking the ralf binary I was surprised by the following error message:
Could not find the 'dls' executable in your $PATH. This is part of the sleuthkit package.
One or more of the essential tools required to recover your file cannot be found. Please make sure you have them installed, and they can be found in your $PATH.
A few minutes of research showed me that in newer versions of The Sleuth Kit the dls binary has been renamed to blkls, so it seemed quite natural to simply symlink blkls to dls; my assumption was that this would probably resolve the error printed by the ralf wrapper script.
Thus I created the dls symlink pointing to blkls:
debian:~# ln -sf /usr/bin/blkls /usr/bin/dls
Then once again I tried the ralf file recovery utility:
debian:~# ralf /home/hipo/filetorecover.odt
This time the error returned by the ralf program changed and looked like:
* FileName set to '/home/hipo/filetorecover.odt'
* Real filename: '/home/hipo/filetorecover.odt'
/usr/bin/ralf: line 239: /tmp/undel_FIFO: Interrupted system call
* Evaluated '' as corresponding mount point, using '' file system.
! WARNING: This is not an ext2/ext3 file system, so our algorithm may fail!
Sorry - something went wrong, could not determine the source device.
* Cleaning up...
I looked online to see whether somebody had experienced the same error with the program, but I couldn't find anything, so I eventually decided to drop the idea of using ext3undel.
As I continued my research on the tools that exist nowadays to undelete files on Linux, I came across debugfs.
A very good article about a possible way to use debugfs to retrieve deleted files on ext3 can be found on Symantec's website.
However, in my case using debugfs as a recovery tool didn't work out.
Anyway, as I scraped through the internet I found a couple of posts which pointed out that a good commercial program able to recover lost files on an ext3 partition is Stellar Phoenix Linux Recovery; you can check out the product on the Stellar Phoenix Linux Recovery page.
After a few hours spent on futile attempts to recover my recently deleted file, I finally decided to give up and rewrite the file :(
As a conclusion I would say that for Linux there are plenty of ways to recover files on an ext3 partition; however, the process is really complex, and the lack of a simple, user-friendly, robust program to do it is a big gap in GNU/Linux as a modern day operating system.
Any user feedback and suggestions on how somebody was able to recover accidentally deleted files from ext3 partitions are most welcome!