[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Recovering deleted files - possible?

On Apr 04, 2002  12:48 +1200, Matt Cunningham wrote:
> Redhat 7.2 - ext3 filesystem.
> Is it possible to recover deleted files immediately after deleting them?
> I have found utilities for recovering data from ext2 filesystems...

Not easily.  This is a "bug" in the ext3 code caused by the way that
the journaling is written.  While it is a known issue, the fix is
apparently not very easy so it hasn't been done yet.

Two things you can do to try and recover your data (depending on what
sort of data it is):

0) Unmount your filesystem with these deleted files immediately.  If
   you have not already done so, the chances of you recovering them
   is getting smaller all the time.  This might mean booting from
   a CD instead of the disk if it is your root filesystem.
1) run "strings /dev/hdX | less" on your disk and search for bits of
   your text documents in the output, then cut-n-paste it to another
   file ON ANOTHER FILESYSTEM.  You _could_ just dump the output into
   a DIFFERENT filesystem, but it could be pretty large, so you may
   want to find the actual data first before doing this.  If you have
   a small number of deleted text (or text-containing) documents to
   which you know some of the expected content, this may work.
2) (much more complex) If you haven't also deleted the directory in
   which these files resided that is a big help.  Do "ls -id /dir"
   on the directory in which the deleted files lived.  Then run
   "dumpe2fs /dev/hdX" to find out which group this directory inode
   lives in.  You will also get a listing of free blocks for that
   group.  For each free block in that group do (blocksize as reported
   at the beginning of debugfs output, probably 4096):
   dd if=/dev/hdX bs={blocksize} skip={blocknum} count=1 > tmpfile.{blocknum}

   Make sure that tmpfile is on a DIFFERENT filesystem.  Look at each
   block with "less" and/or "file" to see if it has the data you want.
   The "file" output can be used to identify the START of a binary file,
   but not any subsequent blocks.  However, depending on how many files
   you have deleted and how large they are, this may not be helpful.
   In general, a file will allocate contiguous blocks, so if you find the
   start of a file you want, you can try sticking all of the following
   blocks after it and seeing if it works.  If you have very large files,
   or you deleted a lot of files spread across the whole disk, this is
   basically impossible to do.

Moral of the story - depending on how valuable these files are will tell
you how much time and/or money to spend trying to get them back.  If they
are really that valuable, you should have made a backup.

Cheers, Andreas
Andreas Dilger  \ "If a man ate a pound of pasta and a pound of antipasto,
                 \  would they cancel out, leaving him still hungry?"
http://www-mddsp.enel.ucalgary.ca/People/adilger/               -- Dogbert

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]