
Re: Undelete for Linux

On Thu, 5 Dec 2002, Aaron Konstam wrote:

>Date: Thu, 5 Dec 2002 10:15:57 -0600
>From: Aaron Konstam <akonstam Trinity Edu>
>To: psyche-list redhat com
>Content-Type: text/plain; charset=us-ascii
>List-Id: Discussion of Red Hat Linux 8.0 (Psyche) <psyche-list.redhat.com>
>Subject: Re: Undelete for Linux
>On Thu, Dec 05, 2002 at 03:54:40PM -0000, Rimas wrote:
>> Is there a way to undelete files on RedHat 7.3/8.0?
>> Thank you
>For ext2 file systems this can be done with dumpe2fs, mc and a program that can
>be downloaded from contributed sites called restore.
>I have yet to see anything that admits it can recover files in ext3 file
>systems but I haven't really tried.

An ext3 filesystem is an ext2 filesystem, with the addition of 
the journal file, so recovery is identical.

Another method which is much easier, is to remount the partition 
read-only that the files were deleted from, after forcefully
doing a "kill -9" on any software preventing remounting, and then 
using Midnight Commander (mc) to recover the files using its 
built-in undelfs support.  After a very long time of undelfs 
scanning the disk, it will present you with all of the deleted 
inodes, and you can select them for undeletion.  Note that these 
files may be recoverable, or they may have already been 
destroyed because a deleted file's blocks are free to be used by 
the system for future disk writes.  Attempting to recover deleted 
files is a crap shoot because you are praying that the OS has not 
yet used the deleted blocks for something else.  If it has, you 
are screwed.

The deleted files no longer have filenames, just the inode 
number.  So you'll get a huge list of inode numbers like "#34524" 
for filenames.  The easiest way to find your goodies, is to 
recover ALL of them to a separate partition that can hold all of 
the data, then hunt through it with unix utilities like 
grep/strings/etc. or you can search the list in mc sorted by 
date/time, etc.

Recovering deleted files is not fun, but mc makes it somewhat 
easier than using something like debugfs.  The important thing is 
to remount the partition readonly first that contains the files 
deleted.  And to realize that until you get it readonly mounted, 
any command you run could cause the disk to be written to.  For 
example, "init 1" to switch to single user mode might seem like  
a nice quick way to do it, however that will cause many services 
to cleanly shut down, and also to write to disk, write to syslog, 
etc.  Make sure whatever you do, you are preventing apps from 
writing to the partition with the deleted files.  If the 
partition is very very full and has little free space, this is 
ultraimportant.  On partitions with more free space, it is less 

Anyway, I hope this helps.

Mike A. Harris     ftp://people.redhat.com/mharris
OS Systems Engineer - XFree86 maintainer - Red Hat
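
Added example, not part of the original message: a shell sketch of the two ends of the procedure described above, freezing the partition read-only before the mc recovery and then hunting through the recovered inode-numbered files by content. The function names are hypothetical, and it assumes Linux with GNU coreutils (`stat -c`) and psmisc (`fuser`).

```shell
#!/bin/sh
# Added illustration; function names are hypothetical. Assumes Linux with
# GNU coreutils (stat -c) and psmisc (fuser).

# Show processes that keep the filesystem busy and would block the remount.
holders() { fuser -vm "$1"; }

# Remount read-only so no further writes can reuse the deleted blocks.
freeze() { mount -o remount,ro "$1"; }

# Succeed only if MOUNTPOINT is listed with the "ro" option.
# The second argument defaults to /proc/mounts; the last entry wins.
is_readonly() {
    awk -v m="$1" '
        $2 == m { ro = 0; n = split($4, o, ",")
                  for (i = 1; i <= n; i++) if (o[i] == "ro") ro = 1 }
        END { exit !ro }' "${2:-/proc/mounts}"
}

# List recovered files in DIR whose contents contain PATTERN, newest first.
# Output: mtime-epoch <TAB> size <TAB> path. grep -a searches binary files
# as text, -F takes the pattern literally, -i ignores case.
triage() {
    grep -a -l -i -F -e "$2" -- "$1"/* 2>/dev/null |
    while IFS= read -r f; do
        printf '%s\t%s\t%s\n' "$(stat -c %Y "$f")" "$(stat -c %s "$f")" "$f"
    done | sort -rn
}

# Usage: script RECOVERED_DIR PATTERN (run after freeze and the mc recovery)
if [ "$#" -eq 2 ]; then triage "$1" "$2"; fi
```

Check `is_readonly` before starting the undelfs scan, and point `triage` at the separate partition the files were recovered to, never at the partition they were deleted from.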
