Friday, February 11, 2011

DELETED FILES RECOVERY

Deleted files recovery howto

The first steps 

First of all: Immediately unmount the file system the deleted file was located on. This minimizes the risk that the data of the deleted file are overwritten while taking steps to recover them. All data written to the file system containing the deleted file - either by you or by any other process running on your machine - might overwrite some of the data you want to recover!
If you can't unmount the file system, e.g. because the deleted file was located on your root file system, you should consider to shut down the computer, remove the hard drive and put it into another Linux machine. Probably, you will have to compile and install some software, such possibly destroying the data you want to recover.
I strongly suggest this option if either the deleted data are so important that you don't want to take any unnecessary risk to loose them, or if the file system has very few unused space available (less then 20 percent or less than 100 MByte), or if the file is larger than 48 kByte: If few free space is available on the file system, ext2 might choose to store new data in areas that were recently used by deleted files; and if the file is larger than 48 kBytes, its data may be distributed across the file system, such enhancing the risk of overwriting parts of the deleted data with new files. It is your decision; but you have been warned.
If you are in the very unpleasant situation that you neither can use your system without the file system containing the deleted file nor have another Linux machine available, I strongly suggest to create a RAM disk to build and install the necessary software. With kernel 2.4, it is quite easy: Just do a mount tmpfs /mnt -t tmpfs. This will create a dynamically growing RAM disk on directory /mnt.

 Using debugfs 

Especially if you can't unmount the file system containing the deleted data, debugfs is a less comfortable, but usable alternative if it is already installed on your system. (If you have to install it, you can use the more comfortable e2undel as well.) Just try a
/sbin/debugfs device
Replace device by your file system, e.g. /dev/hda1 for the first partition on your first IDE drive. At the "debugfs:" prompt, enter the command
lsdel
After some time, you will be presented a list of deleted files. You must identify the file you want to recover by its owner (2nd column), size (4th column), and deletion date. When found, you can write the data of the file via
dump <inode_number> filename
The inode_number is printed in the 1st column of the "lsdel" command. The file filename should reside on a different file system than the one you opened with debugfs. This might be another partition, a RAM disk or even a floppy disk. Repeat the "dump" command for all files that you want to recover; then quit debugfs by entering "q".

Note that this document comes without warranty of any kind. But every effort has been made to provide the information as accurate as possible. I welcome emails from any readers with comments, suggestions, and corrections at webmaster_at admin@linuxhowto.in

Copyright © 2012 LINUXHOWTO.IN

2 comments: