undelete files on ext4

Question

My mother has placed some important files on her /tmp per accident. Now, of course, they are gone.

This happened yesterday (2 boots of the machine since)

I want to try to undelete the files. They were on /tmp, which was on the same partition as the rest of / , so I need a tool that runs on a mounted system (or maybe I could use a livecd ...)

Right now, I am trying testdisk on a systemrescuecd that I just downloaded. I can get some files from /tmp, but not all. (is it the right tool ? What exactly are those "red" files ? are only some of them recoverable ?)

Answer 1

You can also use extundelete

First unmount (umount) the file system where the files have been deleted.
Then read the chapter What to do if you've deleted a file.

You can install extundelete from classic Ubuntu repository:

sudo apt-get install extundelete

Or better, you can download the latest version and compile it:

cd ~/Download
tar -xf extundelete-*.*.*-.tar.bz2  #Replace *.*.* by the version
cd      extundelete-*.*.*
sudo apt-get install e2fslibs-dev   #Required for compilation
./configure
make
sudo make install
extundelete --version               #Should be your *.*.* version

Example of usage: restore all deleted files from directory Images into new created directory restore

sudo extundelete --restore-directory Images/ -o restore /dev/sda3

Bad news if you see your file XXXX within the following format:

Unable to restore inode NNN (Images/XXXX): Space has been reallocated.

See all restored files (look for your file):

find restore -name '*'

Backup your file(s) and remove this temporary directory restore

cp restore/Images/XXXX MY_BACKUP_DIRECTORY
sudo rm -rf restore  

Answer 2

Data recovery, especially on EXT file systems, should be attempted from a live CD or other system that isn't depending on the partition you're undeleting from. Getting the disk unmounted or re-mounted as read only helps a great deal in the recovery effort.

Most of the time I try to create an image of the partition or disk using dd or a similar tool, so that I'm not working on the disk itself:

dd if=/dev/sd[xx] of=/media/backup_drive/recovery.img

Once you have your image, you can use a tool like ext3grep to try and find the files you're looking for. There are lots of different switches that you can try, but this might be a good start:

ext3grep --restore-file 'tmp/moms-file.txt' recovery.img

The ext3grep utility also provides several different ways to search through the file system if you don't know the name of the file. Check ext3grep --help for the various methods of searching.

Answer 3

I prefered to use ext4magic as :

sudo ext4magic  /dev/sdc3 -r -f $USERl/Documents/ -d /tmp/local/tmp/

Note you have to resolv symlink by your own

References:

http://ext4magic.sourceforge.net/howto_en.html

http://sourceforge.net/projects/ext4magic/

http://rzr.online.fr/q/recover

Answer 4

AnalyzeEXT

Parse data blocks for EXT directory data.

Detailed documentation on EXT4 can be found here:

• https://ext4.wiki.kernel.org/index.php/Ext4_Disk_Layout
• https://digital-forensics.sans.org/blog/tags/ext4

Download the perl script with

git clone https://github.com/halpomeranz/analyzeEXT

No guarantee but may be able to reconstruct deleted filesystems.

Answer 5

I could not recover my crontab file by using ext4magic or extundelete.

On Debian, the crontab for root is here:

/var/spool/cron/crontabs/root

But, by using the following command, I was able to at least manually recover my crontab from the logs.

 grep CRON /var/log/syslog.* -i| awk -F " CMD " {'print $2;'} |sort | uniq

It will output only the executed cron jobs (no timings), but at least this is a lot more than starting from scratch.

If you don't remember how often certain cron jobs run, take a full log e.g. syslog.1 and this will give you the count for runs trough the day:

grep CRON /var/log/syslog.1 -i| awk -F " CMD " {'print $2;'} |sort | uniq -c |sort -n