LinuxQuestions.org
Old 11-13-2003, 09:17 AM   #1
e-Gandalf
LQ Newbie
 
Registered: Nov 2003
Posts: 5

Rep: Reputation: 0
Data rescue on ext3


I have a big problem with undeleting one very important file which was in a directory I deleted by mistake.
I have unmounted that drive and now I'm testing every app I found - led, e2undel, unrm... but all of them are for ext2.
With led I was able to find blocks of this file and probably even the inode, but after this, when I tried to dump the inode with debugfs, debugfs said that the inode is empty...

Has anyone ever successfully rescued any file with ext3???

Or maybe undeleting a directory is easier? Please, I see those lines in the block editor, and I don't know what to do next to rescue this data... Need any, any help.
 
Old 11-22-2003, 12:07 PM   #2
Eqwatz
Member
 
Registered: May 2003
Distribution: Slack Puppy Debian DSL--at the moment.
Posts: 341

Rep: Reputation: 30
I hope you unplugged/umounted that drive immediately. And, I hope you did a binary image of the drive/partition in which the directory used to reside.

Frankly, you are pretty screwed. If the directory and all of its files weren't written as a single unit, the files are going to be spread out. If the actual inodes located within the directory are found to be intact, and only dereferenced on the superblock, you might get it back. But this involves making an actual entry for the directory in the correct location using exactly the correct entry.

I was able to recover using an offset to define the beginning of each file and specifying the exact length of the file using the utility dd. In my case it was all trial and error. Mostly error. I used a hex-editor to view the drive one offset at a time. A ghastly learning experience.

If the inodes within the directory are intact, you may be able to use an offset to define the location of the directory, and possibly pipe the inode to a file utility to copy the files to another directory. I don't know. Just thinking about this gives me the "squeamish--woo-hahs".

But you are going to have to manipulate things at a level with which I am unfamiliar. You are going to have to do some heavy research on that one.

If the stuff is really that important, I pray that everything you have tried had been on the binary image of the partition/drive in which you are working--otherwise, well . . .

And, yes I have rescued files from a serious f**kup, but not as ext3. The underlying filesystem is ext2. Any journalled information or unsynchronised writes were lost. It took mucho--mucho--mucho time, the stuff better be worth it.

That was when I got really serious about filesystem layout and backups--including cheating using Image software, and duplicating filesystems using other names--so I could change a LABEL= entry in /etc/fstab, reboot and continue on my merry way--it is possible to synchronize a partition as an "unofficial mirror" for writes only--leaving everything there in case of a bad mistake. I don't use that any more as I have developed good habits.

I am not proud--I'll do anything to avoid the experience you are going through, and what you will have to go through to attempt to recover something of value from that filesystem.

I also set up the windows garbage-can thing for linux, so I had to go through two distinct operations to delete things. NEVER AGAIN.

Last edited by Eqwatz; 11-22-2003 at 12:38 PM.
 
Old 11-25-2003, 12:17 PM   #3
e-Gandalf
LQ Newbie
 
Registered: Nov 2003
Posts: 5

Original Poster
Rep: Reputation: 0
Hmmm. I unmounted the drive, but I don't know how to create an ideal binary copy of that drive (I tried with /dev/hdc5 > ~/rescue/hdc5.resc but I'm not sure if it worked for all blocks or only for inoded files).

So, I know I'll have to do much work with dd. Right now I'm trying to manage some perl script which will search for the determined beginning of each mail and its end, and dump it to a new file. Hope it will work!

Thanks for help!
 
Old 11-25-2003, 12:45 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,140
Blog Entries: 54

Rep: Reputation: 2791
Quote:
I have unmounted that drive and now I'm testing every app I found - led, e2undel, unrm... but all of them are for ext2.
Ext3fs is just ext2fs with journalling added. Tools like mc (Midnight Commander), recover, TCT should all be able to show and undelete your files provided the space the file occupied previously wasn't reallocated.


Here's some howto's:
Recovering a Lost Partition Table,
Linux Partition HOWTO,
How to recover lost partitions,
Linux Ext2fs Undeletion mini-HOWTO,
Linux Partition Rescue mini-HOWTO.


Here's a tools listing:
Recover (app + info),
R-Linux (never tried this one),
e2salvage (never tried this one),
Unrm (never tried this one),
TCT, The Coroner's Toolkit*,
Also mc (the Midnight Commander) can undelete stuff.
* Don't use unless you're desperate w/o options left. Don't use until you have some experience with this as it's used in forensics, is a tool set and not a GUI click-n-go tool and damn slow. Make sure you are willing to make a serious investment (your time) and be prepared to still not get useful stuff returned...


Quote:
I unmounted the drive, but I don't know how to create an ideal binary copy of that drive (I tried with /dev/hdc5 > ~/rescue/hdc5.resc but I'm not sure if it worked for all blocks or only for inoded files).
Try "dd if=/dev/hdc5 of=/dev/someotherpartition/filename conv=noerror"

I wrote a script to do mass undeletion (just an experiment), here's the code. Save it as "undelfile.sh", make executable and run w/o args for some basic details. If for example your (ext2 or ext3) /tmp partition has enough space to hold ALL stuff that can be undeleted, you could run it as "./undelfile.sh --automate-it-all /tmp /dev/hdc5". It would then try to recover ANY RECOVERABLE FILE to /tmp/lost+found.

Please note I don't take responsibility for fsck ups and YMMV(VM).


Code:
#!/bin/bash
# Purpose: Undelete files on ext2fs and ext3fs
# Args: l,s,u,t,--automate-it-all
# Deps: Bash, GNU utils, debugfs, file, magic, md5sum, sha1sum
# Run from: manual

# Prepstage functions
progn=$(basename "$0")
# Access custom functions
#. /etc/bash_functions

__help() { echo -e "$progn: <cmd> </dest> </dev/part> 
</dest>: VFS dir where \"lost+found\" resides 
</dev/part>: partition to recover from
<cmd>, in logical order:
1: -l </dest> </dev/part> (generates inode master list)
2: -s </dest> </dev/part> (generates inode statistics from list)
3: -u </dest> </dev/part> (<inode> or empty to add regex)
4: -t  </dest> (tags inodes using commands: file, md5sum and sha1sum)

>>>> ALWAYS RECOVER TO -=ANOTHER PHYSICAL PARTITION=- <<<<
"; exit 1; }

__testto() { test -d "$1/lost+found" && dest="$1/lost+found" || __help; }
# Accept only a block device as the source
__testfrom() { test -b "$1" && src="$1" || __help; }

case "$1" in
l|-l|--generate-list) __testto "$2" && __testfrom "$3"
######################################################################################
# debugfs prints its banner on stderr; capture both streams in the list file
/sbin/debugfs -R "lsdel" "$src" > "$dest/0_fullinodelist" 2>&1 && \
echo "Inode info is \"$dest/0_fullinodelist\""

# First column is the inode number; awk copes with numbers wider than 6 digits
test -f "$dest/0_fullinodelist" && ( grep -Evi "(debugfs|inodes found|deleted)" \
"$dest/0_fullinodelist"|awk '$1 ~ /^[0-9]+$/ {print $1}' >"$dest/0_inodes"
test -f "$dest/0_inodes" && echo "Inode list is \"$dest/0_inodes\"" ) || exit 127

echo "Calculating necessary diskspace"
# Column 4 of the lsdel output is the file size in bytes
space=$(grep -Evi "(debugfs|inodes found|deleted)" "$dest/0_fullinodelist" \
| awk '$1 ~ /^[0-9]+$/ {sum += $4} END {printf "%d", sum/1024/1024}')
echo "We need ${space}MB space to recover everything"
echo "Checking remaining diskspace"

# Note: -uM (sizes in MB) is only accepted by older sfdisk releases
sfdisk -l -uM|grep -Evi "(disk|units|device)"|tr -d "\+\-\*"\
|grep "^/dev"|grep -Evi "(swap|empty|lba|hidden)"\
|while read s; do s=( ${s} )
if [ "${s[3]}" -ge "$space" ]; then
        echo "${s[0]} has SIZE ${s[3]}MB"
fi; done

\df -m|egrep -vie "($src|filesystem|tmpfs)"|while read s; do s=( ${s} )
if [ "${s[3]}" -ge "$space" ]; then
        echo "mounted ${s[5]} has ${s[3]}MB left (could do)"
else
        echo "mounted ${s[5]} has ${s[3]}MB left (insufficient)"
fi; done
;;

s|-s|--inode-stats)  __testto "$2" && __testfrom "$3"
######################################################################################
# Next add regex search tru 0_fullinodelist
test -f "$dest/0_inodes" && ( tac "$dest/0_inodes" | while read -r inode; do
        /sbin/debugfs -R "stat <$inode>" "$src" > "$dest/0_stat_$inode" 2>&1
done ) || echo failed 128
;;

u|-u|--undelete)  __testto "$2" && __testfrom "$3"
######################################################################################
# Next add easy choices like "today", "this week", "this month", "this aeon"
if [ "X$4" = "X" ]; then
        echo "Get the inode from \"$dest/0_inodes\" or see \"$dest/0_fullinodelist\""

        unset ans; echo -e "Want to refine search and dump, or dump everything?
        [Y|y|yes|R|r|refine] to refine
        [A|a|all] to dump everything (watch out, I'm not checking!!!)
        [Q|q|quit|(anything else)] to quit"; read -r ans
        case "${#ans}" in 0) exit 129;; *) ans=$(echo "$ans"|tr 'A-Z' 'a-z');; esac

        case "${ans:0:1}" in
         y|r) echo -e "OK, Give me a std regex. Remember a debugfs line looks like this:
        25894      0 100644   3576    1/   1 Wed Sep 26 15:57:34 2001
        and the date given is the TIME OF DELETION so no MAC times.
        So, that's all you can use. Hope you are creative.
        Example :\"Dec.*2001\" is used as 'grep list -Eice \"^ *[0-9].*Dec.*2001\"'"
        read -r regex
        # Allow leading spaces in case the inode column is padded
        res=$(grep -Eic -e "^ *[0-9].*${regex}" "$dest/0_fullinodelist")
        printf 'We used: "%s" and got %s hits\n' "^ *[0-9].*${regex}" "$res"

        unset ans; echo "See [r]esults or [u]se regex for recovery? [r|u]"; read -r ans
        case "${#ans}" in 0) exit 130;; *) ans=$(echo "$ans"|tr 'A-Z' 'a-z');; esac
        case "${ans:0:1}" in
        r) grep -Ei -e "^ *[0-9].*${regex}" "$dest/0_fullinodelist";;
        u) grep -Ei -e "^ *[0-9].*${regex}" "$dest/0_fullinodelist"|awk '{print $1}'\
           |while read -r inode; do /sbin/debugfs -R "dump <$inode> $dest/$inode" "$src"
           done;;
        esac
         ;;

         # Only prints the loop that would dump everything; nothing is executed here
         a) echo "cat \"$dest/0_inodes\" | while read inode; do"
           echo "/sbin/debugfs -R \"dump <\$inode> $dest/\$inode\" $src"
           echo "done"
         ;;

         q|*) exit 1
         ;;

        esac
        exit 0
else    
        /sbin/debugfs -R "dump <$4> $dest/$4" "$src"
fi
;;

t|-t|--tag)  __testto "$2"
######################################################################################
echo "Making output of file, md5 and sha1 command"
find "$dest" -iname "[0-9][0-9][0-9]*" | while read -r inode; do
        # Append both stdout and stderr of each tool to the tag files
        file "$inode" >> "$dest/0_inodes.file" 2>&1
        md5sum "$inode" >> "$dest/0_inodes.sums" 2>&1
        sha1sum "$inode" >> "$dest/0_inodes.sums" 2>&1
done
;;

--automate-it-all) __testto "$2" && __testfrom "$3"
######################################################################################
echo "Too late... you set the gears in motion..."
echo "This one only stops when done or when out of diskspace..."
# Newest inodes first.
/sbin/debugfs -R "lsdel" "$src" | grep -Evi "(debugfs|inodes found|deleted)"\
|awk '$1 ~ /^[0-9]+$/ {print $1}'>"$dest/0_inodes"; tac "$dest/0_inodes"|while read -r inode; do 
/sbin/debugfs -R "dump <$inode> $dest/$inode" "$src"; done
find "$dest" -iname "[0-9][0-9][0-9]*" | while read -r inode; do
file "$inode" > "$inode.file" 2>&1; md5sum "$inode" > "$inode.md5" 2>&1
sha1sum "$inode" > "$inode.sha1" 2>&1; done
;;

h|-h|--help|ohcrap|whathavidone|*)
######################################################################################
        __help
        ;;
esac

exit 0
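
For the dd imaging step suggested in this post, an added example (not part of unSpawn's script or of the original thread) that copies a partition and then checks that every byte arrived. The function name image_partition is hypothetical; GNU coreutils is assumed, plus blockdev from util-linux when the source is a block device.

```sh
# image_partition SRC IMG
#   Copy SRC (a partition such as /dev/hdc5, or any file) to IMG, verify the
#   size, write-protect the image and print its SHA-256.
image_partition() (
    src=$1 img=$2
    # Size of the source in bytes: blockdev for devices, wc for regular files
    if [ -b "$src" ]; then
        size=$(blockdev --getsize64 "$src") || exit 1
    else
        size=$(wc -c < "$src") || exit 1
    fi
    # noerror: keep going after a read error
    # sync:    pad a failed or short block with zeros, so data that follows
    #          stays at its original offset inside the image
    dd if="$src" of="$img" bs=4096 conv=noerror,sync status=none || exit 1
    # sync also pads the final short block; cut the image back to source size
    truncate -s "$size" "$img" || exit 1
    [ "$(wc -c < "$img")" -eq "$size" ] || exit 1
    # Guard against accidental writes while recovery tools are tried out
    chmod a-w "$img"
    # Record this fingerprint; re-hash later to confirm the image is unchanged
    sha256sum "$img" | cut -d' ' -f1
)
```

The image can be attached read-only with losetup -r when a tool insists on a block device, so every recovery attempt runs against the copy instead of the original partition.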
 
Old 11-25-2003, 04:24 PM   #5
meldroc
Member
 
Registered: Aug 2003
Posts: 102

Rep: Reputation: 15
Most of the undelete tricks that worked with ext2 don't work with ext3. When deleting a file, ext2 normally just marks the file's inode as free, but leaves the data about the file's location & size in there, meaning an undelete utility can find it and recover the file (assuming it wasn't overwritten by another file.)

Ext3, because of its journalling, actually wipes the inode rather than just marking it free, because of data integrity requirements, meaning ext2's undelete won't work. You might be able to recover parts of the file if you unmount the partition and search using very low level tools (like led), but it's a lot harder, and you might not get all of it.

In any case, I've never done this. I'm just parroting what I've read. I don't envy your situation. Sometimes I think it would be a good idea to implement a trash-can directory (like Windows' Recycle Bin) where files are moved when they are "deleted", so they can be recovered if necessary, and have a cron job empty the trash can once a week or so to keep it from hogging too much space. It should be implemented on a fairly low level - filesystem level, so a user can type "rm foo" or use delete functions in programming APIs or whatever, and automagically move files to the Trash instead of deleting them.

I've used Linux for quite a while, and consider myself to be smarter than most when it comes to computers, and even so, I've made some bad screwups from deleting. Think what happens if you type "rm -rf / usr/share/foo" instead of "rm -rf /usr/share/foo" as root...

Last edited by meldroc; 11-25-2003 at 04:27 PM.
 
Old 11-25-2003, 04:36 PM   #6
meldroc
Member
 
Registered: Aug 2003
Posts: 102

Rep: Reputation: 15
More info: After googling, I found some more information on the kernel mailing list archives:

Quote:
Quote:
I think there must be some other differences between ext2 and ext3, I've tried e2undel and unrm, both made for ext2, and none of them found any deleted inode.
Yes, in order to ensure that ext3 can safely resume an unlink after a crash, it actually zeros out the block pointers in the inode, whereas ext2 just marks these blocks as unused in the block bitmaps and marks the inode as "deleted" and leaves the block pointers alone.

Your only hope is to "grep" for parts of your files that have been deleted and hope for the best.

Cheers, Andreas
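
The "grep for parts of your files" approach quoted above, combined with the dd-by-offset recovery described earlier in the thread, as an added example that does not come from any poster or from the mailing list message. carve_marker and make_sample_image are hypothetical names, GNU grep and GNU dd are assumed, and the sample image is constructed.

```sh
# carve_marker IMAGE MARKER LENGTH OUTDIR
#   Find every byte offset of the fixed string MARKER in IMAGE and copy
#   LENGTH bytes starting there to OUTDIR/carve_<offset>.bin.
#   IMAGE is only ever opened for reading. Prints the number of hits.
carve_marker() (
    image=$1 marker=$2 length=$3 outdir=$4 count=0
    mkdir -p "$outdir" || exit 1
    # -a treat binary data as text, -b print the byte offset,
    # -o report the match itself (so the offset is that of the match),
    # -F fixed string, so the marker is never interpreted as a regex
    offsets=$(LC_ALL=C grep -a -b -o -F -e "$marker" "$image" | cut -d: -f1)
    for offset in $offsets; do
        # skip_bytes/count_bytes make skip= and count= byte values (GNU dd)
        dd if="$image" of="$outdir/carve_$offset.bin" bs=4096 \
           iflag=skip_bytes,count_bytes skip="$offset" count="$length" \
           status=none || exit 1
        count=$((count + 1))
    done
    echo "$count"
)

# Constructed sample: two mail fragments surrounded by zeroed blocks, standing
# in for a partition image whose inodes no longer point at the data.
make_sample_image() {
    {
        head -c 8192 /dev/zero
        printf 'From alice@example.org Tue Nov 25 12:00:00 2003\n'
        printf 'Subject: one\n\nfirst body\n'
        head -c 4096 /dev/zero
        printf 'From alice@example.org Tue Nov 25 12:05:00 2003\n'
        printf 'Subject: two\n\nsecond body\n'
        head -c 4096 /dev/zero
    } > "$1"
}

# Usage: carve_marker hdc5.img 'From alice@example.org' 65536 ./carved
```

Each carved file starts at a hit and runs for the requested length, so it still has to be trimmed by hand where the real data ends, and fragmented files come back only in part.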
 
Old 07-22-2006, 06:27 AM   #7
DaveQB
Member
 
Registered: Oct 2003
Location: Sydney, Australia.
Distribution: PCLinuxOS 2010.12, Debian Lenny
Posts: 387

Rep: Reputation: 38
What I don't get is there are many Windows apps out there that say they can recover ext2 AND ext3 filesystems. Yet there's no Linux app out there saying it can.

I am putting together a Windows box to try these out tomorrow. We'll see how they go, but if they work, then that's disappointing for the Linux community [Windows programs recovering Linux filesystems better than Linux can]
 
Old 03-27-2007, 11:10 PM   #8
digdogger
LQ Newbie
 
Registered: Mar 2007
Posts: 13

Rep: Reputation: 1
I have a similar posting at ...

http://www.linuxquestions.org/questi...41#post2687541
 
  

