LinuxQuestions.org
Visit the LQ Articles and Editorials section
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices

Reply
 
Search this Thread
Old 05-25-2010, 02:32 PM   #1
rtoney5
Member
 
Registered: Oct 2007
Location: FL, US
Distribution: Ubuntu MintLinux-XFCE, Mint7, Parted Magic, PCOS OpenWorkstation, OpenSuse-11
Posts: 131

Rep: Reputation: 17
Lightbulb How to Recover Deleted Files when rm command was used (I recovered using ext3grep)


I thought I'd share this with anyone who made the same mistake I did when using the rm -r command on Linux (my distro is Ubuntu-9.10).

I'll spare you the sob story details, but In summary, I wiped out 60% of my VirtualBox .vdi files on one of my partions. The file sizes ranged from 3gb to 9gb files. (I did have some backups but 4 months ago). Needless to say I'll be backing my files up more often (especially my Virtual Image .vdi files). So here are the steps...: [ Look, I know it seems like allot of steps, but its worth it in the end!!]

(By the way, these are all ext3 filesystems, I would imagine you could recover fat32 [windows} type filesystems too, but I just did this under Linux filesystems)

1--> If you've found yourself deleted any files, try to unmount the partition. ( In my case it was an external 2 1/2 hard drive, command used to unmount is sudo umount /dev/sda3)

1b--> If you only have one partition, then I'd suggest shutting down your computer and putting a Live CD in it (preferably the Ubuntu Live CD).

2--> Whether 1 or 1b applies to you, install ext3grep from Synaptic or any package manager. (if you had to reboot via a live CD, make sure you unmount the partition that has the deleted files.(example umount /dev/sda1 or in my case it was umount /dev/sda3). If you're on the LiveCD of Ubuntu, I believe it will let you install the ext3grep package using Synaptic Package manager and it will put it in RAM under the Live Desktop Session.

3--> Now here's the important part before you proceed any further. If the partition that has the deleted files is taking up 30gb (yes 30gb used space), then you have to mount an existing partition GREATER than 30gb ***FREE*** SPACE. I happened to have another partition /media/sda7 already mounted that had 50 gb free.
So at this point, you must go to any directory under your (recovery partition, i'm referring to my 50gb partition /media/sda7). To do this, run the command cd /media/sda7, now you're in your (recovery partition). You can make a new directory if you want, or just use any existing directory on the /media/sda7 partition. (I made a directory something like mkdir ./Yikes ) So I get into the directory by cd /media/sda7/Yikes then run the following command....:

ext3grep --restore-all /dev/sda3

4--> ***Keep in mind, you just ran that command from the /media/sda7/Yikes directory on your recovery partition. ***This will create a folder called "RESTORED_FILES" under/in the Yikes Directory.*** The ext3grep command you just submitted will try to recover every single file on that partition that has the deleted files (i.e. /dev/sda3). There is a way to restore single files and their paths, but I got frustrated and just did a full restore.

5--> Depending on the partition size and number of files, it could take 30 minutes to 2 hours or more before you start to see messages in the terminal screen saying "Restored file... Abc.txt or sam.jpg". Let it finish!!!
At first you will see it saying "Group 1, Group 2 and crazy characters going across the screen, that's normal." You know it's begining the actual restore process when you start to see "Restored file...".

6--> At this point you can open a DIFFERENT terminal screen and do cd /media/sda7/Yikes/RESTORED_FILES to see the files being restored under the various directories. This does work because I was able to restore at least 25gb worth of files. Again, file sizes ranged from 3gb to 9gb!!

7--> Final step when the 1st terminal screen is done restoring the files, you can either open them up from the /media/sda7/Yikes/RESTORED_FILES directory to check them out, or you can copy them back to where they were deleted before.
***BUT I WOULD SAY TO MAKE A BACKUP OF THE RESTORED FILES, or keep the restored files in the /media/sda7 partition. It's up to you.

***Final Notes...:
-->Again, I did a "ext3grep --restore-all /dev/sda3" command from the partition that had plenty of free space (i.e. 50gb) to restore the 30 gb worth of deleted files (and that ext3grep --restore-all /dev/sda3 command was run in the following directory /media/sda7/Yikes ).

-->Remember to unmount the /dev/sda3 partition (i.e. the partition that has the deleted files). DO NOT MOUNT /devs/sda3 when running the ext3grep --restore-all command. The ext3grep documentation states you don't want to write anything to that partition because you run the risk of writing over files or directories that could be recovered.

-->This ext3grep utility saved me Big Time!! 4 to 5 months of work restored because of this utility. You can get it from Synaptic Package Manger searching for ext3grep.
I'm not an expert, but you can pass this along as you like. Hope it helps someone the way it helped me!!!
Whoever created this ext3grep program, THANK YOU!!!
 
Old 05-25-2010, 03:00 PM   #2
rweaver
Senior Member
 
Registered: Dec 2008
Location: Louisville, OH
Distribution: Debian, CentOS, Slackware, RHEL, Gentoo
Posts: 1,833

Rep: Reputation: 163Reputation: 163
Ext3grep is an excellent utility and with images and documents and some data types that have consistent starts and endings often a data slicer can recover vast amounts of data also... the manual way of constructing it from blocks using various tools in the sleuth kit/et all really rather suck. Sometimes you can find journal entries referencing your file though which makes things far easier.

Good job You've done something the ext3 devs said wasn't possible!
 
Old 05-26-2010, 06:06 AM   #3
rtoney5
Member
 
Registered: Oct 2007
Location: FL, US
Distribution: Ubuntu MintLinux-XFCE, Mint7, Parted Magic, PCOS OpenWorkstation, OpenSuse-11
Posts: 131

Original Poster
Rep: Reputation: 17
Hey Thanks rweaver. I think what helped is that I mostly kept my massive multi gigabyte VirtualBox .vdi files on the partition I was using. Maybe 10 or 12 files I had in all on that partition, so it was easier to keep track. But nothing is more safe than "frequent" backups. I had to learn that the hard way, but learn I did.
 
Old 05-26-2010, 03:00 PM   #4
rweaver
Senior Member
 
Registered: Dec 2008
Location: Louisville, OH
Distribution: Debian, CentOS, Slackware, RHEL, Gentoo
Posts: 1,833

Rep: Reputation: 163Reputation: 163
Backups are *far* superior to data recovery. You have no idea how often I've seen people with no backups freaking out when the 'critical' system they've never backed up had a hard drive error and died. End up spending obscene amounts of money on data recovery... yet they're completely unwilling to spend time or money on setting up a good backup system until it happens. It's very frustrating when you know what is going to happen and can make it completely preventable... but can't.
 
Old 05-27-2010, 08:13 AM   #5
rtoney5
Member
 
Registered: Oct 2007
Location: FL, US
Distribution: Ubuntu MintLinux-XFCE, Mint7, Parted Magic, PCOS OpenWorkstation, OpenSuse-11
Posts: 131

Original Poster
Rep: Reputation: 17
Yes, take from someone stayed up until 3:00 a.m. because i wouldn't do a simple cp from one disk to another. Ironically this all happened because I installed "Webmin" (great tool) on all of my virtual and physical machines. This partition was the last one I had to do a backup for. I was trying to remove some older .vdi's I didn't need on that partition because it would take up more space on my destination drive.
I did the initial (important directory/file) backups for all of my machines and was going to setup a schedule within Webmin.
But you know, I'm actually glad this happened to me. Like you said, people dont't think about it until it's too late.
I've learned my (backup) lesson!!
 
1 members found this post helpful.
Old 06-12-2010, 01:41 AM   #6
ronlin
LQ Newbie
 
Registered: Jun 2010
Location: indonesia,surabaya
Distribution: Ubuntu 9.04 & 9.10
Posts: 1

Rep: Reputation: 0
failed to recover my virtual box

hello
i follow all your intruction and i have external hard drive with a FAT format to recovery my virtual box data.
but when i run the command, i got warning message aborted (core dumped), maybe you can help me to solve this problem???

thanks 4 all
ronny
 
Old 06-13-2010, 01:35 PM   #7
rtoney5
Member
 
Registered: Oct 2007
Location: FL, US
Distribution: Ubuntu MintLinux-XFCE, Mint7, Parted Magic, PCOS OpenWorkstation, OpenSuse-11
Posts: 131

Original Poster
Rep: Reputation: 17
Hello Ronlin:

Can you run the following command and paste it in your reply...:

df -h

and also paste the ext3grep command you are entering in that gives you the error message.

I'm not an expert, but I think you may need to use a recovery file format of ext3 instead of vfat.

Either mount an external drive that has ext3 file format, or backup your external drive's data that contains the vfat data to another drive, and if you have the knowledge how to do it, change your external drive to shrink the vfat partition and create a big enough ext3 partition to recover your virtual box file(s).
I'd say go with the easiest option and use an external drive that has ext3 filesystem type.
 
Old 01-11-2013, 02:31 AM   #8
hanuma19
LQ Newbie
 
Registered: Jan 2013
Posts: 1

Rep: Reputation: Disabled
Thumbs up

rtoney it's great- thanks for the info i have recovered my lost files(5 days effort). you saved 5 days in my life .
 
Old 01-14-2013, 05:19 AM   #9
rtoney5
Member
 
Registered: Oct 2007
Location: FL, US
Distribution: Ubuntu MintLinux-XFCE, Mint7, Parted Magic, PCOS OpenWorkstation, OpenSuse-11
Posts: 131

Original Poster
Rep: Reputation: 17
Wink

Glad to have helped. Thanks.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
How to recover deleted Files sundar_reddy Linux - Software 2 10-25-2007 06:00 PM
recover deleted files ashishjen Linux - Newbie 5 02-02-2007 02:23 PM
How to recover deleted files? SentralOrigin Linux - General 11 01-25-2007 06:31 PM
How do I recover deleted files? Hector404 Linux - General 5 12-27-2005 01:35 AM
Recover deleted files markdw Linux - General 1 12-07-2001 04:08 PM


All times are GMT -5. The time now is 05:37 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration