How to Recover Deleted Files when rm command was used (I recovered using ext3grep)
I thought I'd share this with anyone who made the same mistake I did when using the rm -r command on Linux (my distro is Ubuntu-9.10).
I'll spare you the sob story details, but in summary, I wiped out 60% of my VirtualBox .vdi files on one of my partitions. The file sizes ranged from 3gb to 9gb files. (I did have some backups, but from 4 months ago.) Needless to say I'll be backing my files up more often (especially my Virtual Image .vdi files). So here are the steps...: [Look, I know it seems like a lot of steps, but it's worth it in the end!!]
(By the way, these are all ext3 filesystems. I would imagine you could recover fat32 [Windows] type filesystems too, but I just did this under Linux filesystems.)
1--> If you find you've deleted any files, try to unmount the partition. (In my case it was an external 2 1/2 hard drive; the command used to unmount is sudo umount /dev/sda3)
1b--> If you only have one partition, then I'd suggest shutting down your computer and putting a Live CD in it (preferably the Ubuntu Live CD).
2--> Whether 1 or 1b applies to you, install ext3grep from Synaptic or any package manager. (If you had to reboot via a Live CD, make sure you unmount the partition that has the deleted files, for example umount /dev/sda1, or in my case it was umount /dev/sda3.) If you're on the LiveCD of Ubuntu, I believe it will let you install the ext3grep package using Synaptic Package Manager and it will put it in RAM under the Live Desktop Session.
3--> Now here's the important part before you proceed any further. If the partition that has the deleted files is taking up 30gb (yes 30gb used space), then you have to mount an existing partition GREATER than 30gb ***FREE*** SPACE. I happened to have another partition /media/sda7 already mounted that had 50 gb free.
So at this point, you must go to any directory under your recovery partition (I'm referring to my 50gb partition /media/sda7). To do this, run the command cd /media/sda7; now you're in your recovery partition. You can make a new directory if you want, or just use any existing directory on the /media/sda7 partition. (I made a directory, something like mkdir ./Yikes) So I get into the directory by cd /media/sda7/Yikes, then run the following command....:
ext3grep --restore-all /dev/sda3
4--> ***Keep in mind, you just ran that command from the /media/sda7/Yikes directory on your recovery partition. ***This will create a folder called "RESTORED_FILES" under/in the Yikes Directory.*** The ext3grep command you just submitted will try to recover every single file on that partition that has the deleted files (i.e. /dev/sda3). There is a way to restore single files and their paths, but I got frustrated and just did a full restore.
5--> Depending on the partition size and number of files, it could take 30 minutes to 2 hours or more before you start to see messages in the terminal screen saying "Restored file... Abc.txt or sam.jpg". Let it finish!!!
At first you will see it saying "Group 1, Group 2" and crazy characters going across the screen; that's normal. You know it's beginning the actual restore process when you start to see "Restored file...".
6--> At this point you can open a DIFFERENT terminal screen and do cd /media/sda7/Yikes/RESTORED_FILES to see the files being restored under the various directories. This does work because I was able to restore at least 25gb worth of files. Again, file sizes ranged from 3gb to 9gb!!
7--> Final step when the 1st terminal screen is done restoring the files, you can either open them up from the /media/sda7/Yikes/RESTORED_FILES directory to check them out, or you can copy them back to where they were deleted before.
***BUT I WOULD SAY TO MAKE A BACKUP OF THE RESTORED FILES, or keep the restored files in the /media/sda7 partition. It's up to you.
-->Again, I did a "ext3grep --restore-all /dev/sda3" command from the partition that had plenty of free space (i.e. 50gb) to restore the 30 gb worth of deleted files (and that ext3grep --restore-all /dev/sda3 command was run in the following directory /media/sda7/Yikes ).
-->Remember to unmount the /dev/sda3 partition (i.e. the partition that has the deleted files). DO NOT MOUNT /dev/sda3 when running the ext3grep --restore-all command. The ext3grep documentation states you don't want to write anything to that partition because you run the risk of writing over files or directories that could be recovered.
-->This ext3grep utility saved me Big Time!! 4 to 5 months of work restored because of this utility. You can get it from Synaptic Package Manager by searching for ext3grep.
I'm not an expert, but you can pass this along as you like. Hope it helps someone the way it helped me!!!
Whoever created this ext3grep program, THANK YOU!!!
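The two conditions the post above stresses (source partition unmounted, recovery directory with more free space than the data to restore) can be checked before ext3grep starts. This is an added example, not part of the original post; the function names and the MOUNTS variable are hypothetical, and the device and directory names in the usage comment are the post's own.

```sh
#!/bin/sh
# Added example: pre-flight checks before running ext3grep --restore-all.
# Function names and MOUNTS are hypothetical, not part of ext3grep.

MOUNTS=${MOUNTS:-/proc/mounts}   # mount table to consult (overridable)

# is_mounted DEVICE: succeed if DEVICE is listed as a mounted source.
# Matches the literal device path only, not UUID= or label aliases.
is_mounted() {
    awk -v dev="$1" '$1 == dev { found = 1 } END { exit !found }' "$MOUNTS"
}

# has_room NEEDED_KB DIR: succeed if DIR's filesystem has more than
# NEEDED_KB kilobytes available. Fails closed if df cannot read DIR.
has_room() {
    avail=$(df -Pk "$2" 2>/dev/null | awk 'NR == 2 { print $4 }')
    [ -n "$avail" ] && [ "$avail" -gt "$1" ]
}

# recover DEVICE DEST_DIR NEEDED_KB
# Returns 1 if DEVICE is still mounted, 2 if DEST_DIR is too small.
recover() {
    dev=$1; dest=$2; need_kb=$3
    if is_mounted "$dev"; then
        echo "refusing: $dev is mounted; run umount $dev first" >&2
        return 1
    fi
    if ! has_room "$need_kb" "$dest"; then
        echo "refusing: $dest has less than $need_kb KB free" >&2
        return 2
    fi
    # ext3grep creates RESTORED_FILES in the current directory, so run it
    # from the recovery directory. The subshell keeps the caller's cwd.
    ( cd "$dest" && ext3grep --restore-all "$dev" )
}

# Usage with the post's names (30 GB used on the source, expressed in KB):
#   recover /dev/sda3 /media/sda7/Yikes 31457280
```

Because the source device must be unmounted, the recovery directory can never sit on the partition being recovered, which is the overwrite risk the post warns about.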
Ext3grep is an excellent utility, and with images and documents and some data types that have consistent starts and endings, often a data slicer can recover vast amounts of data also... the manual way of constructing it from blocks using various tools in the Sleuth Kit et al. really rather sucks. Sometimes you can find journal entries referencing your file though, which makes things far easier.
Good job! You've done something the ext3 devs said wasn't possible!
Hey Thanks rweaver. I think what helped is that I mostly kept my massive multi gigabyte VirtualBox .vdi files on the partition I was using. Maybe 10 or 12 files I had in all on that partition, so it was easier to keep track. But nothing is more safe than "frequent" backups. I had to learn that the hard way, but learn I did.
Backups are *far* superior to data recovery. You have no idea how often I've seen people with no backups freaking out when the 'critical' system they've never backed up had a hard drive error and died. End up spending obscene amounts of money on data recovery... yet they're completely unwilling to spend time or money on setting up a good backup system until it happens. It's very frustrating when you know what is going to happen and can make it completely preventable... but can't.
Yes, take it from someone who stayed up until 3:00 a.m. because I wouldn't do a simple cp from one disk to another. Ironically this all happened because I installed "Webmin" (great tool) on all of my virtual and physical machines. This partition was the last one I had to do a backup for. I was trying to remove some older .vdi's I didn't need on that partition because it would take up more space on my destination drive.
I did the initial (important directory/file) backups for all of my machines and was going to set up a schedule within Webmin.
But you know, I'm actually glad this happened to me. Like you said, people don't think about it until it's too late.
I've learned my (backup) lesson!!
I follow all your instructions and I have an external hard drive with a FAT format to recover my VirtualBox data.
But when I run the command, I got the warning message aborted (core dumped). Maybe you can help me to solve this problem?
Can you run the following command and paste it in your reply...:
and also paste the ext3grep command you are entering in that gives you the error message.
I'm not an expert, but I think you may need to use a recovery file format of ext3 instead of vfat.
Either mount an external drive that has ext3 file format, or backup your external drive's data that contains the vfat data to another drive, and if you have the knowledge how to do it, change your external drive to shrink the vfat partition and create a big enough ext3 partition to recover your virtual box file(s).
I'd say go with the easiest option and use an external drive that has ext3 filesystem type.