LinuxQuestions.org
Support LQ: Use code LQ3 and save $3 on Domain Registration
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - General
User Name
Password
Linux - General This Linux forum is for general Linux questions and discussion.
If it is Linux Related and doesn't seem to fit in any other forum then this is the place.

Notices

Reply
 
LinkBack Search this Thread
Old 12-10-2009, 06:26 AM   #1
Imtiaz Deen
LQ Newbie
 
Registered: Jul 2005
Posts: 5

Rep: Reputation: 0
how to recover overwritten file


Hi,

By mistake I had overwrite a file that was filled with important logs
Is there any quick way to recover it?

Following steps taken:
root@# cp xyz_log.today xyz_log.today_2
root@# cp /dev/null xyz_log.today

However xyz_log.today_2 already exists

Any help?
Thanks in advance.
 
Old 12-10-2009, 07:55 AM   #2
bret381
Member
 
Registered: Nov 2009
Location: Alabama
Distribution: Arch x86_64
Posts: 648

Rep: Reputation: 78
midnight commander can recover deleted files, but if it was overwritten I think you are out of luck
 
Old 12-10-2009, 07:59 AM   #3
druuna
LQ Veteran
 
Registered: Sep 2003
Posts: 10,532
Blog Entries: 7

Rep: Reputation: 2371Reputation: 2371Reputation: 2371Reputation: 2371Reputation: 2371Reputation: 2371Reputation: 2371Reputation: 2371Reputation: 2371Reputation: 2371Reputation: 2371
Hi,

If you do not have a backup of the overwritten file you are out of luck....

Remember: Linux and Unix have the "You know what you are doing" philosophy. No "Are you sure" and "Are you really sure" questions by default (opposed to Windows).

If you are worried about this, make an alias for the cp and/or mv commands (in .profile or .bashrc) that includes the -i flag, something like: alias cp='cp -i'. The -i flags does the following: prompt before overwrite.

Hope this helps.
 
Old 12-10-2009, 01:52 PM   #4
jaymarting
LQ Newbie
 
Registered: Apr 2009
Posts: 15
Blog Entries: 7

Rep: Reputation: 0
Travel back in time, create a backup like a good technology professional, and then restore from that backup.
 
0 members found this post helpful.
Old 12-10-2009, 05:39 PM   #5
pixellany
LQ Veteran
 
Registered: Nov 2005
Location: Annapolis, MD
Distribution: Arch/XFCE
Posts: 17,802

Rep: Reputation: 728Reputation: 728Reputation: 728Reputation: 728Reputation: 728Reputation: 728Reputation: 728
Wait!!

Let's think about what it means to "overwrite" a file. If I understand it correctly, the filesystem keeps track of filenames and the location(s) of the data on the disk. If, for example, the file is deleted, the actual data is not erased----the system simply releases the blocks and make them available for new data.

If you attempt to write a file with the same name as one existing, then you are prompted as to whether you really intend to do this. If you say yes, it is not obvious to me that the filesystem will use the same physical locations.

Some simple experiments should be able to confirm...
 
Old 12-11-2009, 04:21 AM   #6
druuna
LQ Veteran
 
Registered: Sep 2003
Posts: 10,532
Blog Entries: 7

Rep: Reputation: 2371Reputation: 2371Reputation: 2371Reputation: 2371Reputation: 2371Reputation: 2371Reputation: 2371Reputation: 2371Reputation: 2371Reputation: 2371Reputation: 2371
Hi,
Quote:
Originally Posted by pixellany View Post
... the filesystem keeps track of filenames and the location(s) of the data on the disk. If, for example, the file is deleted, the actual data is not erased----the system simply releases the blocks and make them available for new data.
That part is true.
Quote:
If you attempt to write a file with the same name as one existing, then you are prompted as to whether you really intend to do this. If you say yes, it is not obvious to me that the filesystem will use the same physical locations.
The bold part is only true if the command/script has been told to do this (using -i with cp/mv or a piece of code that checks the existence of a file and acts accordingly for example).

A simple example:
Code:
$ ls -li lg.lcd.tv.pdf 
48963 -rw-r----- 1 druuna internet 11667921 May 29  2009 lg.lcd.tv.pdf

$ ls -li infile
48964 -rw-r----- 1 druuna internet 92 Dec  8 16:14 infile

$ cat infile
foo
-vertical
foobar
barfoo
.
.

$ debugfs /dev/sdb3
debugfs:  ls -ld
.
  48963  100640 (1)    500    500   11667921 29-May-2009 13:59 lg.lcd.tv.pdf
.

debugfs:  imap <48963>
Inode 48963 is part of block group 3
        located at block 99040, offset 0x0100

debugfs:  quit

$ cp infile lg.lcd.tv.pdf

$ ls -li lg.lcd.tv.pdf 
48963 -rw-r----- 1 druuna internet 92 Dec  8 16:14 lg.lcd.tv.pdf

$ cat lg.lcd.tv.pdf 
foo
-vertical
foobar
barfoo
.
.

$ debugfs /dev/sdb3
debugfs:  ls -ld
.
  48963  100640 (1)    500    500      92  8-Dec-2009 16:14 lg.lcd.tv.pd
.

debugfs:  imap <48963>
Inode 48963 is part of block group 3
        located at block 99040, offset 0x010
The original lg.lcd.tv.pdf is overwritten but still has the same inode index and block group associated with it (= same physical location on disk).

This test is done on an ext3 FS.

Last edited by druuna; 12-11-2009 at 04:27 AM. Reason: Fixed a typo
 
Old 12-11-2009, 08:01 AM   #7
pixellany
LQ Veteran
 
Registered: Nov 2005
Location: Annapolis, MD
Distribution: Arch/XFCE
Posts: 17,802

Rep: Reputation: 728Reputation: 728Reputation: 728Reputation: 728Reputation: 728Reputation: 728Reputation: 728
If you are over-writing a file from the GUI, then you would typically be prompted by default.

My theory is mostly based on over-writing a file with one that is longer, but I have not been able to test it yet.
 
Old 12-11-2009, 08:10 AM   #8
druuna
LQ Veteran
 
Registered: Sep 2003
Posts: 10,532
Blog Entries: 7

Rep: Reputation: 2371Reputation: 2371Reputation: 2371Reputation: 2371Reputation: 2371Reputation: 2371Reputation: 2371Reputation: 2371Reputation: 2371Reputation: 2371Reputation: 2371
Hi,

Quote:
Originally Posted by pixellany View Post
If you are over-writing a file from the GUI, then you would typically be prompted by default.
Which is in the line of my previous reply: The gui (I assume you mean some sort of file manager) is programmed to check this.

Also: I am taking the OP's original post as a starting point (command line, not gui).

Quote:
My theory is mostly based on over-writing a file with one that is longer, but I have not been able to test it yet.
I'm curious what your results will be, please post them if you have done them!
 
Old 12-11-2009, 12:23 PM   #9
pixellany
LQ Veteran
 
Registered: Nov 2005
Location: Annapolis, MD
Distribution: Arch/XFCE
Posts: 17,802

Rep: Reputation: 728Reputation: 728Reputation: 728Reputation: 728Reputation: 728Reputation: 728Reputation: 728
I created a small partition and filled it to about 80% with random files.

I then copied a small file to the partition, and noted the location using
Code:
hexdump -C /dev/sda6|grep -C8 keyword
Then:
1. edited the file to be ~10X larger. Repeated the hexdump and found the old file intact, and the new longer file at a new location

2. changed 1 word in the longer file--keeping the file size the same: The system saved this to another new location---and both of the two older files were still visible in the hexdump.

In all cases, the inode number remained the same.

conclusion: Do not assume that over-writing a file destroys the old file.
 
Old 12-11-2009, 12:26 PM   #10
pixellany
LQ Veteran
 
Registered: Nov 2005
Location: Annapolis, MD
Distribution: Arch/XFCE
Posts: 17,802

Rep: Reputation: 728Reputation: 728Reputation: 728Reputation: 728Reputation: 728Reputation: 728Reputation: 728
PS:
I have not done enough testing to know if the behavior is different when modifying and then copying the file vs simply modifying it in place. My intuition is that it should not matter.
 
Old 12-12-2009, 04:15 AM   #11
druuna
LQ Veteran
 
Registered: Sep 2003
Posts: 10,532
Blog Entries: 7

Rep: Reputation: 2371Reputation: 2371Reputation: 2371Reputation: 2371Reputation: 2371Reputation: 2371Reputation: 2371Reputation: 2371Reputation: 2371Reputation: 2371Reputation: 2371
@pixellany: Nice test, have to try that and have a better look with debugfs.

At first glance it looks like the (data) blocks that the original file used are not necessarily overwritten, but on an active (running) partition they probably will be in a relative short time due to the "defragmentation" mechanism:
Quote:
Modern Linux filesystem(s) keep fragmentation at a minimum by keeping all blocks in a file close together, even if they can't be stored in consecutive sectors. Some filesystems, like ext3, effectively allocate the free block that is nearest to other blocks in a file.
In theory you can probably restore parts (most?/all??) of the overwritten file by immediately "freezing" the partition it happened on, look for and gather the still available blocks and put them back together (possibly filling in the missing gaps yourself). Having just one partition (probably true for most users) makes this a lot harder to do.

Guess the conclusion should be: Yes, (partial) recovery is theoretically possible, but very hard to do in real life.

BTW: I came accross this article: HOWTO recover deleted files on an ext3 file system. Interesting read.
 
Old 03-31-2010, 10:24 PM   #12
frankie_DJ
Member
 
Registered: Sep 2004
Location: NorCal
Distribution: slackware 10.1 comfy, Solaris10 learning
Posts: 232

Rep: Reputation: 30
HOWTO recover overwritten text file, file copied over with cp

Here is my experience.

I accidentaly copied over a text file using cp. This file I've been editing for
about 3 months now, about once per week.

I use reiserfs filesystem and have a separate partition for /home.

I realized the blunder immediately and took the following steps.

1. I became a root, changed to root's home and unmounted the partition:

$sudo su -
#cd
#umount /home

2. Find out which partition is mounted as /home. In my case it was /dev/sda2
so that's what I'm gonna use from this point on.

3. If it's a text file you've been editing yourself, you probably remember some
words that you used. These words you will use as a search pattern to look for
your file (the more specific the better). You also approximately remember the size
of the file - as a number of lines or smtng. Say, you know that the file was about
800lines long and you know for certain you've had the word "soldier" somewhere
in that file.

4. With this information, you will pattern-search your unmounted /home partition
using the following command:

#grep -a -A800 -B800 'soldier' /dev/sda2 | strings > recovered_file

This might take a while.

5. Look thru the file "recovered_file". It will probably be very large. If you've
edited your lost text file more then once, you will for sure find several
instances of the text file you're looking for. A different copy for every time you edited it. You probably want to recover the very last instance.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Attributes of the file which can not be overwritten linuxdoniv Programming 6 08-07-2008 12:51 AM
How can I recover firefox which was overwritten bhatmahesht Linux - Software 1 05-05-2008 05:18 AM
need to recover from disk partion info being overwritten jhoggatt Linux - General 6 03-01-2007 04:59 PM
fstab file being overwritten MacLin Fedora 3 07-26-2004 01:25 PM
Overwritten start of TAR File AllynCarter Linux - General 9 03-22-2002 05:50 AM


All times are GMT -5. The time now is 04:47 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration