LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 09-04-2012, 04:53 AM   #1
ambivalent
LQ Newbie
 
Registered: Sep 2012
Posts: 12

Rep: Reputation: Disabled
Recover deleted .ecryptfs folder using extundelete in Ubuntu


Hi to all,

My first post on these forums, though I have often found useful info here in the past. So thanks for that already.

Here's my sad (so far) tale...

I did a dumb thing.

Following this;
https://help.ubuntu.com/community/En...irectory_Setup

I removed the encrypted folder containing the entire home folder on my laptop.
Disaster.

The backup I had was useless for reasons I won't go into.
(I'm not usually an idiot, though I feel like one right now).

So...
I have been using a live ubuntu usb drive to try to recover the lost files.
Not having success so far.

Using testdisk, I can only see a single ecryptfs file which I can recover, but I cannot see the deleted home folder or related ecryptfs files.
I think this may be because I am on ext4?

Using extundelete, --restore-all on the root of the drive I get a list of ECRYPTFS_FNEK_ENCRYPTED.LotsofLettersandNumbersHere files but it says 'unable to restore inode' and 'no data found'.

Can anyone guide me here, please?
I'm pretty linux competent but not familiar with file recovery.

Thanks.
 
Old 09-04-2012, 09:30 PM   #2
robi1
LQ Newbie
 
Registered: Sep 2012
Posts: 10

Rep: Reputation: Disabled
(can not post URLs at my first post in this forum, complete the URLs themselves.)

In case you have not used the file system in the meantime, you can try ext4magic
"http: openfacts2.berlios.de/wikien/index.php/BerliosProject:Ext4magic"

The ecryptfs patch for ext4 is not included at all ext4magic packages.
The simplest you try this new TUI on the test boot image.
"http: developer.berlios.de/forum/forum.php?forum_id=35219"

Some screenshots :
"http: openfacts2.berlios.de/wikien/index.php/BerliosProject:Ext4magic-e4m-tui"


Use the "Multi-stage Mode"

To find all ecryptfs files from the restored files, you can use this script
"http: w w w.linux-club.de/viewtopic.php?f=38&t=115191&p=728657#p728657"

you'll need good luck, other ways ?????

robi1
 
1 members found this post helpful.
Old 09-05-2012, 03:43 PM   #3
Laocoon
LQ Newbie
 
Registered: Sep 2012
Posts: 3

Rep: Reputation: Disabled
This might help.. it might not.

I did something very similar..

instead of TestDisk, I used PhotoRec instead. It comes with the TestDisk package and it will essentially find every deleted file that it can in the partition.

./photorec_static instead of ./testdisk_static

double u double u double u dot cgsecurity dot org/wiki/PhotoRec_Step_By_Step has a pretty helpful step by step.

It came up with about 45k .eCryptfs files for me. Don't ask me how to open those files, because I am still working on that. But maybe this will get you a few more files.

Cheers,

J
 
Old 09-06-2012, 01:37 AM   #4
Laocoon
LQ Newbie
 
Registered: Sep 2012
Posts: 3

Rep: Reputation: Disabled
Thanks a ton Robi!

Thank You Robi!!!

Ext4Magic worked like a charm! Much simpler than the method I was using. That is extremely handy. Thank you so much for posting those links. That was huge!

Cheers,

J
 
Old 09-06-2012, 03:06 AM   #5
ambivalent
LQ Newbie
 
Registered: Sep 2012
Posts: 12

Original Poster
Rep: Reputation: Disabled
Hey Guys,

Thanks.
I'll have a go at the ext4magic and PhotoRec asap.

Laocoon;
Check this for opening .eryptfs files;
http://blog.dustinkirkland.com/2011/...r-private.html
Hope it helps...
 
Old 09-06-2012, 04:01 AM   #6
Laocoon
LQ Newbie
 
Registered: Sep 2012
Posts: 3

Rep: Reputation: Disabled
The PhotoRep will take a while to run... and it will find you a TON of files. When I ran it the first time, it pulled up 800k+ .txt files so if you know the extensions of the files you are looking for, I would narrow it down when you run the search.

I just followed the directions for the ext4magic from the site. I found this link was the most helpful place to start.

http://openfacts2.berlios.de/wikien/...ject:Ext4magic

The only thing I had trouble with was the debugfs -R "dump <8> ... command line...

I had to look up what debugfs did and then I think I ended up doing something like..

debugfs /dev/sda6 and then i got a debugfs prompt below that that looked like this

debugfs:

and then I think I typed something like "dump <8> /media/481F-E556/journal.copy" and that seemed to put a file named journal.copy on my thumb drive. /media/481f-E556/ was just my PATH... yours will obviously be different.

When you run the Ext4Magic, you might want to have its output file go to a detachable hard drive or something because it used up all the storage space it had while on the Live disc. I ended up running it several times, until I realized how it was working. It comes up pretty fast on the screen, so keep an eye out. Once what I was looking for came up i just crtl-z'd and scrolled back to see where it put the files I wanted and then I killed the process afterwards.

Cheers,

J
 
Old 09-06-2012, 03:48 PM   #7
robi1
LQ Newbie
 
Registered: Sep 2012
Posts: 10

Rep: Reputation: Disabled
Smile

Quote:
Originally Posted by Laocoon View Post
The only thing I had trouble with was the debugfs -R "dump <8> ... command line...
I had to look up what debugfs did and then I think I ended up doing something like..
debugfs /dev/sda6 and then i got a debugfs prompt below that that looked like this
debugfs:
and then I think I typed something like.....
The command on this site is correct,
Code:
linux:~ # debugfs -R "dump <8> /tmp/journal.copy" /dev/sda3
debugfs 1.41.9 (22-Aug-2009)
linux:~ # ls -l /tmp/journal.copy
-rw-r--r-- 1 root root 134217728 Sep  6 21:37 /tmp/journal.copy
But this command is recommended for advanced users.
Who (after accidental deletion of files) created a copy of the filesystem journal, this user has read the full documentation of ext4magic or he has already some experience in restoring deleted files on ext3/4. ;-)

robi1
 
Old 09-07-2012, 09:57 AM   #8
ambivalent
LQ Newbie
 
Registered: Sep 2012
Posts: 12

Original Poster
Rep: Reputation: Disabled
I have ext4magic installed fine to my live pendrive.
I have an ext4 formatted external hard drive to recover to.

I use;
sudo ext4magic /dev/sda1 -r -d /dev/sdc1
I get;
ERROR cannot create the recover directory: /dev/sdc1

or

I use;
sudo ext4magic /dev/sda1 -r -d /dev/sdc1/recover
I get;
ERROR cannot create the recover directory: /dev/sdc1/recover

Sooo close...

Can anyone suggest what I'm doing wrong, please?
Thanks.
 
Old 09-07-2012, 11:17 AM   #9
robi1
LQ Newbie
 
Registered: Sep 2012
Posts: 10

Rep: Reputation: Disabled
Quote:
Originally Posted by ambivalent View Post
I use;
sudo ext4magic /dev/sda1 -r -d /dev/sdc1
I get;
ERROR cannot create the recover directory: /dev/sdc1

or

I use;
sudo ext4magic /dev/sda1 -r -d /dev/sdc1/recover
I get;
ERROR cannot create the recover directory: /dev/sdc1/recover
you can not write to a device. /dev/sdc1 is a blockdevice, and not a directory
if the filesystem not mounted, you have to mount it before
Code:
sudo mount /dev/sdc1 /mnt
sudo ext4magic /dev/sda1 -r -d /mnt/RECOVERDIR
robi1

Last edited by robi1; 09-07-2012 at 11:30 AM.
 
Old 09-07-2012, 11:30 AM   #10
ambivalent
LQ Newbie
 
Registered: Sep 2012
Posts: 12

Original Poster
Rep: Reputation: Disabled
I used;

sudo ext4magic /dev/sda1 -r -d /media/recoverext4/recover

where 'recoverext4' is the name of drive sdc.
And 'recover' the name of the directory I created.

I get;

"/media/recoverext4/recover" - accept for recoverdir
(which sounds good)

but also;

Filesystem in use: /dev/sda1

Using internal Journal at Inode 8

--

sda is unmounted.
Can anyone see where I'm wrong, please?
 
Old 09-07-2012, 11:31 AM   #11
ambivalent
LQ Newbie
 
Registered: Sep 2012
Posts: 12

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by robi1 View Post
you can not write to a device. /dev/sdc1 is a blockdevice, and not a directory
if the filesystem not mounted, you have to mount it before
Code:
sudo mount /dev/sdc1 /mnt
sudo ext4magic /dev/sda1 -r -d /mnt/RECOVERDIR
robi1
Ok, just saw your post...after my last post.

Thanks... I have mounted the recovery drive and ext4magic seems to be ok with it.
Please see my previous post for current state of play.
All advice much appreciated.

Last edited by ambivalent; 09-07-2012 at 11:35 AM.
 
Old 09-07-2012, 12:04 PM   #12
robi1
LQ Newbie
 
Registered: Sep 2012
Posts: 10

Rep: Reputation: Disabled
Quote:
Originally Posted by ambivalent View Post
but also;

Filesystem in use: /dev/sda1

Using internal Journal at Inode 8

--

sda is unmounted.
Can anyone see where I'm wrong, please?
You write the recovered files to a directory on a mounted filesystem, but
ext4magic reads directly from the raw data on a device.
This filesystem should not be mounted. (or maximum read-only mounted)

robi
 
Old 09-08-2012, 04:39 AM   #13
ambivalent
LQ Newbie
 
Registered: Sep 2012
Posts: 12

Original Poster
Rep: Reputation: Disabled
Thanks robi,

Hmmmm...

Yes, that's sure what it sounds like ... but target drive sda is not mounted, and I still get the same return when I run ext4magic;
Filesystem in use: /dev/sda1

If I run - sudo umount /dev/sda -
I get; /dev/sda unmounted

?
 
Old 09-08-2012, 12:00 PM   #14
robi1
LQ Newbie
 
Registered: Sep 2012
Posts: 10

Rep: Reputation: Disabled
Question

Quote:
Originally Posted by ambivalent View Post
but target drive sda is not mounted, and I still get the same return when I run ext4magic;
Filesystem in use: /dev/sda1

If I run - sudo umount /dev/sda -
I get; /dev/sda unmounted
I can not see your problem:
Code:
# ext4magic -r /dev/sda6 -d /tmp/RECOVER
"/tmp/RECOVER"  accept for recoverdir
Filesystem in use: /dev/sda6

Using  internal Journal at Inode 8
Inode 2 is allocated
--------        /tmp/RECOVER/rob/.mozilla/firefox/3f84tiip.default/.parentlock#
--------        /tmp/RECOVER/rob/.mozilla/firefox/3f84tiip.default/lock
--------        /tmp/RECOVER/rob/.mozilla/firefox/3f84tiip.default/places.sqlite-jou
rnal
ext4magic says : "I accept the directory to write the files"
the ext4magic says : "I use the filesystem on /dev/sda6"
the next : "I use the internal filesystem journal at inode 8"
and then "Inode 2 (this is the rootinode of this filesystem) is allocated (it is not deleted)"
then come the first reports of recovered files

All this are messages of ext4magic, and there is no "Error:" and no "Warning:"
Where is your problem ?

robi1
 
Old 09-09-2012, 05:40 AM   #15
ambivalent
LQ Newbie
 
Registered: Sep 2012
Posts: 12

Original Poster
Rep: Reputation: Disabled
Ahh.. I see...
I thought that 'file system is in use' meant ext4magic can't use the drive because it is in use.
But it doesn't mean that.
Ok, thanks.

So, in that case...
Ext4magic is not recovering any files yet for some other reason.

I guess the date time thing?
The data was deleted Mon 3rd September, so I've used;

sudo ext4magic /dev/sda1 -r -a 1346544000 -d media/recoverext4/recover

Return;

--

"media/recoverext4/recover" accept for recoverdir
Filesystem in use /dev/sda1

Using internal Journal at Inode8
Activ time after : Sun Sep 2 00:00:00 2012
Activ time before : Sun Sep 9 09:25:31 2012

--

But no data recovered at all.
Ext4magic stops running almost immediately.
I've also tried '-R' and 'm' but still nothing recovered.

What am I doing wrong?

Last edited by ambivalent; 09-09-2012 at 05:41 AM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
how to recover deleted folder 124vikas.dange@gmail.com Linux - Software 1 09-09-2009 08:21 AM
How do I recover a rm deleted folder? CrownAmbassador Linux - Desktop 13 02-16-2009 04:54 AM
How to recover permanently deleted folder in linux megerdin Linux - Newbie 2 05-06-2008 05:46 PM
I have deleted a folder accidentally? How do I recover it? srikanth_dhondi Linux - Software 2 02-19-2008 07:38 PM
Recover My Deleted File & Folder rajaniyer123 Linux - General 0 03-12-2004 01:51 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie

All times are GMT -5. The time now is 01:55 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration