Recover deleted .ecryptfs folder using extundelete in Ubuntu
I removed the encrypted folder containing the entire home folder on my laptop.
Disaster.
The backup I had was useless for reasons I won't go into.
(I'm not usually an idiot, though I feel like one right now).
So...
I have been using a live Ubuntu USB drive to try to recover the lost files.
Not having success so far.
Using testdisk, I can only see a single ecryptfs file which I can recover, but I cannot see the deleted home folder or related ecryptfs files.
I think this may be because I am on ext4?
Using extundelete, --restore-all on the root of the drive I get a list of ECRYPTFS_FNEK_ENCRYPTED.LotsofLettersandNumbersHere files but it says 'unable to restore inode' and 'no data found'.
Can anyone guide me here, please?
I'm pretty Linux competent but not familiar with file recovery.
(I cannot post URLs in my first post in this forum; complete the URLs yourselves.)
In case you have not used the file system in the meantime, you can try ext4magic
"http: openfacts2.berlios.de/wikien/index.php/BerliosProject:Ext4magic"
The ecryptfs patch for ext4 is not included in all ext4magic packages.
The simplest way is to try this new TUI on the test boot image.
"http: developer.berlios.de/forum/forum.php?forum_id=35219"
Some screenshots :
"http: openfacts2.berlios.de/wikien/index.php/BerliosProject:Ext4magic-e4m-tui"
Use the "Multi-stage Mode"
To find all ecryptfs files from the restored files, you can use this script
"http: w w w.linux-club.de/viewtopic.php?f=38&t=115191&p=728657#p728657"
Instead of TestDisk, I used PhotoRec. It comes with the TestDisk package and it will essentially find every deleted file that it can in the partition.
./photorec_static instead of ./testdisk_static
double u double u double u dot cgsecurity dot org/wiki/PhotoRec_Step_By_Step has a pretty helpful step by step.
It came up with about 45k .eCryptfs files for me. Don't ask me how to open those files, because I am still working on that. But maybe this will get you a few more files.
Ext4Magic worked like a charm! Much simpler than the method I was using. That is extremely handy. Thank you so much for posting those links. That was huge!
PhotoRec will take a while to run... and it will find you a TON of files. When I ran it the first time, it pulled up 800k+ .txt files, so if you know the extensions of the files you are looking for, I would narrow it down when you run the search.
I just followed the directions for the ext4magic from the site. I found this link was the most helpful place to start.
The only thing I had trouble with was the debugfs -R "dump <8> ... command line...
I had to look up what debugfs did and then I think I ended up doing something like..
debugfs /dev/sda6 and then I got a debugfs prompt below that, which looked like this
debugfs:
and then I think I typed something like "dump <8> /media/481F-E556/journal.copy" and that seemed to put a file named journal.copy on my thumb drive. /media/481f-E556/ was just my PATH... yours will obviously be different.
When you run Ext4Magic, you might want to have its output go to a detachable hard drive or something, because it used up all the storage space it had while on the Live disc. I ended up running it several times, until I realized how it was working. It comes up pretty fast on the screen, so keep an eye out. Once what I was looking for came up, I just Ctrl-Z'd and scrolled back to see where it put the files I wanted, and then I killed the process afterwards.
The only thing I had trouble with was the debugfs -R "dump <8> ... command line...
I had to look up what debugfs did and then I think I ended up doing something like..
debugfs /dev/sda6 and then I got a debugfs prompt below that, which looked like this
debugfs:
and then I think I typed something like.....
But this command is recommended for advanced users.
Anyone who (after accidental deletion of files) has created a copy of the filesystem journal has read the full documentation of ext4magic or already has some experience in restoring deleted files on ext3/4. ;-)
You cannot write to a device. /dev/sdc1 is a block device, not a directory.
If the filesystem is not mounted, you have to mount it first.
Code:
sudo mount /dev/sdc1 /mnt
sudo ext4magic /dev/sda1 -r -d /mnt/RECOVERDIR
robi1
Ok, just saw your post...after my last post.
Thanks... I have mounted the recovery drive and ext4magic seems to be ok with it.
Please see my previous post for current state of play.
All advice much appreciated.
Last edited by ambivalent; 09-07-2012 at 10:35 AM.
sda is unmounted.
Can anyone see where I'm wrong, please?
You write the recovered files to a directory on a mounted filesystem, but
ext4magic reads directly from the raw data on a device.
This filesystem should not be mounted (or at most mounted read-only).
Yes, that's sure what it sounds like ... but target drive sda is not mounted, and I still get the same return when I run ext4magic;
Filesystem in use: /dev/sda1
If I run - sudo umount /dev/sda -
I get; /dev/sda unmounted
but target drive sda is not mounted, and I still get the same return when I run ext4magic;
Filesystem in use: /dev/sda1
If I run - sudo umount /dev/sda -
I get; /dev/sda unmounted
I can not see your problem:
Code:
# ext4magic -r /dev/sda6 -d /tmp/RECOVER
"/tmp/RECOVER" accept for recoverdir
Filesystem in use: /dev/sda6
Using internal Journal at Inode 8
Inode 2 is allocated
-------- /tmp/RECOVER/rob/.mozilla/firefox/3f84tiip.default/.parentlock#
-------- /tmp/RECOVER/rob/.mozilla/firefox/3f84tiip.default/lock
-------- /tmp/RECOVER/rob/.mozilla/firefox/3f84tiip.default/places.sqlite-journal
ext4magic says: "I accept the directory to write the files"
then ext4magic says: "I use the filesystem on /dev/sda6"
next: "I use the internal filesystem journal at inode 8"
and then: "Inode 2 (this is the root inode of this filesystem) is allocated (it is not deleted)"
Then come the first reports of recovered files.
All of these are messages from ext4magic, and there is no "Error:" and no "Warning:"
Where is your problem ?
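
The rules discussed in this thread (the source filesystem unmounted or at most read-only, the recovery target a directory on a different mounted filesystem, never a block device) can be checked before ext4magic is started. The script below is an added example and not part of any post in the thread; the function names are hypothetical and the mount table is constructed sample data in /proc/mounts format, using device names from the thread.

```bash
#!/bin/sh
# Added example (not from the thread): preflight checks before an ext4magic run.
# Function names are hypothetical; the mount table below is constructed sample data.

# Print a constructed /proc/mounts-style table for a live-USB session.
sample_mounts() {
cat <<'EOF'
/dev/sdb1 /cdrom vfat ro,noatime 0 0
/cow / overlay rw,relatime 0 0
/dev/sdc1 /mnt ext4 rw,relatime 0 0
/dev/sda6 /media/old ext4 ro,relatime 0 0
/dev/sda5 /home ext4 rw,relatime 0 0
EOF
}

# mount_state DEVICE [TABLE] -> unmounted | ro | rw (rw wins if mounted twice)
mount_state() {
    awk -v dev="$1" '
        $1 == dev { s = (("," $4 ",") ~ /,rw,/) ? "rw" : (s == "" ? "ro" : s) }
        END { print (s == "" ? "unmounted" : s) }' "${2:-/proc/mounts}"
}

# target_device DIR [TABLE] -> device of the longest mount point containing DIR
target_device() {
    awk -v dir="$1" '
        { mp = $2; prefix = (mp == "/") ? "/" : mp "/"
          if (index(dir "/", prefix) == 1 && length(mp) >= n) { n = length(mp); best = $1 } }
        END { print best }' "${2:-/proc/mounts}"
}

# preflight SOURCE_DEVICE RECOVER_DIR [TABLE] -> 0 if the run is safe to start
preflight() {
    case "$2" in /dev/*) echo "refuse: $2 is a device, not a directory"; return 1 ;; esac
    if [ "$(mount_state "$1" "$3")" = "rw" ]; then
        echo "refuse: $1 is mounted read-write; unmount or remount it read-only"; return 1
    fi
    if [ "$(target_device "$2" "$3")" = "$1" ]; then
        echo "refuse: $2 lives on $1; recovered files would overwrite deleted data"; return 1
    fi
    echo "ok: read $1, write to $2"
}

# Demo on the constructed table.
demo_table=$(mktemp); sample_mounts > "$demo_table"
preflight /dev/sda1 /mnt/RECOVERDIR "$demo_table"
preflight /dev/sda1 /dev/sdc1 "$demo_table" || true
rm -f "$demo_table"
```

Called without the third argument, the functions read the live /proc/mounts instead of the sample table.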