|
Recover deleted files from ext3 filesystem
Hello. I have accidentally deleted some files off of an ext3 filesystem and I am willing to jump through some hoops and / or shell out some $$$ to get them back. I have already searched this topic on this forum and throughout the internet, and have found various sources of information. Some state that it is impossible to restore files on an ext3 filesystem, but it is not ... I already have restored some files and data.
Other posts recommended using the strings command as follows: cat /dev/sda8 | strings > stringsfile.txt So far, the "stringsfile.txt" file is 8 GB and rising, has many repeats of the same line over and over, but it also contains some of the textual data and email messages I want to attempt to recover. I have also encountered a product called 'foremost' which appears to be able to pick out image and .doc files out of a filesystem image by searching for their signatures. I have run this tool, and recovered some of my images. However, only some of the images appear correct. For others, the first 30 or so "rows" of the image show up, but the rest of it appears like a snowy TV set. I also encountered various commercial products that claim they can recover lost files out of an ext3 filesystem. However, they all run on windows. Does anybody know of a utility to recover ext3 files that runs on a Linux desktop? If not, does anybody have a recommendation for a product that runs on windows, but can examine a ext3 filesystem and recover deleted files off of it? Has anybody used any of these products and had success with them? Thanks. |
Forgot to mention:
1. When I ran 'foremost' I ran it with the -q (quick) option enabled. I will try it again without that option once 'strings' is done. 2. Once I was aware that I had deleted files I didn't want to delete, I rebooted into single user mode and unmounted the filesystem that has the files I want to recover on it, to avoid making any more changes to that filesystem. |
I would try PhotoRec:
http://www.cgsecurity.org/wiki/PhotoRec I was actually looking for testdisk; I thought that was something for you but then I ran into that PhotoRec and it looks better; not sure whether it's as good as promised, though, I've never used it. |
Some solutions ... Some questions
I have had some sucsess restoring files deleted by 'rm -rf /home/dir' on ext3. However, the process was not straight forward, time consuming, and I did not get all the files I hoped it would. I ended up purchasing a second hard-drive and installing Fedora Core 6 on it, plus I have a second computer running Windows XP. I had to swap the orriginal drive containing lost files back and forth between these two PC's while attempting to recover the deleted files.
My understanding of the problem is that ext3 overwrites information that describes the physical hard-disk location(s) of the particular file. Thus, I have only had sucess with restoration software that scans the partition in whole chunks and searches for patterns or "headers" enbedded in these chunks. Here are my results: Windows Software: ----------------- 1. Disk Internals Linux Recovery http://www.diskinternals.com/linux-recovery/ I was able to see the directory and file names of files that were deleted, but they were all zero byte files, and I couldn't restore them. Had to leave this running overnight. 2. Stellar Phoenix Linux http://www.stellarinfo.com/linux-data-recovery.htm I was able to bring back some multimedia files (Images, Movies, MP3's) and Word .doc files, and other files that have enough of a signature in them to be detectable. Unfortunately, the file names and directory structure was not restored by this product. The restored files all had names similar to 83772928.gif . 3. Nucleus Kernel Linux http://www.nucleustechnologies.com/L...-Software.html I wasn't able to see anything in the list of recoverable files using this software. The only files it listed were ones that were not deleted. But perhaps I was using it wrong. Linux Software: --------------- 1. Foremost: http://foremost.sourceforge.net/ I was quite sucsessful with this program. It restored allot of multimedia files and .doc files, but the directory structure and files names were all similar to /gif/83772928.gif . 2. Photorec http://www.cgsecurity.org/wiki/PhotoRec The results were quite similar to those produced by Foremost or Stellar Phoenix Linux. However, it also restored some .tar and .gz files, which is more along the lines of what I need. --- With the above software and the "strings" command, I was able to get back some info and records that were in plain text that I needed. Fortunately, I had a backup of most of my Multimedia and .doc MS Word files. What I didn't have a backup of was: .tar.gz files .thunderbird Email repository Questions: ---------- 1. Does anybody have any advice on recovering deleted .tar.gz files and the .thunderbird directory? 2. Does anybody know how to setup a filesystem so that undeleting is easy if it is done fast enough? Can an ext3 filesystem be setup this way, or should I use a filesystem like ext2 or ReiserFS? Thanks. |
You really have to use plain vanilla ext2 file systems to have any success, or have your /home directory as a fat32.
If you are using Linux as your O.S.; set it up as you like, then don't f*ck with it. If you want to experiment and have "fun", set up a separate Linux installation, or as many as you like, and boot with grub. Only when you are sure of the changes should you change your default installation. The most robust and understandable multi-boot set-up for Linux is to have one "/boot" partition located on the first hard drive as the second primary partition with grub installed into that hard drive MBR pointing to that "/boot" partition. Then manually copy the kernels and initrds into separate directories located on that /boot partition. So, the "/boot" directory/partition will have a default set of kernels and default boot located in the root of the /boot partition. The others will have directories labeled for the specific distros: ie. /debian /puppy /damnSmallLinux /[whatever distro you are playing with] /grub vmlinuz->linux-whatever.kernel.in.your.default.distro initrd.whatever.kernel.in.your.default.distro system.map.of.your.default.distro [Get the idea?] The /grub/menu.lst will take entries which contain a relative path to whatever kernel/distro you wish to boot. With the proper entries, after the kernel and initrd load into ram; the "pivot_root" command is run, and the kernel will read the system map and other configuration files from the "/" {root of the other installed distro} including the configuration files that are located in the specific "/boot" directory on the specific distro installation. Eqwatz |
Quote:
I'm trying to recover a ext3 partition. The cause for the corruption, was that ive deleted all the folders except the /home ... Well now i cant even mount the disk and e2fsck gives me a bunch of errors, even using the backup superblocks Code:
[admin@myasus root]$ fsck.ext3 -b 32768 /dev/discs/disc0/part5In my search found this sites, may be helpful for somebody Hack 94. Recover Data from Crashed Disks LiveCD - (R)ecovery (I)s (P)ossible Linux rescue system |
Well give the notice here:
WEEEEEE SUCCESS Solution (make backups if you can :p) mke2fs -S /dev/ida/c0d0p7 fsck ... mount :D bahh :scratch: it seems to only recovered some files .... i can see all the folders but some of them are unredable |
When you say "ive deleted all the folders except the /home", how did you do that? What commands did you use? This post is about the fact that ext3 filesystems overwrite the inode data when you delete a file (using the 'rm' command), so it is quite hard to get the file back. If your loss of data comes from some sort of filesystem corruption, the tools I mentioned might not help.
I wish ext3 would make some sort of backup of the inode data when a file is deleted, and delete the backup automatically after it is an hour old or so. Instead of deleting the inode data, it might be better to move it somewhere else (perhaps the Journal space?). According to my research, ext3 wipes the inode data because this is better in terms of recovering from a sudden power loss. Wouldn't relocating the data instead still provide the protection from power loss, and provide the ability to undelete? |
yes it was the old
Quote:
will backup the recovered data, and them I will run again fsck to see if fixes more problems.. |
Well, after some time to relax from the problem
Here i am again :p No, i can see some files 23GB of 250GB. Backed up those files :D Now try to run fsck, but it gives me the Signal 11 (segmentation fault) I'm runing from vmware virtual machine using the RIP live cd. Every time i try it stops in Pass 1: Checking Inodes at 9.1%. I think that i can only see the 23GB because of this (9% of 250GB). -------------------------- Will try now to use boot only with the live cd ... nop same problem with live cd. It seems that the fsck is buggy in the RIP live cd Now with the ubunto image in vmware it is fixing ;) |
Well after a night doing the fsck -yf
there apered a lost+found folder. with all the folders messedup, #1676865 ... BUT ive discovered some files inside them :D THe problem is that they are more than 2000 folders :( But the end is near LOL well instled treesize pro ;) i can see now some files that i were looking for :D I hope that this report help others with the same problem ;) Bye all :P |
Hello again, after a while, ive repaired the disk, runned FSCK a bunch of times
I can now mount even in windows with the EXTFS program :D Now i want to mount in a router (asus wl-500qp) it has a linux os. Problem is the invalid argument thing .... Code:
[admin@myasus root]$ fdisk /dev/discs/disc0/disc The mount version is this Quote:
Quote:
Quote:
RRRRHHHHHH Quote:
|
[QUOTE]In my search found this sites, may be helpful for somebody
I am new to Linux. Is there any GUI program I can use to recover the deleted files? thanks |
Quote:
Yes. Are the ones in this 9 year old thread not GUI? (It's called necro-posting and is poor form on a lot of boards) "new to Linux". Which one? r-linux. photorec. both should be GUI. r-Linux is. |
Quote:
You could try the QPhotoRec GUI application, although I never have. Searching on the web will show you how to install it. Please let us know how you get on. As Habitual mentioned, you should have started a new thread, not relaunched one that was years old. But you weren't to know. Also, for future questions, please tell us which Linux distro and flavour you're using (or add it to your profile and/or signature so that it is readily available). P.S. Welcome to LinuxQuestions. :) |
Quote:
|
| All times are GMT -5. The time now is 02:32 AM. |