Tuesday, August 09, 2011

How to undelete files from ext3/ext4

Sometimes, especially on the command line, it happens that you delete a file or directory you didn't really plan to delete. A second after hit enter you realize what you have done, maybe you are fast enough to stop the deletion process and save some files, but in the most cases it's already to late, at least for some files.  If you have no or a too old backup you're screwed. 
If you use ext3/ext4 you may be able to recover the file with ext3grep or extundelete with information from the file system journal if the content of the file wasn't already overwritten by new data. 
The first step should be to stop all writing processes on the related partition and unmount that partition as soon as possible. Now you have the choice: if your partition uses ext4 you have to use extundelete, if it's ext3 you can use also ext3grep. Personally, I prefer extundelete, since it supports both file systems and seems on one hand much faster to me than ext3grep and it's also easier to use on the other hand. Due to that, the following examples are for extundelete (you can find a ext3grep How-To here).
If you know the path and the name of the file (let's assume it's /home/tux/cv.tex and /dev/sda4 is mounted to /home) you deleted, switch to root and go to a partition with enough free space to store the deleted files. Then:
# extundelete need the relative file path 
me:/tmp # extundelete --restore-file tux/cv.tex /dev/sda4
As soon as extundelete finished, you'll find the recovered file in /tmp/RECOVERED_FILES/tux/ .
If you deleted more than one file in a directory or a directory itself, you can use --restore-directory :
# extundelete need the relative dir path 
me:/tmp # extundelete --restore-directory tux/Documents/tex/ /dev/sda4
There are some more useful options as --restore-all , --restore-files, --after 'dtime' or --before 'dtime', but in the most cases the two examples above should be enough. You can find both tools in my buildservice repository.