written by Oliver Diedrich (firstname.lastname@example.org)
This text describes the steps needed do recover the data of a file that was recently deleted. It is neither a complete usage instruction for the e2undel and debugfs tools nor does it explain the backgrounds of file undeletion on the ext2 filesystem.
First of all: Immediately unmount the file system the deleted file was located on. This minimizes the risk that the data of the deleted file are overwritten while taking steps to recover them. All data written to the file system containing the deleted file - either by you or by any other process running on your machine - might overwrite some of the data you want to recover!
If you can't unmount the file system, e.g. because the deleted file was located on your root file system, you should consider to shut down the computer, remove the hard drive and put it into another Linux machine. Probably, you will have to compile and install some software, such possibly destroying the data you want to recover.
I strongly suggest this option if either the deleted data are so important that you don't want to take any unnecessary risk to loose them, or if the file system has very few unused space available (less then 20 percent or less than 100 MByte), or if the file is larger than 48 kByte: If few free space is available on the file system, ext2 might choose to store new data in areas that were recently used by deleted files; and if the file is larger than 48 kBytes, its data may be distributed across the file system, such enhancing the risk of overwriting parts of the deleted data with new files. It is your decision; but you have been warned.
If you are in the very unpleasant situation that you neither can use your system without the file system containing the deleted file nor have another Linux machine available, I strongly suggest to create a RAM disk to build and install the necessary software. With kernel 2.4, it is quite easy: Just do a mount tmpfs /mnt -t tmpfs. This will create a dynamically growing RAM disk on directory /mnt.
Especially if you can't unmount the file system containing the deleted data, debugfs is a less comfortable, but usable alternative if it is already installed on your system. (If you have to install it, you can use the more comfortable e2undel as well.) Just try a
/sbin/debugfs deviceReplace device by your file system, e.g. /dev/hda1 for the first partition on your first IDE drive. At the "debugfs:" prompt, enter the command
lsdelAfter some time, you will be presented a list of deleted files. You must identify the file you want to recover by its owner (2nd column), size (4th column), and deletion date. When found, you can write the data of the file via
dump <inode_number> filenameThe inode_number is printed in the 1st column of the "lsdel" command. The file filename should reside on a different file system than the one you opened with debugfs. This might be another partition, a RAM disk or even a floppy disk.
Repeat the "dump" command for all files that you want to recover; then quit debugfs by entering "q".
e2undel works in a similar way, using the same deleted file detection routines, but provides a somewhat friendlier user interface and some additional help to identify the files you want to recover.
Download the sources from sourceforge.net/projects/e2undel. Don't save the tgz file found there on the file system with the deleted file! (You should have unmounted it, do you remember?) Use a different file system or a RAM disk.
Now build e2undel: Untar the tgz file (tar xzf e2undel-nnn.tgz), change to the resulting e2undel directory, and do a simple make in that directory. If erverything works fine, this will result in an executable e2undel binary. Again, even if it annoys you, this old warning about file systems containing deleted files that are not unmounted (just skip to the next paragraph if you are not concerned): Building the program will create some object files in the e2undel directory and some temporary compiler files in /tmp. Each of these files could overwrite the data you want to recover...
If the compiler complains about missing header files or unknown variable types, you probably lack the e2fsprogs include files. They usually are included in your Linux distribution, hidden in a package named e2fsprogs-devel, ext2fs-devel or something similar. Simply install this package from your distribution, or from the web. Attention: This rpm will install a lot of files in your /usr file system.
If this does not not work for you not or your system is not rpm based, you have to download the source code of Ted Ts'o's Ext2 Filesystem Utilities, untar the tgz file, build and install at least the ext2fs library contained within, and change the path to the ext2 related header files in e2undel's e2undel.h file. Attention: Just the tgz file contains about 1000 files, summing up to 6 MByte (without even having started the compiler). If you have to install and build the ext2fs library on the file system containg your deleted file: This is the point you seriously should think about doing all the build stuff on another machine.
The synopsis of e2undel is
e2undel -d device -s path [-a] [-t]-d: file system where to look for deleted files (e.g., /dev/hdb1 for the 1st partition on the 2nd IDE drive)
The -a option always must be given in your situation, and the -t option will help you a lot in finding the files you want to recover.
Suppose, your system uses two partitions, one (let's say, /dev/hdb5) is mounted on /, the other one (let's say, /dev/hdb6) is mounted on /home. You as user foo just deleted a file in your home directory and noticed your error. You have logged out, logged in as root and unmounted the /home partition.
e2undel -d /dev/hdb6 -s /tmp -a -twill scan your home partition for deleted files, and present you a table like this:
user name | 1 <12 h | 2 <48 h | 3 <7 d | 4 <30 d | 5 <1 y | 6 older -------------+---------+---------+---------+---------+---------+-------- foo | 10 | 72 | 33 | 28 | 384 | 0 bar | 0 | 83 | 48 | 35 | 114 | 0 Select user name from table or press enter to exit:Enter your user name ("foo"), then choose the time interval when you deleted the file (1: within the last 12 hours; 2: more then 12, but less then 48 hours ago; 3: more than 2, but less than 7 days ago; etc). You will get a list similar to this:
inode size deleted at name ----------------------------------------------------------- 184219 7240 Dec 9 18:14 2001 * data 184231 2192 Dec 9 18:14 2001 * ASCII C program text 184233 42024 Dec 9 18:28 2001 * application/x-gzip 184235 1520 Dec 9 18:28 2001 * text/html 184237 1780 Dec 9 18:28 2001 * ASCII text 184239 0 Dec 9 16:18 2001 * empty 184246 30032 Dec 9 16:18 2001 * data 202733 1344 Dec 9 12:51 2001 * ASCII English text 217164 7404 Dec 9 17:58 2001 * image/jpeg 217165 13998 Dec 9 17:58 2001 * ASCII text Select an inode listed above or press enter to go back:Choose the file you're interested in by size, deletion data, and file type (displayed in the "name" column). After entering the inode number, the file is automatically named after its inode number and the file type and stored in the directory you entered with the "-s" option when starting e2undel (e.g., /tmp/inode-217165-ASCII_text). Repeat for all files you want to recover, then press Enter two times to go back to the table and then exit e2undel.
The file type is determined by the mechanism the file(1) program uses. "data" means that no specific file type has been found: Either, it is a file type not known by the program, or the file contains some random binary data.
The data of files printed in red are partly overwritten. e2undel will give its best, but expect the resulting files to be corrupted. However, a large text file might be of use even if it partly contains garbage.