undelete text files on Linux ext3 partition
tech tips December 20th, 2005Every once in a while I do something really, really stupid. Like, say, for instance, delete a whole directory of very important code that I'm working on and my last backup is a couple of weeks old (because of a server move and my failure to re-setup my cron backup). How did this happen? Well, for one, I was coding at about 5:30 a.m. before my caffeine had set in, and, secondly, I was rm -rf'ing with tab-completion. Almost instantly after I pressed Enter I realized what I had done. Tragedy. Or so I thought…
In Linux, you can undelete files if you are using the ext2 file system. A very handy tool called debugfs allows you to list files marked as deleted. I'm using the ext3 file system (ext2's successor), so I thought the debugfs solution would work. Unfortunately, ext3 actually zeros out the block pointer (the pointer to the file's data), so reconstructing the file becomes impossible with debugfs.
So, what to do? I had seen some mailing list posts refering to 'grepping' the data from the disk drive. Most everything I lost was code (specifically, Ruby). I attempted to use grep to search my hard disk device (/dev/sda7 in my case), but grep kept erroring out with "memory exhausted" errors. Hrrm.
A rethink of the problem led me to the 'strings' program, which extracts text from files, stdin, or even a disk device. I dumped all text from the disk partition to a text file like so:
#strings /dev/sda7 > /path/to/big_text_file
Note: It is probably a good idea to put the big text file on a separate partition. Otherwise, you risk writing over some of your deleted files on the partition you are attempting to recover from.
I was now able to open the big_text_file in vim and recover all of my deleted code by searching for particular code snippets. It's not ideal, but I was able to recover everything. Instead of losing several days worth of work, I only lost a couple of hours.
And, of course, my backup is re-setup.
June 28th, 2006 at 2:44 am
Hello Mr.Summers,
I have been dashing around for the last couple of hours trying to find out how to recover deleted jpeg files from ext3. I'm not sure how many dozens of discussions I have read, but all say that recovery is impossible. Given that the photos have great sentimental value, I don't want to give up yet. (I cannot recover from the flash card because images have already been saved over the deleted files). I'm not even sure how I erased the files - I was copying the folder from my desktop to be burned onto the CD, overwrote a folder name, and then the photos were gone. I'm using Mandriva 2006, am I bit of newbie and would appreciate any help you could offer.
-Phillip
June 28th, 2006 at 5:09 am
Phillip,
Turns out that anything other than text is a real booger to recover on ext3.
However, you may just be in luck for pictures with this:
PhotoRec - digital picture recovery
It's free and distributed under the GPL.
I've not used this before, so please report back here and tell us all if it worked for you. This particular post is one of the main traffic flows onto my site, so I'm sure there are lots of folks out there interested in your results.
Thanks,
Curt
June 29th, 2006 at 1:43 pm
I spent hours yesterday trying to recover the lost jpegs with PhotoRec - but no luck. However, I'm not so sure that it was the "fault" of PhotoRec. I did find thousands of jpegs that I thought had been deleted from my browser, and I did find a few that I had expunged through the trash folder (photos currently held in the trash bin did not show up). However, I'm not so sure I deleted the files so much as I wrote over them with empty files names. Whatever be the case, they are gone for good. I highly recommend PhotoRec - it can even recover photos from camera memory cards (I had already taken more photos by the time I figured out there was a problem).
June 29th, 2006 at 1:47 pm
Thanks for the report! Sorry it didn't work out for the files you needed.
Curt
April 17th, 2007 at 1:57 am
Sir,
I am trying to use strings but, it complains:
strings: Warning: '/dev/sda2' is not an ordinary file
can you please suggest something.
Regards,
Ravi
April 17th, 2007 at 2:10 am
I wrote an ext3 undelete tool.I tested in Redhat FC 2.
I'll be glad to have your comments and feedback
Link:
https://sourceforge.net/projects/giis
Thanks
April 17th, 2007 at 6:20 am
Ravi,
What version of strings are you using?
$ strings -v
I'm using 2.16.1 and don't have the problem. Maybe you have an older version? Or maybe a newer version has this error message?
May 9th, 2007 at 12:14 pm
Hi,
Just wanted to confirm that this bit of trickery just saved my butt! Lost over two weeks of work but recovered in a little more than a day. Many thanks for the tip!!!
Jon
June 21st, 2007 at 4:54 am
Ravi, or anyone who has the older strings version, try cat /dev/partition | strings > txtfile
July 10th, 2007 at 10:34 pm
wow… what a help… i just deleted my entire ~/www/ directory, while trying to back it up of all things! i have backups of the pictures, and most of the web content, but a cgi script i've been working on for about 10 hours or more was part of the loss. using grep, it seems like it's all there, but i don't have time to fix it tonight. thanks and you're a complete lifesaver!!
October 31st, 2007 at 5:33 am
Thanks for this article to help me find my important files back. I wanna quote this article to my blog. And translate to chinese language. Sure I will put the address of this article in as well. If there has any problem, pls let me know.
Thank you for the help again.
October 31st, 2007 at 6:58 am
[...] 他在这里: http://www.csummers.org/index.php/2005/12/20/undelete-text-files-on-linux-ext3-partition/ 他的开头是这么写的 Every once in a while I do something really, really stupid. Like, say, [...]
November 26th, 2007 at 6:07 pm
Oh, this post has really SAVED me! Thank you.
I stayed up pretty late last night writing a perl script that does some cool text processing on a web log. The script gives some fancy reports like how often a given user returns to your site and other statistics.
I had just finished it, and set up a cronjob to run it daily.
I needed to delete an extraneous file, and intended to re-run the perl script, but what I typed was:
rm Visits..html proclog.pl full carhart-access_log
There should have been a semicolon there.
I deleted my perl script (proclog.pl) and my log file (carhart-access_log) all at once!
The log file was easy enough to get back, since apache was still running and so it still had a handle to the file. The perl script however — Hours and Hours of blood, sweat, and tears, was _gone_.
I poked around online, and found your post. So I mounted my Windoze box's C Drive, executed:
strings /dev/hds1 > /var/tmp/mnt/bigfkenfile
and waited…. The resulting file is 18GB on my Windoze box (which is almost full now). I'm still waiting, but I just grepped for one line from my perl script, and FOUND IT! I am very optimistic now, and have you to thank.
November 27th, 2007 at 10:36 pm
You wouldn't happen to know of a way to recover files from the resulting text file? I accidentally deleted a whole bunch of mp3s and was wondering if you know of any recovery programs (windows probably) that will let you look at a text file?
February 16th, 2008 at 5:00 am
No dice. =/ I guess that since I was working directly on a busy webserver that my Perl files just went *poof!* amidst the massive amount of activity… I've spent hours now just trying to grep through fs dumps of various sorts onto my backup partition and can't find a trace of my code. =/ About 15 minutes from the time I accidentally nuked a maintenance directory of Perl scripts, I found your article - too late I guess. Can't stress that this needs to get done IMMEDIATELY if you're on a busy server…