Before trying to recover deleted files, mount the partition read-only to prevent unexpected writes from other applications. At the very least, make sure there are as few writes as possible on that partition.
To remount the partition read-only:
[root@admon1 python]# mount -r -n -o remount /data
If this partition is in use by other applications, you might have to kill them first. To see which processes are using the partition, list their PIDs with the command below, then kill them:
[root@admon1 python]# fuser -v -m /data
Then, as the partition is remounted read-only, let us use extundelete to undelete files from ext4.
extundelete is a utility that can recover deleted files from an ext3 or ext4 partition. extundelete uses information stored in the partition’s journal to attempt to recover a file that has been deleted.
Download and Install extundelete
wget 'http://downloads.sourceforge.net/project/extundelete/extundelete/0.2.4/extundelete-0.2.4.tar.bz2?r=http%3A%2F%2Fextundelete.sourceforge.net%2F&ts=1388373275&use_mirror=nchc'
tar jxf extundelete-0.2.4.tar.bz2 && cd extundelete-0.2.4
./configure
make && make install
extundelete depends on the library files of e2fsprogs, packaged as e2fslibs-dev in Debian/Ubuntu, so install e2fslibs-dev first.
Undelete files from ext4
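Suppose the /data partition is mounted from /dev/sda3. The path given to extundelete is relative to the root of the partition and does not start with a '/', so /data/path-to/file is written as path-to/file. Recovered files are written to RECOVERED_FILES/ in the current directory, so run the commands from a directory on a different file system.
1. Recover a specified file
extundelete /dev/sda3 --restore-file path-to/file
2. Recover a specified directory
extundelete /dev/sda3 --restore-directory important
3. Recover all the deleted files from /data
extundelete /dev/sda3 --restore-all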
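The read-only check and the path rule above can be scripted before extundelete is run. The following is an added example, not part of the original article or of extundelete; the function names and the /backup/recovered output directory are assumptions, and the mount table is constructed sample data.

```shell
#!/bin/sh
# Added example, not from the original page. SAMPLE_MOUNTS is constructed
# data in /proc/mounts format; on a live system feed /proc/mounts instead.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sda3 /data ext4 ro,relatime 0 0
/dev/sdb1 /backup ext4 rw,relatime,errors=remount-ro 0 0'

# mount_field MOUNTPOINT N: print field N of the last stdin line whose
# mount point matches (the last entry is the mount currently on top).
mount_field() {
    awk -v mp="$1" -v n="$2" \
        '$2 == mp { v = $n } END { if (v == "") exit 1; print v }'
}

# is_readonly MOUNTPOINT: true only when "ro" is a whole option, so that
# "errors=remount-ro" on a read-write mount is not mistaken for it.
is_readonly() {
    opts=$(mount_field "$1" 4) || return 2
    case ",$opts," in
        *,ro,*) return 0 ;;
        *) return 1 ;;
    esac
}

# partition_relative MOUNTPOINT ABSPATH: strip the mount point and leading
# slash, giving the form --restore-file and --restore-directory expect.
partition_relative() {
    mp=${1%/}
    case "$2" in
        "$mp"/?*) printf '%s\n' "${2#"$mp"/}" ;;
        *) return 1 ;;
    esac
}

# plan_restore MOUNTPOINT ABSPATH OUTDIR: read a mount table on stdin and
# print the extundelete command, or refuse if the checks fail.
plan_restore() {
    mounts=$(cat)
    printf '%s\n' "$mounts" | is_readonly "$1" ||
        { echo "refusing: $1 is not mounted read-only" >&2; return 1; }
    dev=$(printf '%s\n' "$mounts" | mount_field "$1" 1) || return 1
    rel=$(partition_relative "$1" "$2") ||
        { echo "refusing: $2 is not below $1" >&2; return 1; }
    printf 'extundelete %s --restore-file %s -o %s\n' "$dev" "$rel" "$3"
}

printf '%s\n' "$SAMPLE_MOUNTS" | plan_restore /data /data/path-to/file /backup/recovered
```

On a real system, replace the sample table with `plan_restore /data /data/path-to/file /backup/recovered < /proc/mounts` and review the printed command before running it.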
extundelete has many other options; the command-line help lists them:
root@deb:~/extundelete-0.2.4# extundelete --help
Usage: extundelete [options] [--] device-file
Options:
  --version, -[vV]       Print version and exit successfully.
  --help,                Print this help and exit successfully.
  --superblock           Print contents of superblock in addition to the rest.
                         If no action is specified then this option is implied.
  --journal              Show content of journal.
  --after dtime          Only process entries deleted on or after 'dtime'.
  --before dtime         Only process entries deleted before 'dtime'.
Actions:
  --inode ino            Show info on inode 'ino'.
  --block blk            Show info on block 'blk'.
  --restore-inode ino[,ino,...]
                         Restore the file(s) with known inode number 'ino'.
                         The restored files are created in ./RECOVERED_FILES
                         with their inode number as extension (ie, file.12345).
  --restore-file 'path'  Will restore file 'path'. 'path' is relative to root
                         of the partition and does not start with a '/'
                         The restored file is created in the current
                         directory as 'RECOVERED_FILES/path'.
  --restore-files 'path' Will restore files which are listed in the file 'path'.
                         Each filename should be in the same format as an option
                         to --restore-file, and there should be one per line.
  --restore-directory 'path'
                         Will restore directory 'path'. 'path' is relative to the
                         root directory of the file system. The restored
                         directory is created in the output directory as 'path'.
  --restore-all          Attempts to restore everything.
  -j journal             Reads an external journal from the named file.
  -b blocknumber         Uses the backup superblock at blocknumber when opening
                         the file system.
  -B blocksize           Uses blocksize as the block size when opening the file
                         system. The number should be the number of bytes.
  --log 0                Make the program silent.
  --log filename         Logs all messages to filename.
  --log D1=0,D2=filename Custom control of log messages with comma-separated
                         list of options. Dn must be one of info, warn, or
                         error. Omission of the '=name' results in messages
                         with the specified level to be logged to the console.
                         If the parameter is '=0', logging for the specified
                         level will be turned off. If the parameter is
                         '=filename', messages with that level will be written
                         to filename.
                         Examples below:
                           --log info,error
                           --log warn=0
                           --log error=filename
  -o directory           Save the recovered files to the named directory.
                         The restored files are created in a directory
                         named 'RECOVERED_FILES/' by default.