Recover deleted files from ext4 by extundelete

Before trying to recover deleted files, we need to mount the partition as read-only, in order to prevent unexpected writes from other applications. At least, you should make sure there are as less writes as possible on that partition.

To mount as parition as readonly,

[root@admon1 python]# mount -r -n -o remount /data

If this parition is used by other applications, you might have to kill all these applications. To verify which process is using this partition, we use below command to list PIDs, then kill them:

[root@admon1 python]# fuser -v -m /data

Then, as the partition is remounted read-only, let us use extundelete to undelete files from ext4.

extundelete is a utility that can recover deleted files from an ext3 or ext4 partition. extundelete uses information stored in the partition’s journal to attempt to recover a file that has been deleted.

Download and Install extundelete

wget 'http://downloads.sourceforge.net/project/extundelete/extundelete/0.2.4/extundelete-0.2.4.tar.bz2?r=http%3A%2F%2Fextundelete.sourceforge.net%2F&ts=1388373275&use_mirror=nchc'
tar jxf extundelete-0.2.4.tar.bz2 && cd extundelete-0.2.4
./configure
make && make install

extundelete has dependency to libraries files of e2fsprogs, which is named asĀ e2fslibs-dev in Debian/Ubuntu, you need to install e2fslibs-dev first.

Undelete files from ext4

Suppose /data partition is mounted from /dev/sda3, then we can use below commands to do undelete:

1, recover a specified file
extundelete /dev/sda3 –restore-file /data/path-to/file

2, recover a specified directory
extundelete /dev/sda3 –restore-directory /data/important

3, Recover all the deleted files from /data
extundelete /dev/sda3 –restore-all

There are many other options of extundelete, you can read command line manual as below,

root@deb:~/extundelete-0.2.4# extundelete --help
Usage: extundelete [options] [--] device-file
Options:
  --version, -[vV]       Print version and exit successfully.
  --help,                Print this help and exit successfully.
  --superblock           Print contents of superblock in addition to the rest.
                         If no action is specified then this option is implied.
  --journal              Show content of journal.
  --after dtime          Only process entries deleted on or after 'dtime'.
  --before dtime         Only process entries deleted before 'dtime'.
Actions:
  --inode ino            Show info on inode 'ino'.
  --block blk            Show info on block 'blk'.
  --restore-inode ino[,ino,...]
                         Restore the file(s) with known inode number 'ino'.
                         The restored files are created in ./RECOVERED_FILES
                         with their inode number as extension (ie, file.12345).
  --restore-file 'path'  Will restore file 'path'. 'path' is relative to root
                         of the partition and does not start with a '/'
                         The restored file is created in the current
                         directory as 'RECOVERED_FILES/path'.
  --restore-files 'path' Will restore files which are listed in the file 'path'.
                         Each filename should be in the same format as an option
                         to --restore-file, and there should be one per line.
  --restore-directory 'path'
                         Will restore directory 'path'. 'path' is relative to the
                         root directory of the file system.  The restored
                         directory is created in the output directory as 'path'.
  --restore-all          Attempts to restore everything.
  -j journal             Reads an external journal from the named file.
  -b blocknumber         Uses the backup superblock at blocknumber when opening
                         the file system.
  -B blocksize           Uses blocksize as the block size when opening the file
                         system.  The number should be the number of bytes.
  --log 0                Make the program silent.
  --log filename         Logs all messages to filename.
--log D1=0,D2=filename   Custom control of log messages with comma-separated
   Examples below:       list of options.  Dn must be one of info, warn, or
   --log info,error      error.  Omission of the '=name' results in messages
   --log warn=0          with the specified level to be logged to the console.
   --log error=filename  If the parameter is '=0', logging for the specified
                         level will be turned off.  If the parameter is
                         '=filename', messages with that level will be written
                         to filename.
   -o directory          Save the recovered files to the named directory.
                         The restored files are created in a directory
                         named 'RECOVERED_FILES/' by default.

END

Share Button

Leave a comment

Your email address will not be published. Required fields are marked *