Linux Ext2fs Undeletion mini-HOWTO: Introduction

Rate this post

prev-9204200 next-9154293 toc-3876514

This mini-Howto attempts to provide hints on how to retrieve deleted files from an ext2 filesystem. It also contains a limited amount of discussion of how to avoid deleting files in the first place.

I intend it to be useful certainly for people who have just had, shall we say, a little accident with rm; however, I also hope that people read it anyway. You never know: one day, some of the information in here could save your bacon.

The text assumes a little background knowledge about UNIX filesystems in general; however, I hope that it will be accessible to most Linux users. If you are an outright beginner, I’m afraid that undeleting files under Linux does require a certain amount of technical knowledge and persistence, at least for the time being.

You will be unable to recover deleted files from an ext2 filesystem without at least read access to the raw device on which the file was stored. In general, this means that you must be root. You also need debugfs from the e2fsprogs package. This should have been installed by your distribution.

Why have I written this? It stems largely from my own experiences with a particularly foolish and disastrous rm -r command as root. I deleted about 97 JPEG files which I needed and could almost certainly not recover from other sources. Using some helpful tips (see section Credits and Bibliography) and a great deal of persistence, I recovered 91 files undamaged. I managed to retrieve at least parts of five of the rest (enough to see what the picture was in each case). Only one was undisplayable, and even for this one, I am fairly sure that no more than 1024 bytes were lost (though unfortunately from the beginning of the file; given that I know nothing about the JFIF file format I had done as much as I could).

I shall discuss further below what sort of recovery rate you can expect for deleted files.

1.1 Revision history

The various publicly-released revisions of this document (and their publication dates) are as follows:

Changes in version 1.1

What changes have been made in this version? First of all, the thinko in the example of file recovery has been fixed. Thankyou to all those who wrote to point out my mistaek; I hope I’ve learned to be more careful when making up program interaction.

Lire aussi...  Le HOWTO du noyau Linux (Kernel HOWTO)

Secondly, the discussion of UNIX filesystem layout has been rewritten to be, I hope, more understandable. I wasn’t entirely happy with it in the first place, and some people’s comments indicated that it wasn’t clear.

Thirdly, the vast uuencoded gzipped tarball of fsgrab in the middle of the file has been removed. The program is now available on my website and it should soon make its way onto Sunsite (and mirrors).

Fourthly, the document has been translated into the Linux Documentation Project SGML Tools content markup language. This markup language can be easily converted to any of a number of other markup languages (including HTML and LaTeX) for convenient display and printing. One benefit of this is that beautiful typography in paper editions is a much more achievable goal; another is that the document has cross-references and hyperlinks when viewed on the Web.

Changes in v1.2

This revision is very much an incremental change. It’s here mainly to include changes suggested by readers, one of which is particularly important.

The first change was suggested by Egil Kvaleberg , who pointed out the dump command in debugfs. Thanks again, Egil.

The second change is to mention the use of chattr for avoiding deleting important files. Thanks to Herman Suijs for mentioning this one.

The abstract has been revised. URLs have been added for organisations and software. Various other minor changes have been made (including fixing typos and so on).

1.2 Canonical locations of this document

The latest public release of this document should always be available in plain text format on the Linux Documentation Project site (and mirrors).

The latest release is also kept on my website in several formats:

  • SGML source. This is the source as I have written it, using the SGML Tools package.
  • HTML. This is HTML, automatically generated from the SGML source.
  • Plain text. This is plain text, which is also automatically generated from the SGML source. Note that this file is identical to the one on Sunsite, so if you want the plain text, you are recommended to get it from your favourite LDP mirror (as it will probably be much faster).

prev-9204200 next-9154293 toc-3876514