Trying to undelete directory in a ext4 filesystem

English Install/Boot/Login
#1

Hi!

Today making some clean of a filesystem with mc being root I deleted by error 2 directories I didn’t want to delete. ( I know, I know, I must have been more careful)
They weren’t very important, of course I have backups of almost everything, but I want to try to recover for two reasons:

  1. just in case there were something important i’m missing
  2. To learn about recovering just in case I need it in the future

I was deleting the this directories (mc warned me “are you sure yo want to delete all?” YES… “are you sure yo want to delete them recursively?” YES >:( )
the it begun to delete. Actually I wanted to delete all of them except these two. When I realized I have selected the two wrong directories I stop the deleting but they were already erased.
I unmounted the filesystem (the were in a filesystem mounted on /data ) and then begun trying to recover them.

The filesystem is in /dev/sda2 in the same disk I have my root filesystem ( my root filesystem is /dev/sda6 ) and my home

I’ve been reading about recovering. One useful tool seems to beextundelete.

I tried to install it in opensuse but

andromeda:/home/fernando/tmp/extundelete-0.2.4 # ./configure
Configuring extundelete 0.2.4
configure: error: Can't find ext2fs library

I guess I would have fixed the error but I’m a bit lazy today so I booted my system with System Rescue CD which has extundelete installed, I mounted my root partition /dev/sda6 in order to recover the directories into it and then


#extundelete --restore-directory /musica /dev/sda2
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 801 groups loaded.
Loading journal descriptors ... 32436 descriptors loaded.
Searching for recoverable inodes in directory /musica ... 
66317 recoverable inodes found.
Looking through the directory structure for deleted files ... 
66299 recoverable inodes still lost.

So It restore SOME of the files in the directory and none of the directories inside it.

Then I tried with the other

NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 801 groups loaded.
Loading journal descriptors ... 32436 descriptors loaded.
Searching for recoverable inodes in directory /software ... 
66317 recoverable inodes found.
Looking through the directory structure for deleted files ... 
66317 recoverable inodes still lost.
No files were undeleted.

Less luck. No file nor directory recovered.

I have used testdisk and photorec sometimes to recover files from SD cards. So I tried

# testdisk /dev/sda2

But It seems IOt try to use a complete disk and /dev/sda is my root disk so I went no further.

I will continue testing and I will report any success. Anyhow seems to be a hard work. Better be careful in the future.

#2

I’ve tried again with testdisk. With “Advanced” I selected sda2, then option “list” I could enter the filesystem, but when trying to enter any of the directories I received an error


TestDisk 6.13, Data Recovery Utility, November 2011
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org
 2 P Linux                  784   0  1 13838 254 63  209728575
Directory /software

No file found, filesystem may be damaged.
#3

On 2014-01-31 18:46, fperal wrote:

> I’ve been reading about recovering. One useful tool seems to be’
> extundelete.’ (http://extundelete.sourceforge.net/)

Well, ‘mc’ has an undelete function, but AFAIK it was designed for ext2.


Undelete File System
On  Linux  systems,  if  you  asked configure to use the ext2fs
undelete facilities, you will have  the  undelete  file  system
available.  Recovery of deleted files is only available on ext2
file systems.  The undelete file system is just an interface to
the  ext2fs  library to retrieve all of the deleted files names
on an ext2fs and provides and to  extract  the  selected  files
into a regular partition.

To  use  this  file  system, you have to chdir into the special
file name formed by the "undel://" prefix  and  the  file  name
where the actual file system resides.

For  example,  to recover deleted files on the second partition
of the first SCSI disk on Linux, you would  use  the  following
path name:

undel://sda2

It may take a while for the undelfs to load the required infor-
mation before you start browsing files there.

I learned recently about two utilities:


foremost        http://foremost.sourceforge.net/
http://en.wikipedia.org/wiki/Foremost_(software)

Foremost is a forensic data recovery program for Linux used to recover
files using their headers, footers, and data structures through
a process known as file carving.[3] Although written for law enforcement
use, it is freely available and can be used as a general data recovery
tool.[2]

ext4magic


Cheers / Saludos,

Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)

#4

After testing different recovering tools none of them succeded recovering all my files. The one which achieved the best results was ext4magic which seems a fork of extundelete and is included in Opensuse repos 8i installed it through “zypper in”.
But even ext4undelete only recovered less than a 10% of the deleted files and directories… seems that the journal did not have enough information for recovering.

Of course the solution is always having backups, but I’m testing other stuff like snapshots. “Back in time” seems a nice tool to try.

#5

On 2014-02-09 21:06, fperal wrote:
>
> After testing different recovering tools none of them succeded
> recovering all my files. The one which achieved the best results was
> ‘ext4magic’ (http://developer.berlios.de/projects/ext4magic/) which
> seems a fork of ‘extundelete’ (http://extundelete.sourceforge.net/) and
> is included in Opensuse repos 8i installed it through “zypper in”.
> But even ext4undelete only recovered less than a 10% of the deleted
> files and directories… seems that the journal did not have enough
> information for recovering.

Oh, thanks for the feedback.

> Of course the solution is always having backups, but I’m testing other
> stuff like snapshots. “Back in time” seems a nice tool to try.

Or a btrfs filesystem with snapshots active.


Cheers / Saludos,

Carlos E. R.

(from 13.1 x86_64 “Bottle” (Minas Tirith))

#6

Yes, I’ve thought on that too. I’ve never used btrfss but I’m thinking on giving it a try. But I think back in time may work fine because I use some directories mounted from a remote system with nfs under my home directory, and I think back in time may back it up too as well as all my entire /home directory (in case a loose my mind and do “rm -rf *” :wink: ). Back in time make hard links from one snapshot to another and obviously it is not possible with NFS, so I have to see which procedure uses back in time with files that haven’t been changed.
For what I have tested It does not charge the system much when working (it uses rsync with nice and ionice)

#7

On 2014-02-09 22:26, fperal wrote:

> Yes, I’ve thought on that too. I’ve never used btrfss but I’m thinking
> on giving it a try. But I think back in time may work fine because I use
> some directories mounted from a remote system with nfs under my home
> directory, and I think back in time may back it up too as well as all my
> entire /home directory (in case a loose my mind and do “rm -rf *” :wink:
> ). Back in time make hard links from one snapshot to another and
> obviously it is not possible with NFS, so I have to see which procedure
> uses back in time with files that haven’t been changed.
> For what I have tested It does not charge the system much when working
> (it uses rsync with nice and ionice)

Well, btrfs should be even lighter load. Mind, I do not use it myself,
but it does by design have the feature of going back in time to a
previous version of any file - as long as a snapshot was made, and the
files are local.

However, it is somewhat experimental. I would make frequent backups if I
used it. And you need a larger partition.


Cheers / Saludos,

Carlos E. R.

(from 13.1 x86_64 “Bottle” (Minas Tirith))

#8

From wikipedia: “It is still in heavy development and marked as unstable, especially since when the filesystem becomes full, no-space conditions arise which might make it challenging to delete files.[7]](https://en.wikipedia.org/wiki/Btrfs#cite_note-BTRFS_Stability-7)[8]](https://en.wikipedia.org/wiki/Btrfs#cite_note-8)”
I think I,m going to wait a bit. I’m not such adventurous :slight_smile:

#9

On 2014-02-09 23:36, fperal wrote:

> From wikipedia: "It is still in heavy development and marked as
> unstable, especially since when the filesystem becomes full, no-space
> conditions arise which might make it challenging to delete
> files.’[7]’

But the developers at openSUSE say different :slight_smile:

> I think I,m going to wait a bit. I’m not such adventurous :slight_smile:

I’m not using it, anyway. O:-)


Cheers / Saludos,

Carlos E. R.

(from 13.1 x86_64 “Bottle” (Minas Tirith))