Skip to content

Instantly share code, notes, and snippets.

Show Gist options
  • Save coldfix/21c16e066b3ff05aa34c553d65a39e34 to your computer and use it in GitHub Desktop.
Save coldfix/21c16e066b3ff05aa34c553d65a39e34 to your computer and use it in GitHub Desktop.

Recovering deleted files in Ubuntu with ext4 filesystem

Recently, I deleted some files by mistake in a Ubuntu machine with an ext4 fs. These notes document the steps I took to get them back.

Important

  • this procedure assumes that the partition that contained the deleted files is different from the root partition, as that was the scenario with which I had to deal (deleted files were in my home dir). The procedure needs that the partition that contained the files is unmounted, so if the deleted files were in the root partition, the process would be a bit different (e.g. storing the fs journal in a USB stick, using a live CD/USB to boot and issue the commands, etc.)
  • if something is not clear, you need more information, etc. check the sources below

With that out the way, let's begin.

Right after deleting the files

Right after deleting the files, open a terminal and make a copy of the filesystem journal:

sudo debugfs -R "dump <8> /opt/sda6.journal" /dev/sda6

/dev/sda6 should be the appropriate path to your device, so change it accordingly. Also, don't store the copy of the journal in /tmp, in case it gets cleaned up.

We want to minimize the amount of interactions with the system, so the blocks which contained the deleted files don't get overwritten. If possible, try to close all the programs that may be writing on the same partition.

Then, install ext4magic, a disk utility to recover files from ext3 or ext4 partitions.

sudo apt-get install ext4magic

Getting to a root shell

The goal now is logging in as root, dropping to run-level 3 and unmounting the partition that we have to process. In my case, I tried doing all that without rebooting, but systemd or something else wasn't too happy about it, so in the end I had to shutdown by just pressing the power button, as I was kind of locked out of the box.

Anyway, if you reboot too, when the grub screen shows up choose "Advanced options", and then pick the one for "recovery mode".

In the recovery mode menu, quickly select "Enable networking". This enables networking and mounts all filesystems defined in /etc/fstab. The screen will begin to show logs and may seem to hang, but just be patient. In my case it was several minutes until it returned back to the menu.

You may be wondering, why do we mount all filesystems if at the beginning it was stated that the partition shouldn't be mounted? In my case, the reason for doing this is that otherwise the system entered in emergency mode after a couple of minutes (while at the same time showing the recovery mode menu superimposed on the screen; bottom line, the interface to the system was very buggy at that point, seemed kind of dangerous, and using "Enable networking" was the only way I managed to continue the process.

Once the "Enable networking" process finishes and the menu appears again, it should say something like "read/write mode" at the top. Now choose the "root shell" option.

In the root shell

Take note that in this shell, the keyboard will likely use a UK or US layout, which may be different than your usual layout. This effectively means that all the symbols may be out of their usual place.

Having said that, the first step in the shell is unmounting the partition where the deleted files were originally:

umount /home

After that, ext4magic will be able to read the partition. Now execute something like this (explanation just below):

ext4magic /dev/sda6 -a $(date -d "-6hours" +%s) -f user/folder -j /opt/sda6.journal -l
  • again, change the path to your particular device
  • the -a option indicates the start of the time range that ext4magic will process in search of deleted files; it expects a Unix epoch but we can the use date command which is a bit more user friendly (in the example we are saying "from 6 hours ago")
  • the end of the time range can be set with the -b option, which takes the same kind of argument as -a
  • -f indicates the folder that we want ext4magic to inspect; the path is relative to the root of the partition, e.g. if the deleted files were on /home/user/folder, and the partition were /home, the path would be user/folder
  • -j indicates that ext4magic will use an external copy of the journal to do the work; if not specified, it will use the regular journal of the system will be used
  • -l lists the deleted files

All the files that are listed with 100% in the left column of the output should be recoverable.

To actually recover the files run this:

ext4magic /dev/sda6 -a 1332606716 -f user/folder -j /tmp/sda6.journal -r -d /opt/RECOVER
  • -r is supposed to recover the files that had a 100% in the output of the previous command
  • -d indicates the directory where the recovered files will be stored

After this, exit from the shell and select the "resume" option in the menu. It is normal that the process also recovers unwanted files, files with weird names or duplicated content. Just ignore/delete them.

If there were files with less than 100% in the output of ext4magic, or there were files with 100% that haven't been recovered, then try using the -m option instead of -r, which will perform a more lengthy process which may be able to get the files back (although there are no guarantees).

Sources

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment