Many times we need to recover deleted files, for example when a file is deleted accidentally or when we are doing digital forensics on a Linux server. On Windows there are many free and commercial tools for this, but on Linux there are very few. Here I am trying to explain how to do the same thing without any GUI tool. It is a completely CLI-based solution on Linux.
Recovering deleted data from ext3 filesystem on linux
Consider a Linux machine with /home on an ext3 filesystem. You have the file welcome.jpg in /home/test, and you have deleted it with the "rm -f" command. Now we will recover that welcome.jpg. Required tools: debugfs, foremost and blkls.
The debugfs program is an interactive file system debugger that is installed by default with most common Linux distributions. This program is used to manually examine and change the state of a filesystem. In our situation, we're going to use this program to determine the inode which stored information about the deleted file and to what block group the deleted file belonged.
debugfs: ls -d
32769 (12) . 2 (4084) .. <32770> (4072) welcome.jpg
---> Here we got the inode number of the deleted file: <32770>. debugfs prints deleted directory entries with the inode number in angle brackets.
The next command we want to run is imap, giving it the inode number above so we can determine to which block group the file belonged. We see from the output that it belonged to block group 4.
debugfs: imap <32770>
Inode 32770 is part of block group 4 -----------> Here we got the block group no.
        located at block 131074, offset 0x0100
Running the stats command will generate a lot of output. The only value we are interested in from this list, however, is the number of blocks per group. In this case, and in most cases, it's 32768. Now we have enough data to be able to determine the specific set of blocks in which the data resided. We're done with debugfs now, so we type q to quit.
debugfs: stats
<<lots of output>>
Blocks per group: 32768 ---> BPG
<<lots of output>>
debugfs: q -------> To quit debugfs
Step 3. --> Recovering data in dat format.
The next thing we need to do is pull all unallocated blocks from block group 4 so we can examine their content. The blkls program, from The Sleuth Kit (TSK), allows us to do just that. We simply need to know the device file and a range of blocks, and have enough space in the appropriate place to output this data. Using the information above, we can calculate the block range: the first block is the block group number multiplied by the blocks per group, and the last block is the block group number plus one, multiplied by the blocks per group, minus one. In this case, the formula looks like this:
(BG * BPG) through ((BG + 1) * BPG -1)
In the above example it works out as:
BPG --> 32768
BG --> 4
(4 * 32768) through ((4 + 1) * 32768 - 1)
131072 through 163839
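The debugfs steps above leave three pieces of output to read by eye. As an added example that is not part of the article, this Python script parses constructed copies of that output, applies the range formula, and assembles the blkls and foremost command lines for the remaining steps. The device path /dev/sdXN, the output file names and the exact blkls/foremost usage are assumptions of the example.

```python
import re

# Constructed sample output, modelled on the debugfs session shown in the article.
LS_D_OUTPUT = " 32769  (12) .    2  (4084) ..    <32770>  (4072) welcome.jpg"
IMAP_OUTPUT = "Inode 32770 is part of block group 4\n\tlocated at block 131074, offset 0x0100"
STATS_OUTPUT = ("Block size:               4096\n"
                "Blocks per group:         32768\n"
                "Inodes per group:         16384")

def deleted_entries(ls_d_output):
    """Map name -> inode for entries that 'ls -d' marks as deleted with <angle brackets>."""
    return {name: int(inode)
            for inode, name in re.findall(r"<(\d+)>\s+\(\d+\)\s+(\S+)", ls_d_output)}

def block_group(imap_output):
    """Block group number (BG) from 'imap <inode>' output."""
    m = re.search(r"part of block group (\d+)", imap_output)
    if m is None:
        raise ValueError("no block group in imap output")
    return int(m.group(1))

def blocks_per_group(stats_output):
    """Blocks per group (BPG) from the 'stats' listing."""
    m = re.search(r"^Blocks per group:\s+(\d+)", stats_output, re.MULTILINE)
    if m is None:
        raise ValueError("no 'Blocks per group' line in stats output")
    return int(m.group(1))

def block_range(bg, bpg):
    """The article's formula: (BG * BPG) through ((BG + 1) * BPG - 1), inclusive."""
    return bg * bpg, (bg + 1) * bpg - 1

def recovery_commands(device, bg, bpg, dat="/root/unalloc.dat", outdir="/root/output"):
    """Command lines for the remaining steps (assumed usage of both tools, device is a
    placeholder): blkls dumps the group's unallocated blocks to a .dat file and
    foremost carves jpg data out of that file."""
    first, last = block_range(bg, bpg)
    return [f"blkls -f ext3 {device} {first}-{last} > {dat}",
            f"foremost -t jpg -i {dat} -o {outdir}"]

def plan(ls_d_output, imap_output, stats_output, device):
    """Tie the steps together for one deleted-file recovery."""
    bg, bpg = block_group(imap_output), blocks_per_group(stats_output)
    return {"deleted": deleted_entries(ls_d_output), "block_group": bg,
            "blocks_per_group": bpg, "block_range": block_range(bg, bpg),
            "commands": recovery_commands(device, bg, bpg)}
```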
And here we get the jpg file in the /root/output directory. The filename will be different from the original, but the content will be the same.
Comparing size only works, of course, if you "know your data". Integrity checking programs such as Tripwire play a big role in a recovery operation as you can identify the recovered data without ever inspecting the content, as well as verify its integrity. This becomes quite useful if the information you're attempting to recover is confidential and you are not authorized to view the data.
File formats supported by Foremost are jpg, gif, png, bmp, avi, exe, mpg, wav, riff, wmv, mov, pdf, ole, doc, zip, rar, htm, and cpp. If you need to recover data beyond these built-in data types, you will need to define custom types in Foremost's configuration file foremost.conf.
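To show what foremost does with the blkls output, and how a custom type in foremost.conf fits in, here is an added example that is not foremost's own code: a minimal header/footer carver in Python that reads foremost.conf-style rules and carves a constructed blob standing in for the unallocated-block dump. The 'myfmt' type, the blob contents and the rule lines are constructed for this example.

```python
import re

# foremost.conf-style rules (constructed): extension, case-sensitive flag, max size,
# header, optional footer, with \xNN hex escapes as in the real file.
CONF = r"""
# extension  case_sensitive  max_size  header        footer
jpg          y               20000000  \xff\xd8\xff  \xff\xd9
myfmt        y               1024      MYHDR1        MYEND
"""

def _unescape(field):
    """Turn a conf field with hex escapes into raw bytes."""
    return re.sub(rb"\\x([0-9a-fA-F]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), field.encode())

def parse_conf(text):
    """Parse rules into (ext, case_sensitive, max_size, header, footer) tuples."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        footer = _unescape(parts[4]) if len(parts) > 4 else b""
        rules.append((parts[0], parts[1], int(parts[2]), _unescape(parts[3]), footer))
    return rules

def carve(blob, rules):
    """Return [(ext, offset, data)] for each header hit; data runs to the footer,
    or to max_size bytes when there is no footer (the role max_size plays in foremost)."""
    found = []
    for ext, _case, max_size, header, footer in rules:
        pos = blob.find(header)
        while pos != -1:
            end = min(pos + max_size, len(blob))
            if footer:
                f = blob.find(footer, pos + len(header), end)
                if f != -1:
                    end = f + len(footer)
            found.append((ext, pos, blob[pos:end]))
            pos = blob.find(header, end)
    return sorted(found, key=lambda hit: hit[1])

# Constructed stand-in for the blkls .dat output: 4 KiB blocks holding one synthetic
# JPEG (SOI..EOI markers only, not a real picture) and one custom-type record.
BLOCK = 4096
FAKE_JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 100 + b"\xff\xd9"
CUSTOM = b"MYHDR1hello-worldMYEND"
UNALLOC_DAT = (b"\x00" * BLOCK + FAKE_JPG.ljust(BLOCK, b"\x00")
               + CUSTOM.ljust(BLOCK, b"\x00") + b"\x00" * BLOCK)

def carve_sample():
    """Carve the constructed blob; offset // BLOCK is the block index within the dump."""
    return carve(UNALLOC_DAT, parse_conf(CONF))
```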
Comments about this article
I use photorec to recover deleted files in Linux
written by: Shannon_VanWagner on 2010-04-28 07:56:46
I use Christophe GRENIER's photorec to recover deleted files in Linux.
This is from the photorec website:
Photorec ignores the file system, this way it works even if the file system is severely damaged.
It can recover lost files at least from
* EXT2/EXT3 filesystem
RE: I use photorec to recover deleted files in Lin
written by: neel.gurjar on 2010-04-30 17:25:17
I have not used this tool but I will like to use it.
Reply to neel.gurjar:
written by: Lakshmipathi on 2010-05-06 02:31:48
Good one, but ext3grep is known to work with ext3 recovery. It uses the journal to recover files. http://www.xs4all.nl/~carlo17/howto/undelete_ext3.html
And of course my tool giis can be used as a fail-safe. www.giis.co.in/download.html
written by: sholdowa on 2010-05-06 23:08:17
... one thing you haven't considered is that Linux is a multiuser system. Also, the free block list is (well, was, last time I looked, which was quite some time ago!) a last-in, first-out list. So the most important thing to do IMMEDIATELY is to remount the partition read-only (sudo mount -o remount,ro /home) to protect your lost files.