
We often need to recover deleted files, for example when a file has been deleted accidentally or when doing digital forensics on a Linux server. On Windows there are many free and commercial tools for this, but on Linux there are far fewer. Here I explain how to do it without any GUI tool; the solution is entirely CLI-based.

Recovering deleted data from ext3 filesystem on linux


    Linux machine with /home on an ext3 filesystem.
    You have a file welcome.jpg in /home/test, and you have deleted it with "rm -f".
    Now we will recover that welcome.jpg.
    Required tools: debugfs (from e2fsprogs), blkls (from The Sleuth Kit) and foremost.

    Step 1. --> Check which device holds /home.

    linux-remo:~ # df -h
    Filesystem      Size  Used Avail Use% Mounted on
    /dev/sda2       7.8G  5.3G  2.2G  71% /
    udev            122M  168K  121M   1% /dev
    /dev/sda3        12G  158M   11G   2% /home

    So the device holding /home is /dev/sda3. Everything below works on that device; /root (where we will write our output) is on /dev/sda2, a different filesystem, so the recovery will not overwrite the blocks we are trying to recover.

    Step 2. -->  Debugfs to get necessary information

    The debugfs program is an interactive filesystem debugger that is installed by default on most common Linux distributions. It is used to manually examine and change the state of an ext2/ext3 filesystem. Here we use it to find the inode that held the metadata of the deleted file and the block group that inode belongs to.

    linux-remo:~ # debugfs /dev/sda3
    debugfs 1.41.1 (01-Sep-2008)

    debugfs:  cd test

    debugfs:  ls -d
    32769  (12) .    2  (4084) ..   <32770> (4072) welcome.jpg    ---> Here we get the inode number: 32770. "ls -d" lists deleted entries, and debugfs prints their inode numbers in angle brackets.

    The next command we want to run is imap, giving it the inode number above so we can determine to which block group the file belonged. We see by the output that it belonged to block group 4.

    debugfs:  imap <32770>
    Inode 32770 is part of block group 4    -----------> Here we got block group no. ---> BG
    located at block 131074, offset 0x0100

    Running the stats command generates a lot of output. The only value we need from it is the number of blocks per group; here, as in most cases, it is 32768. Now we have enough data to determine the set of blocks in which the file data resided. We are done with debugfs, so we type q to quit.

    debugfs: stats
    << lots of content>>
    Blocks per group:         32768   ---> BPG
    <<lots of content>>

    debugfs:  q    -------> To quit debugfs

    Step 3.  --> Dumping the unallocated blocks of the block group to a .dat file.

    The next thing we need to do is pull all unallocated blocks from block group 4 so we can examine their content. The blkls program from The Sleuth Kit (TSK) does exactly that: it takes the device file and a range of blocks and writes the unallocated blocks in that range to standard output, so we also need enough free space in a suitable place (on a different filesystem) for the output. The range of blocks belonging to a block group is computed from the block group number (BG) and the blocks per group (BPG): the first block is BG * BPG, and the last block is (BG + 1) * BPG - 1. In this case, the formula looks like this:

    (BG * BPG) through ((BG + 1) * BPG -1)

    In above example, it will look like:
    BPG --> 32768
    BG --> 4
    (4 * 32768) through ((4+1) * 32768 -1)
    131072 through 163839

    So the command is (the output goes to /root, which is on /dev/sda2, not on the filesystem we are recovering from):

    linux-remo:~ # blkls /dev/sda3 131072-163839 > /root/block.dat

    Step 4. -->  Carving the file out of the .dat file with the "foremost" tool

    Create output directory first.
    linux-remo:~ # mkdir /root/output  

    linux-remo:~ # foremost -dv -t jpg -o /root/output/ -i /root/block.dat
    Foremost version 1.5.6 by Jesse Kornblum, Kris Kendall, and Nick Mikus
    Audit File
    Foremost started at Sat Sep 26 12:11:59 2009
    Invocation: foremost -dv -t jpg -o /root/output/ -i /root/block.dat
    Output directory: /root/output
    Configuration file: /usr/local/etc/foremost.conf
    Processing: /root/block.dat
    File: /root/block.dat
    Start: Sat Sep 26 12:11:59 2009
    Length: 125 MB (132108288 bytes)
    Num Name (bs=512)       Size File Offset Comment
    0: 00012272.jpg      65 KB    6283264  (IND BLK bs:=4096)
    Finish: Sat Sep 26 12:12:03 2009
    jpg:= 1
    Foremost finished at Sat Sep 26 12:12:03 2009

    And here we get the jpg file in the /root/output directory. The filename differs from the original: foremost names each carved file after the 512-byte block offset at which it found the header (00012272 * 512 = 6283264, the "File Offset" column above). The content, however, is the same as the original file.
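The four steps above, automated as one POSIX shell script. This is an added example and not part of the original article: it assumes debugfs (from e2fsprogs), blkls (from The Sleuth Kit) and foremost are on the PATH, uses debugfs's -R option to run a single command non-interactively instead of the interactive session shown above, and the function names (imap_block_group, stats_blocks_per_group, group_block_range, recover_from_group) are this example's own. The two parsing functions are written against the debugfs output lines shown in Step 2; the sample strings in the comments are copied from there.

```shell
#!/bin/sh
# Added example (not from the article): automate Steps 1-4 for one inode
# on an ext3 device. Requires debugfs, blkls and foremost on the PATH.

# Parse the debugfs "imap <inode>" output, e.g.
#   "Inode 32770 is part of block group 4"  ->  4
imap_block_group() {
    printf '%s\n' "$1" |
        sed -n 's/^Inode [0-9][0-9]* is part of block group \([0-9][0-9]*\).*/\1/p'
}

# Parse the debugfs "stats" output, e.g.
#   "Blocks per group:         32768"  ->  32768
stats_blocks_per_group() {
    printf '%s\n' "$1" |
        sed -n 's/^Blocks per group:[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# Block range of block group BG, in the "start-end" form blkls expects:
#   (BG * BPG) through ((BG + 1) * BPG - 1)
group_block_range() {
    bg=$1
    bpg=$2
    printf '%s-%s\n' "$((bg * bpg))" "$(((bg + 1) * bpg - 1))"
}

# Full pipeline: device, inode number of the deleted file (from "ls -d"),
# foremost type (e.g. jpg) and an output directory. The output directory
# must live on a different filesystem than the device being recovered,
# otherwise the dump can overwrite the very blocks we want back.
recover_from_group() {
    dev=$1
    inode=$2
    ftype=$3
    outdir=$4

    # "debugfs -R <command> <device>" runs one command and exits.
    bg=$(imap_block_group "$(debugfs -R "imap <$inode>" "$dev" 2>/dev/null)")
    bpg=$(stats_blocks_per_group "$(debugfs -R stats "$dev" 2>/dev/null)")
    if [ -z "$bg" ] || [ -z "$bpg" ]; then
        echo "could not read inode $inode on $dev" >&2
        return 1
    fi

    range=$(group_block_range "$bg" "$bpg")
    echo "inode $inode: block group $bg, blocks $range" >&2

    mkdir -p "$outdir" || return 1
    # Step 3: dump the unallocated blocks of that group.
    blkls "$dev" "$range" > "$outdir/block.dat" || return 1
    # Step 4: carve files of the requested type out of the dump.
    foremost -dv -t "$ftype" -o "$outdir/carved" -i "$outdir/block.dat"
}

# Usage: recover.sh /dev/sda3 32770 jpg /root/output
if [ $# -ge 4 ]; then
    recover_from_group "$@"
fi
```

Run as root with the device, the inode number read off "ls -d", the foremost type and an output directory on another filesystem; the carved files land in <outdir>/carved. The range computation is general, so the same script works for any block group and any "Blocks per group" value, not only the 32768 of the example.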

    Recognising the recovered file by its size only works, of course, if you "know your data". Integrity-checking programs such as Tripwire play a big role in a recovery operation, as they let you identify the recovered data from its checksum without ever inspecting the content, as well as verify its integrity. This is quite useful when the information you are recovering is confidential and you are not authorised to view it.

    The file types built into foremost are jpg, gif, png, bmp, avi, exe, mpg, wav, riff, wmv, mov, pdf, ole, doc, zip, rar, htm and cpp. If you need to recover data beyond these built-in types, you will need to define custom types (header and footer signatures) in foremost's configuration file, foremost.conf.

Comments about this article
I use photorec to recover deleted files in Linux
written by: Shannon_VanWagner on 2010-04-28 07:56:46
I use Christophe GRENIER's photorec to recover deleted files in Linux.

This is from the photorec website:
Photorec ignores the file system, this way it works even if the file system is severely damaged.
It can recover lost files at least from

* FAT,
* EXT2/EXT3 filesystem

Shannon VanWagner
RE: I use photorec to recover deleted files in Lin
written by: neel.gurjar on 2010-04-30 17:25:17
Thanks Shannon.
I have not used this tool, but I would like to use it.

Reply to neel.gurjar:
written by: Lakshmipathi on 2010-05-06 02:31:48
Good one, but ext3grep is known to work with ext3 recovery. It uses the journal to recover files. http://www.xs4all.nl/~carlo17/howto/undelete_ext3.html
and of course my tool giis can be used as fail safe. www.giis.co.in/download.html
written by: sholdowa on 2010-05-06 23:08:17
... one thing you haven't considered is that Linux is a multiuser system. Also, the free block list is (well, was, last time I looked, which was quite some time ago!) a last-in, first-out list. So the most important thing to do IMMEDIATELY is to remount the partition read-only (sudo mount -o remount,ro /home) to protect your lost files.
