IT

Manually undeleting a file from ext2, ext3, ext4 or any other filesystem

Yesterday, I worked on a PHP project all day. At the end of the day, I moved it from development to staging. And finally I deleted it from staging. Oops!

I just discovered an hour ago what I did. What to do, what to do...?

Back in the old days, Midnight Commander supported some undelete function, but this option has been removed in the CentOS 6 version I'm running.

Then there's the option to use extundelete, but that would need compiling and a lot of other disk activity before I could use it. Normally, I would compile such a program on another server, then hook up the disk. But since it's a cloud server that I cannot access in any other way but SSH, that's not an option.

And finally there's the option to use ext3undel+foremost+testdisk from rpmforge to undelete information, but somehow I couldn't get all dependencies to install. So there's no usable software to fix this.

Or is there?

Manual recovery

Most filesystems, except for filesystems that do raid/compression/encryption, just write data to blocks on the disk in a structured manner. If you could save and access the blocks, you may be able to do some manual recovery.

I happened to know that the missing file contains the string Code or signature broken. So lets see what we can do:

i=0
while true; do
    i=$((i+1))
    echo $i
    #To prevent more disk actions, I use /dev/shm (ramdisk) to store temporary files
    #my disk is /dev/xvda1
    dd if=/dev/xvda1 bs=10M count=1 skip=$i > /dev/shm/mytmpfile 2>/dev/null
    grep "Code or signature broken" /dev/shm/mytmpfile
    usleep 10000
done

When running the script, I saw:

[...]
316
317
318
319
320
Binary file /dev/shm/mytmpfile matches

Ah, there may be my file. After pressing CTRL+C to stop the action, I started:

dd if=/dev/xvda1 bs=10M count=1 skip=320 > /dev/shm/tmpfile.320

There I could get my file back by editting /dev/shm/tmpfile.320 manually and removing everything not needed.

This approach won't be very useful for binary files, but in this case, it saved me a day's worth of work.

© GeekLabInfo Manually undeleting a file from ext2, ext3, ext4 or any other filesystem is a post from GeekLab.info. You are free to copy materials from GeekLab.info, but you are required to link back to http://www.geeklab.info

1 Star2 Stars3 Stars4 Stars5 Stars (1 votes, average: 4.00 out of 5)
Loading...

Leave a Reply