File undelete for ext3fs?
Hi,
Recently I lost over 30 files, most of which are relatively small
(< 12 kB), from /tmp. Although this mishap was not due to my own
doing, I do not have backups of them and hence would really like
to try to recover them.
That directory has had very little file writing activity since
the deletion, so most of the removed files should not yet have been
overwritten. However, all of the methods of Linux file recovery I
know about only work for ext2fs, and this system uses ext3fs which
I thought was safer due to its journalling capability. I have tried
using "debugfs" with "lsdel" to see if it could find the removed
files but it reported no file activity - probably because it only
works on ext2fs. How can I possibly recover those missing files?
TIA,
Charles
Re: File undelete for ext3fs?
Charles <clmail2000@yahoo.com> wrote:[color=blue]
> Hi,[/color]
Hiya!!!
[color=blue]
> Recently I lost over 30 files, most of which are relatively small
> (< 12 kB), from /tmp. Although this mishap was not due to my own
> doing, I do not have backups of them and hence would really like
> to try to recover them.[/color]
[color=blue]
> That directory has had very little file writing activity since[/color]
Doesn't matter. The freed blocks are available to the whole file
system, not just the directory!
[color=blue]
> the deletion, so most of the removed files should not yet have been[/color]
Not true.
[color=blue]
> overwritten. However, all of the methods of Linux file recovery I
> know about only work for ext2fs, and this system uses ext3fs which[/color]
Doesn't matter. Switch the partition back to e2fs. Mount it as e2fs.
[color=blue]
> I thought was safer due to its journalling capability. I have tried[/color]
Why? I don't understand why people think that journalling is somehow
safer. Well, it is /slightly/ safer, but not much safer. What I
don't understand is why people think so! What can be the safety
mechanism that they are thinking of? It's a convenience more than
anything else.
[color=blue]
> using "debugfs" with "lsdel" to see if it could find the removed
> files but it reported no file activity - probably because it only
> works on ext2fs. How can I possibly recover those missing files?[/color]
You don't. ext3fs removes the traces that allows debugfs to find them
under ext2. Grep the raw disk for their contents.
Peter
Re: File undelete for ext3fs?
Charles wrote (in part):[color=blue]
> Hi,
>
> Recently I lost over 30 files, most of which are relatively small
> (< 12 kB), from /tmp. Although this mishap was not due to my own
> doing, I do not have backups of them and hence would really like
> to try to recover them.
>[/color]
I wonder why you would keep precious files in /tmp?
Many systems delete the contents of /tmp at each reboot.
Those systems that stay up 24/7 often have cron regularly schedule a
cleanup of /tmp (and other directories) as well.
So you should not expect files stored there to stick around in the first
place.
--
.~. Jean-David Beyer Registered Linux User 85642.
/V\ Registered Machine 73926.
/( )\ Shrewsbury, New Jersey [url]http://counter.li.org[/url]
^^-^^ 7:30am up 12 days, 16:57, 2 users, load average: 2.00, 2.09, 2.09
Re: File undelete for ext3fs?
On Tue, 02 Sep 2003 23:26:14 -0700, Charles wrote:
[color=blue]
> Hi,
>
> Recently I lost over 30 files, most of which are relatively small
> (< 12 kB), from /tmp. Although this mishap was not due to my own
> doing, I do not have backups of them and hence would really like
> to try to recover them.
>[/color]
Well, if /tmp is on its own partition, then that's a bonus. If you're
searching for text files, that's a double bonus, and your highly likely to
get almost everything back using "grep" and "strings" on the raw
partition. Make sure the partition containing /tmp never gets mounted
until you have recovered everything or at least copied it somewhere else
using "dd" on the partition.
[color=blue]
> That directory has had very little file writing activity since
> the deletion, so most of the removed files should not yet have been
> overwritten. However, all of the methods of Linux file recovery I
> know about only work for ext2fs, and this system uses ext3fs which
> I thought was safer due to its journalling capability. I have tried
> using "debugfs" with "lsdel" to see if it could find the removed
> files but it reported no file activity - probably because it only
> works on ext2fs. How can I possibly recover those missing files?
>
> TIA,
> Charles[/color]
Re: File undelete for ext3fs?
Charles wrote:
[color=blue]
> Hi,
>
> Recently I lost over 30 files, most of which are relatively small
> (< 12 kB), from /tmp. Although this mishap was not due to my own
> doing, I do not have backups of them and hence would really like
> to try to recover them.[/color]
It may very well be due to your doing. /tmp is a place for processes to
store temporary files. Temporary means that an application program may not
assume that a file in /tmp stays there between invocations of the program.
That is the rule from the Filesystem Hierarchy Standard. Distributions may
have mechanisms to remove old files from /tmp. It is a particularly bad
idea to store anything one wants to keep in /tmp. Users have their home
directories for that, they have no reason to explicitly touch /tmp at all.
Ralf
Re: File undelete for ext3fs?
I should clarify that the missing files are all in plain text, and
/tmp is in a different partition (not just a separate directory)
from /usr, /home, /var. Because I am a new Linux user, I did not
fully understand some of the feedback and would like to ask for
clarification. I prefer to have further correspondence to be sent
to my mail account.
"Peter T. Breuer" <ptb@oboe.it.uc3m.es> wrote[color=blue]
> Charles wrote:[/color]
[color=blue][color=green]
> > overwritten. However, all of the methods of Linux file recovery I
> > know about only work for ext2fs, and this system uses ext3fs which[/color][/color]
[color=blue]
> Doesn't matter. Switch the partition back to e2fs. Mount it as e2fs.[/color]
How do I do that? (See also below.)
[color=blue][color=green]
> > I thought was safer due to its journalling capability. I have tried[/color]
>
> Why? I don't understand why people think that journalling is somehow
> safer. Well, it is /slightly/ safer, but not much safer. What I
> don't understand is why people think so! What can be the safety
> mechanism that they are thinking of? It's a convenience more than
> anything else.[/color]
Although this is off the original topic, I would like to understand
why journalling does not add safety but merely convenience.
For instance, if the system or hard disk crashes, does journalling
make no difference at all?
[color=blue][color=green]
> > using "debugfs" with "lsdel" to see if it could find the removed
> > files but it reported no file activity - probably because it only
> > works on ext2fs. How can I possibly recover those missing files?[/color]
>
> You don't. ext3fs removes the traces that allows debugfs to find them
> under ext2. Grep the raw disk for their contents.[/color]
If ext3fs does that, will switching the partition in question to ext2
as you suggested above still work?
How do you grep for the contents of the raw disk?
Mephistopheles Jones <junkmail@whistlin.com> wrote
[color=blue]
> Well, if /tmp is on its own partition, then that's a bonus. If you're
> searching for text files, that's a double bonus, and your highly likely to
> get almost everything back using "grep" and "strings" on the raw
> partition. Make sure the partition containing /tmp never gets mounted
> until you have recovered everything or at least copied it somewhere else
> using "dd" on the partition.[/color]
Thanks for the good news. But as a new user, I do not quite know how
to use those commands to do the job. So could you provide, or point me
to where I can find, more specific guidance?
Thanks to those who provided constructive feedback. OTOH, some of the
comments provided by others which just seemed to criticize are just not
useful. It is easy for experienced users to forget what it was like
when they were starting out. The missing files, which were originally
moved onto a floppy from elsewhere, belong to another new user who was
supposed to copy them into a /tmp directory so that they could shared
with other users - /tmp was the only shared directory where he could
write. Some time later I noticed the files disappearing, and it was
only after that I learned about cron from the default install for my
distribution periodically deleting files. Morever, the copies which
should still have been on the floppy were no longer there because the
other user being very new had apparently moved rather than copied
those files (easy to do when not careful using a GUI tool).
Re: File undelete for ext3fs?
Charles <clmail2000@yahoo.com> wrote:[color=blue]
> I should clarify that the missing files are all in plain text, and
> /tmp is in a different partition (not just a separate directory)[/color]
Than the data is probably still there. Scan the raw partition for it.
[color=blue]
> "Peter T. Breuer" <ptb@oboe.it.uc3m.es> wrote[color=green]
>> Charles wrote:[/color][/color]
[color=blue][color=green][color=darkred]
>> > overwritten. However, all of the methods of Linux file recovery I
>> > know about only work for ext2fs, and this system uses ext3fs which[/color][/color][/color]
[color=blue][color=green]
>> Doesn't matter. Switch the partition back to e2fs. Mount it as e2fs.[/color][/color]
[color=blue]
> How do I do that? (See also below.)[/color]
I said! So you read the man page for mount. Or fstab.
[color=blue][color=green][color=darkred]
>> > I thought was safer due to its journalling capability. I have tried[/color]
>>
>> Why? I don't understand why people think that journalling is somehow
>> safer. Well, it is /slightly/ safer, but not much safer. What I
>> don't understand is why people think so! What can be the safety
>> mechanism that they are thinking of? It's a convenience more than
>> anything else.[/color][/color]
[color=blue]
> Although this is off the original topic, I would like to understand
> why journalling does not add safety but merely convenience.
> For instance, if the system or hard disk crashes, does journalling
> make no difference at all?[/color]
In certain senses, no. If the disk dies, you lose your data. If the
system dies, you lose the data that was on the way to the disk. Ditto
metadata.
What you gain is the loss of the risk that on next reboot, the AI in
the recovery routines will mess up. This is not really a question
of journalling at all, but a byproduct of it - namely that the
journalling filesystems are transactional, and perform relatively atomic
operations designed to always leave the FS in a consistent state, so no
repairs are required, and no messup on next reboot can happen.
But that doesn't stop you losing data, or having existing data messed
up by the crash itself. The type of journalling doen by the fs also
influences the type of errors you see. The usual type is "meta data
only", or "metadata written before data". This means that you will be
susceptible to finding files that were open for writing at the time of
the crash contain rubbish at the end on reboot, even though they are the
right size. The size got adjusted right, but the data in it didn't make
it to where it should have gone.
Etc.
[color=blue][color=green][color=darkred]
>> > using "debugfs" with "lsdel" to see if it could find the removed
>> > files but it reported no file activity - probably because it only
>> > works on ext2fs. How can I possibly recover those missing files?[/color]
>>
>> You don't. ext3fs removes the traces that allows debugfs to find them
>> under ext2. Grep the raw disk for their contents.[/color][/color]
[color=blue]
> If ext3fs does that, will switching the partition in question to ext2
> as you suggested above still work?[/color]
Proably not. Try it and see.
[color=blue]
> How do you grep for the contents of the raw disk?[/color]
Where does the difficulty lie? In using grep? Or accessing the raw
partition? /dev/hdaX.
[color=blue]
> Mephistopheles Jones <junkmail@whistlin.com> wrote[/color]
[color=blue][color=green]
>> Well, if /tmp is on its own partition, then that's a bonus. If you're
>> searching for text files, that's a double bonus, and your highly likely to
>> get almost everything back using "grep" and "strings" on the raw
>> partition. Make sure the partition containing /tmp never gets mounted
>> until you have recovered everything or at least copied it somewhere else
>> using "dd" on the partition.[/color][/color]
[color=blue]
> Thanks for the good news. But as a new user, I do not quite know how
> to use those commands to do the job. So could you provide, or point me
> to where I can find, more specific guidance?[/color]
Sure. The man page for the command.
Peter
Re: File undelete for ext3fs?
On Wed, 03 Sep 2003 23:43:01 -0700, Charles wrote:
[color=blue]
> I prefer to have further correspondence to be sent to my mail account.[/color]
Why? You ask here, you should expect to be answered here. Exceptions
are made when the subject becomes interesting to only two or three
people, but such is not the case here: hello, mass quantities of lurkers
reading this thread!
[color=blue]
> Although this is off the original topic, I would like to understand
> why journalling does not add safety but merely convenience.[/color]
Depends on what you want safety *from*. See below.
[color=blue]
> For instance, if the system or hard disk crashes, does journalling
> make no difference at all?[/color]
As Peter noted, it's a byproduct of the journalled filesystem using
largely atomic operations when writing to the drive. If the computer
loses power in mid-stream, it will probably recover a consistent state
upon reboot. (And much more quickly than ext2 + fsck; this is where
the convenience comes in.)
If the hard disk *physically* crashes (e.g. you put a bullet through
it), then only backup or (certain types of) RAID will get your data
back in a reliable fashion.
[color=blue]
> The missing files, which were originally
> moved onto a floppy from elsewhere, belong to another new user who was
> supposed to copy them into a /tmp directory so that they could shared
> with other users - /tmp was the only shared directory where he could
> write.[/color]
He could have created one:
mkdir ~/shared
chmod 755 ~/shared
or chmod 777, to allow other users to edit the files in place.
Re: File undelete for ext3fs?
[QUOTE=Charles;56691]Hi,
Recently I lost over 30 files, most of which are relatively small
(< 12 kB), from /tmp. Although this mishap was not due to my own
doing, I do not have backups of them and hence would really like
to try to recover them.
That directory has had very little file writing activity since
the deletion, so most of the removed files should not yet have been
overwritten. However, all of the methods of Linux file recovery I
know about only work for ext2fs, and this system uses ext3fs which
I thought was safer due to its journalling capability. I have tried
using "debugfs" with "lsdel" to see if it could find the removed
files but it reported no file activity - probably because it only
works on ext2fs. How can I possibly recover those missing files?
TIA,
Charles[/QUOTE]
Hi,greetings!:)
Maybe this file undelete software would help you. This tool saved me some time before so you can give it a try.You can download this software for free here:[url]http://www.fileundelete.net[/url]
