File undelete for ext3fs? - Questions

This is a discussion on File undelete for ext3fs? - Questions ; Hi, Recently I lost over 30 files, most of which are relatively small ( doing, I do not have backups of them and hence would really like to try to recover them. That directory has had very little file writing ...

+ Reply to Thread
Results 1 to 9 of 9

Thread: File undelete for ext3fs?

  1. File undelete for ext3fs?

    Hi,

    Recently I lost over 30 files, most of which are relatively small
    (< 12 kB), from /tmp. Although this mishap was not due to my own
    doing, I do not have backups of them and hence would really like
    to try to recover them.

    That directory has had very little file writing activity since
    the deletion, so most of the removed files should not yet have been
    overwritten. However, all of the methods of Linux file recovery I
    know about only work for ext2fs, and this system uses ext3fs which
    I thought was safer due to its journalling capability. I have tried
    using "debugfs" with "lsdel" to see if it could find the removed
    files but it reported no file activity - probably because it only
    works on ext2fs. How can I possibly recover those missing files?

    TIA,
    Charles

  2. Re: File undelete for ext3fs?

    Charles wrote:
    > Hi,


    Hiya!!!

    > Recently I lost over 30 files, most of which are relatively small
    > (< 12 kB), from /tmp. Although this mishap was not due to my own
    > doing, I do not have backups of them and hence would really like
    > to try to recover them.


    > That directory has had very little file writing activity since


    Doesn't matter. The freed blocks are available to the whole file
    system, not just the directory!

    > the deletion, so most of the removed files should not yet have been


    Not true.

    > overwritten. However, all of the methods of Linux file recovery I
    > know about only work for ext2fs, and this system uses ext3fs which


    Doesn't matter. Switch the partition back to e2fs. Mount it as e2fs.

    > I thought was safer due to its journalling capability. I have tried


    Why? I don't understand why people think that journalling is somehow
    safer. Well, it is /slightly/ safer, but not much safer. What I
    don't understand is why people think so! What can be the safety
    mechanism that they are thinking of? It's a convenience more than
    anything else.

    > using "debugfs" with "lsdel" to see if it could find the removed
    > files but it reported no file activity - probably because it only
    > works on ext2fs. How can I possibly recover those missing files?


    You don't. ext3fs removes the traces that allows debugfs to find them
    under ext2. Grep the raw disk for their contents.

    Peter

  3. Re: File undelete for ext3fs?

    Charles wrote (in part):
    > Hi,
    >
    > Recently I lost over 30 files, most of which are relatively small
    > (< 12 kB), from /tmp. Although this mishap was not due to my own
    > doing, I do not have backups of them and hence would really like
    > to try to recover them.
    >

    I wonder why you would keep precious files in /tmp?

    Many systems delete the contents of /tmp at each reboot.

    Those systems that stay up 24/7 often have cron regularly schedule a
    cleanup of /tmp (and other directories) as well.

    So you should not expect files stored there to stick around in the first
    place.

    --
    .~. Jean-David Beyer Registered Linux User 85642.
    /V\ Registered Machine 73926.
    /( )\ Shrewsbury, New Jersey http://counter.li.org
    ^^-^^ 7:30am up 12 days, 16:57, 2 users, load average: 2.00, 2.09, 2.09


  4. Re: File undelete for ext3fs?

    On Tue, 02 Sep 2003 23:26:14 -0700, Charles wrote:

    > Hi,
    >
    > Recently I lost over 30 files, most of which are relatively small
    > (< 12 kB), from /tmp. Although this mishap was not due to my own
    > doing, I do not have backups of them and hence would really like
    > to try to recover them.
    >


    Well, if /tmp is on its own partition, then that's a bonus. If you're
    searching for text files, that's a double bonus, and your highly likely to
    get almost everything back using "grep" and "strings" on the raw
    partition. Make sure the partition containing /tmp never gets mounted
    until you have recovered everything or at least copied it somewhere else
    using "dd" on the partition.

    > That directory has had very little file writing activity since
    > the deletion, so most of the removed files should not yet have been
    > overwritten. However, all of the methods of Linux file recovery I
    > know about only work for ext2fs, and this system uses ext3fs which
    > I thought was safer due to its journalling capability. I have tried
    > using "debugfs" with "lsdel" to see if it could find the removed
    > files but it reported no file activity - probably because it only
    > works on ext2fs. How can I possibly recover those missing files?
    >
    > TIA,
    > Charles



  5. Re: File undelete for ext3fs?

    Charles wrote:

    > Hi,
    >
    > Recently I lost over 30 files, most of which are relatively small
    > (< 12 kB), from /tmp. Although this mishap was not due to my own
    > doing, I do not have backups of them and hence would really like
    > to try to recover them.



    It may very well be due to your doing. /tmp is a place for processes to
    store temporary files. Temporary means that an application program may not
    assume that a file in /tmp stays there between invocations of the program.
    That is the rule from the Filesystem Hierarchy Standard. Distributions may
    have mechanisms to remove old files from /tmp. It is a particularly bad
    idea to store anything one wants to keep in /tmp. Users have their home
    directories for that, they have no reason to explicitly touch /tmp at all.


    Ralf

  6. Re: File undelete for ext3fs?

    I should clarify that the missing files are all in plain text, and
    /tmp is in a different partition (not just a separate directory)
    from /usr, /home, /var. Because I am a new Linux user, I did not
    fully understand some of the feedback and would like to ask for
    clarification. I prefer to have further correspondence to be sent
    to my mail account.

    "Peter T. Breuer" wrote
    > Charles wrote:


    > > overwritten. However, all of the methods of Linux file recovery I
    > > know about only work for ext2fs, and this system uses ext3fs which


    > Doesn't matter. Switch the partition back to e2fs. Mount it as e2fs.


    How do I do that? (See also below.)

    > > I thought was safer due to its journalling capability. I have tried

    >
    > Why? I don't understand why people think that journalling is somehow
    > safer. Well, it is /slightly/ safer, but not much safer. What I
    > don't understand is why people think so! What can be the safety
    > mechanism that they are thinking of? It's a convenience more than
    > anything else.


    Although this is off the original topic, I would like to understand
    why journalling does not add safety but merely convenience.
    For instance, if the system or hard disk crashes, does journalling
    make no difference at all?

    > > using "debugfs" with "lsdel" to see if it could find the removed
    > > files but it reported no file activity - probably because it only
    > > works on ext2fs. How can I possibly recover those missing files?

    >
    > You don't. ext3fs removes the traces that allows debugfs to find them
    > under ext2. Grep the raw disk for their contents.


    If ext3fs does that, will switching the partition in question to ext2
    as you suggested above still work?
    How do you grep for the contents of the raw disk?


    Mephistopheles Jones wrote

    > Well, if /tmp is on its own partition, then that's a bonus. If you're
    > searching for text files, that's a double bonus, and your highly likely to
    > get almost everything back using "grep" and "strings" on the raw
    > partition. Make sure the partition containing /tmp never gets mounted
    > until you have recovered everything or at least copied it somewhere else
    > using "dd" on the partition.


    Thanks for the good news. But as a new user, I do not quite know how
    to use those commands to do the job. So could you provide, or point me
    to where I can find, more specific guidance?

    Thanks to those who provided constructive feedback. OTOH, some of the
    comments provided by others which just seemed to criticize are just not
    useful. It is easy for experienced users to forget what it was like
    when they were starting out. The missing files, which were originally
    moved onto a floppy from elsewhere, belong to another new user who was
    supposed to copy them into a /tmp directory so that they could shared
    with other users - /tmp was the only shared directory where he could
    write. Some time later I noticed the files disappearing, and it was
    only after that I learned about cron from the default install for my
    distribution periodically deleting files. Morever, the copies which
    should still have been on the floppy were no longer there because the
    other user being very new had apparently moved rather than copied
    those files (easy to do when not careful using a GUI tool).

  7. Re: File undelete for ext3fs?

    Charles wrote:
    > I should clarify that the missing files are all in plain text, and
    > /tmp is in a different partition (not just a separate directory)


    Than the data is probably still there. Scan the raw partition for it.

    > "Peter T. Breuer" wrote
    >> Charles wrote:


    >> > overwritten. However, all of the methods of Linux file recovery I
    >> > know about only work for ext2fs, and this system uses ext3fs which


    >> Doesn't matter. Switch the partition back to e2fs. Mount it as e2fs.


    > How do I do that? (See also below.)


    I said! So you read the man page for mount. Or fstab.

    >> > I thought was safer due to its journalling capability. I have tried

    >>
    >> Why? I don't understand why people think that journalling is somehow
    >> safer. Well, it is /slightly/ safer, but not much safer. What I
    >> don't understand is why people think so! What can be the safety
    >> mechanism that they are thinking of? It's a convenience more than
    >> anything else.


    > Although this is off the original topic, I would like to understand
    > why journalling does not add safety but merely convenience.
    > For instance, if the system or hard disk crashes, does journalling
    > make no difference at all?


    In certain senses, no. If the disk dies, you lose your data. If the
    system dies, you lose the data that was on the way to the disk. Ditto
    metadata.

    What you gain is the loss of the risk that on next reboot, the AI in
    the recovery routines will mess up. This is not really a question
    of journalling at all, but a byproduct of it - namely that the
    journalling filesystems are transactional, and perform relatively atomic
    operations designed to always leave the FS in a consistent state, so no
    repairs are required, and no messup on next reboot can happen.

    But that doesn't stop you losing data, or having existing data messed
    up by the crash itself. The type of journalling doen by the fs also
    influences the type of errors you see. The usual type is "meta data
    only", or "metadata written before data". This means that you will be
    susceptible to finding files that were open for writing at the time of
    the crash contain rubbish at the end on reboot, even though they are the
    right size. The size got adjusted right, but the data in it didn't make
    it to where it should have gone.

    Etc.

    >> > using "debugfs" with "lsdel" to see if it could find the removed
    >> > files but it reported no file activity - probably because it only
    >> > works on ext2fs. How can I possibly recover those missing files?

    >>
    >> You don't. ext3fs removes the traces that allows debugfs to find them
    >> under ext2. Grep the raw disk for their contents.


    > If ext3fs does that, will switching the partition in question to ext2
    > as you suggested above still work?


    Proably not. Try it and see.

    > How do you grep for the contents of the raw disk?


    Where does the difficulty lie? In using grep? Or accessing the raw
    partition? /dev/hdaX.

    > Mephistopheles Jones wrote


    >> Well, if /tmp is on its own partition, then that's a bonus. If you're
    >> searching for text files, that's a double bonus, and your highly likely to
    >> get almost everything back using "grep" and "strings" on the raw
    >> partition. Make sure the partition containing /tmp never gets mounted
    >> until you have recovered everything or at least copied it somewhere else
    >> using "dd" on the partition.


    > Thanks for the good news. But as a new user, I do not quite know how
    > to use those commands to do the job. So could you provide, or point me
    > to where I can find, more specific guidance?


    Sure. The man page for the command.

    Peter

  8. Re: File undelete for ext3fs?

    On Wed, 03 Sep 2003 23:43:01 -0700, Charles wrote:

    > I prefer to have further correspondence to be sent to my mail account.


    Why? You ask here, you should expect to be answered here. Exceptions
    are made when the subject becomes interesting to only two or three
    people, but such is not the case here: hello, mass quantities of lurkers
    reading this thread!

    > Although this is off the original topic, I would like to understand
    > why journalling does not add safety but merely convenience.


    Depends on what you want safety *from*. See below.

    > For instance, if the system or hard disk crashes, does journalling
    > make no difference at all?


    As Peter noted, it's a byproduct of the journalled filesystem using
    largely atomic operations when writing to the drive. If the computer
    loses power in mid-stream, it will probably recover a consistent state
    upon reboot. (And much more quickly than ext2 + fsck; this is where
    the convenience comes in.)

    If the hard disk *physically* crashes (e.g. you put a bullet through
    it), then only backup or (certain types of) RAID will get your data
    back in a reliable fashion.

    > The missing files, which were originally
    > moved onto a floppy from elsewhere, belong to another new user who was
    > supposed to copy them into a /tmp directory so that they could shared
    > with other users - /tmp was the only shared directory where he could
    > write.


    He could have created one:

    mkdir ~/shared
    chmod 755 ~/shared

    or chmod 777, to allow other users to edit the files in place.


  9. Post Re: File undelete for ext3fs?

    Quote Originally Posted by Charles View Post
    Hi,

    Recently I lost over 30 files, most of which are relatively small
    (< 12 kB), from /tmp. Although this mishap was not due to my own
    doing, I do not have backups of them and hence would really like
    to try to recover them.

    That directory has had very little file writing activity since
    the deletion, so most of the removed files should not yet have been
    overwritten. However, all of the methods of Linux file recovery I
    know about only work for ext2fs, and this system uses ext3fs which
    I thought was safer due to its journalling capability. I have tried
    using "debugfs" with "lsdel" to see if it could find the removed
    files but it reported no file activity - probably because it only
    works on ext2fs. How can I possibly recover those missing files?

    TIA,
    Charles
    Hi,greetings!
    Maybe this file undelete software would help you. This tool saved me some time before so you can give it a try.You can download this software for free here:http://www.fileundelete.net

+ Reply to Thread