Linux debugfs Hack: Undelete Files

May 3, 2012 · 22 comments · LAST UPDATED June 5, 2012

Undeletion means restoring files that have been deleted from a Linux ext3 file system with the rm command. Deleted files can be recovered on ext3 file systems using the debugfs program. This quick tutorial describes how to recover a recently deleted file using nothing but standard Linux command-line utilities.

Only system administrators and the root user can view and recover deleted files using the debugfs command. You need to immediately unmount the file system the deleted file was located on to minimize the risk that the deleted file's data is overwritten by other users or system processes.

A step-by-step guide for recovering files using debugfs

Create a text file called data.txt, enter:
echo 'This is a test' > data.txt
Display the index number (inode) of data.txt, enter:
ls -li data.txt
Sample outputs:

7536648 -rw-r--r-- 1 root root 15 May  3 12:40 data.txt

Note down the inode number, 7536648. Use the debugfs command to view the contents of the ext3 journal (block of data). The syntax is as follows:

 
debugfs -w /dev/device/name/here
debugfs /dev/sda1
debugfs /dev/mapper/SysVolGroup-LogVolRoot
 

If your file system is on /dev/sda2, enter:
# debugfs -w /dev/sda2
If your file system is on /dev/mapper/wks01-root, enter:
# debugfs -w /dev/mapper/wks01-root
After some time, you will be presented with the debugfs: prompt as follows:

debugfs 1.41.12 (17-May-2010)
debugfs:

Type the following command at the debugfs: prompt to get the block of data:

debugfs:  logdump -i <7536648>

Sample outputs:

Inode 7536648 is at group 230, block 7536642, offset 896
Journal starts at block 10875, transaction 38398034
  FS block 7536642 logged at sequence 38398245, journal block 12418
    (inode block for inode 7536648):
    Inode: 7536648   Type: regular        Mode:  0600   Flags: 0x0   Generation: 1050194965
    User:     0   Group:     0   Size: 0
    File ACL: 0    Directory ACL: 0
    Links: 0   Blockcount: 0
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x4fa249ab -- Thu May  3 04:02:35 2012
    atime: 0x4fa249ab -- Thu May  3 04:02:35 2012
    mtime: 0x4fa249ab -- Thu May  3 04:02:35 2012
    dtime: 0x4fa249ab -- Thu May  3 04:02:35 2012
    Blocks:
  FS block 7536642 logged at sequence 38398250, journal block 12537
    (inode block for inode 7536648):
    Inode: 7536648   Type: bad type        Mode:  0000   Flags: 0x0   Generation: 0
    User:     0   Group:     0   Size: 0
    File ACL: 0    Directory ACL: 0
    Links: 0   Blockcount: 0
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    Blocks:
  FS block 7536642 logged at sequence 38398253, journal block 12592
    (inode block for inode 7536648):
    Inode: 7536648   Type: bad type        Mode:  0000   Flags: 0x0   Generation: 0
    User:     0   Group:     0   Size: 0
    File ACL: 0    Directory ACL: 0
    Links: 0   Blockcount: 0
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    Blocks:
  FS block 7536642 logged at sequence 38398258, journal block 12711
    (inode block for inode 7536648):
    Inode: 7536648   Type: bad type        Mode:  0000   Flags: 0x0   Generation: 0
    User:     0   Group:     0   Size: 0
    File ACL: 0    Directory ACL: 0
    Links: 0   Blockcount: 0
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    Blocks:
  FS block 7536642 logged at sequence 38398261, journal block 12765
    (inode block for inode 7536648):
    Inode: 7536648   Type: bad type        Mode:  0000   Flags: 0x0   Generation: 0
    User:     0   Group:     0   Size: 0
    File ACL: 0    Directory ACL: 0
    Links: 0   Blockcount: 0
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    Blocks:
  FS block 7536642 logged at sequence 38398266, journal block 12855
    (inode block for inode 7536648):
    Inode: 7536648   Type: bad type        Mode:  0000   Flags: 0x0   Generation: 0
    User:     0   Group:     0   Size: 0
    File ACL: 0    Directory ACL: 0
    Links: 0   Blockcount: 0
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    Blocks:
  FS block 7536642 logged at sequence 38398270, journal block 12913
    (inode block for inode 7536648):
    Inode: 7536648   Type: bad type        Mode:  0000   Flags: 0x0   Generation: 0
    User:     0   Group:     0   Size: 0
    File ACL: 0    Directory ACL: 0
    Links: 0   Blockcount: 0
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    Blocks:
  FS block 7536642 logged at sequence 38398274, journal block 12981
    (inode block for inode 7536648):
    Inode: 7536648   Type: bad type        Mode:  0000   Flags: 0x0   Generation: 0
    User:     0   Group:     0   Size: 0
    File ACL: 0    Directory ACL: 0
    Links: 0   Blockcount: 0
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    Blocks:
  FS block 7536642 logged at sequence 38398276, journal block 13034
    (inode block for inode 7536648):
    Inode: 7536648   Type: bad type        Mode:  0000   Flags: 0x0   Generation: 0
    User:     0   Group:     0   Size: 0
    File ACL: 0    Directory ACL: 0
    Links: 0   Blockcount: 0
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    Blocks:
  FS block 7536642 logged at sequence 38398280, journal block 13190
    (inode block for inode 7536648):
    Inode: 7536648   Type: bad type        Mode:  0000   Flags: 0x0   Generation: 0
    User:     0   Group:     0   Size: 0
    File ACL: 0    Directory ACL: 0
    Links: 0   Blockcount: 0
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    Blocks:
  FS block 7536642 logged at sequence 38398285, journal block 13252
    (inode block for inode 7536648):
    Inode: 7536648   Type: bad type        Mode:  0000   Flags: 0x0   Generation: 0
    User:     0   Group:     0   Size: 0
    File ACL: 0    Directory ACL: 0
    Links: 0   Blockcount: 0
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    Blocks:
  FS block 7536642 logged at sequence 38398287, journal block 13302
    (inode block for inode 7536648):
    Inode: 7536648   Type: bad type        Mode:  0000   Flags: 0x0   Generation: 0
    User:     0   Group:     0   Size: 0
    File ACL: 0    Directory ACL: 0
    Links: 0   Blockcount: 0
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    Blocks:
  FS block 7536642 logged at sequence 38398290, journal block 13355
    (inode block for inode 7536648):
    Inode: 7536648   Type: bad type        Mode:  0000   Flags: 0x0   Generation: 0
    User:     0   Group:     0   Size: 0
    File ACL: 0    Directory ACL: 0
    Links: 0   Blockcount: 0
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    Blocks:
  FS block 7536642 logged at sequence 38398293, journal block 13409
    (inode block for inode 7536648):
    Inode: 7536648   Type: bad type        Mode:  0000   Flags: 0x0   Generation: 0
    User:     0   Group:     0   Size: 0
    File ACL: 0    Directory ACL: 0
    Links: 0   Blockcount: 0
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    Blocks:
  FS block 7536642 logged at sequence 38398298, journal block 13471
    (inode block for inode 7536648):
    Inode: 7536648   Type: bad type        Mode:  0000   Flags: 0x0   Generation: 0
    User:     0   Group:     0   Size: 0
    File ACL: 0    Directory ACL: 0
    Links: 0   Blockcount: 0
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    Blocks:
  FS block 7536642 logged at sequence 38398302, journal block 13604
    (inode block for inode 7536648):
    Inode: 7536648   Type: bad type        Mode:  0000   Flags: 0x0   Generation: 0
    User:     0   Group:     0   Size: 0
    File ACL: 0    Directory ACL: 0
    Links: 0   Blockcount: 0
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    Blocks:
  FS block 7536642 logged at sequence 38398307, journal block 13700
    (inode block for inode 7536648):
    Inode: 7536648   Type: bad type        Mode:  0000   Flags: 0x0   Generation: 0
    User:     0   Group:     0   Size: 0
    File ACL: 0    Directory ACL: 0
    Links: 0   Blockcount: 0
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    Blocks:
  FS block 7536642 logged at sequence 38398311, journal block 13756
    (inode block for inode 7536648):
    Inode: 7536648   Type: bad type        Mode:  0000   Flags: 0x0   Generation: 0
    User:     0   Group:     0   Size: 0
    File ACL: 0    Directory ACL: 0
    Links: 0   Blockcount: 0
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    Blocks:
  FS block 7536642 logged at sequence 38398314, journal block 13809
    (inode block for inode 7536648):
    Inode: 7536648   Type: bad type        Mode:  0000   Flags: 0x0   Generation: 0
    User:     0   Group:     0   Size: 0
    File ACL: 0    Directory ACL: 0
    Links: 0   Blockcount: 0
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    Blocks:
  FS block 7536642 logged at sequence 38398317, journal block 13864
    (inode block for inode 7536648):
    Inode: 7536648   Type: bad type        Mode:  0000   Flags: 0x0   Generation: 0
    User:     0   Group:     0   Size: 0
    File ACL: 0    Directory ACL: 0
    Links: 0   Blockcount: 0
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    Blocks:
  FS block 7536642 logged at sequence 38398320, journal block 13921
    (inode block for inode 7536648):
    Inode: 7536648   Type: bad type        Mode:  0000   Flags: 0x0   Generation: 0
    User:     0   Group:     0   Size: 0
    File ACL: 0    Directory ACL: 0
    Links: 0   Blockcount: 0
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    Blocks:
  FS block 7536642 logged at sequence 38398325, journal block 13980
    (inode block for inode 7536648):
    Inode: 7536648   Type: bad type        Mode:  0000   Flags: 0x0   Generation: 0
    User:     0   Group:     0   Size: 0
    File ACL: 0    Directory ACL: 0
    Links: 0   Blockcount: 0
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    Blocks:
  FS block 7536642 logged at sequence 38401277, journal block 23924
    (inode block for inode 7536648):
    Inode: 7536648   Type: bad type        Mode:  0000   Flags: 0x0   Generation: 0
    User:     0   Group:     0   Size: 0
    File ACL: 0    Directory ACL: 0
    Links: 0   Blockcount: 0
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    Blocks:
  FS block 7536642 logged at sequence 38401314, journal block 24107
    (inode block for inode 7536648):
    Inode: 7536648   Type: bad type        Mode:  0000   Flags: 0x0   Generation: 0
    User:     0   Group:     0   Size: 0
    File ACL: 0    Directory ACL: 0
    Links: 0   Blockcount: 0
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
    Blocks:
  FS block 7536642 logged at sequence 38401325, journal block 24146
    (inode block for inode 7536648):
    Inode: 7536648   Type: regular        Mode:  0644   Flags: 0x0   Generation: 1050269005
    User:     0   Group:     0   Size: 15
    File ACL: 0    Directory ACL: 0
    Links: 1   Blockcount: 8
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x4fa2c307 -- Thu May  3 12:40:23 2012
    atime: 0x4fa2c307 -- Thu May  3 12:40:23 2012
    mtime: 0x4fa2c307 -- Thu May  3 12:40:23 2012
    Blocks:  (0+1): 7559168
Found sequence 38395723 (not 38401480) at block 24688: end of journal.

Note down the Blocks: (0+1): 7559168 line. Type the following commands to remove the data.txt file:
rm data.txt
ls data.txt

Sample outputs:

ls: cannot access data.txt: No such file or directory

To recover the file, enter:
# dd if=/dev/mapper/wks01-root of=data.txt bs=4096 count=1 skip=7559168
Sample outputs:

1+0 records in
1+0 records out
4096 bytes (4.1 kB) copied, 0.010884 seconds, 376 kB/s

Verify that the data is recovered, enter:
cat data.txt
Sample outputs:

This is a test
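
The journal walk above ends with reading one Blocks: line out of many records and copying one block with dd. The script below is an added example, not part of the original tutorial: it picks the newest record that still has a block pointer from saved logdump text and prints the dd command plus a truncate to the inode size. The function names, the sample text, the invented later record and the /mnt/usb path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original tutorial). Input is text saved from
# debugfs, e.g.: debugfs -R 'logdump -i <7536648>' /dev/sda2 > logdump.txt

# Print "SEQUENCE SIZE BLOCK" for the highest-sequence journal record whose
# "Blocks:" line has the single-block form "(0+1): N" shown in the tutorial.
# Records with an empty "Blocks:" line are skipped. Returns 1 if none match.
latest_extent() {
    awk '
        /logged at sequence/ { seq = $7; sub(/,$/, "", seq); size = ""; next }
        $1 == "User:" && $5 == "Size:" { size = $6; next }
        $1 == "Blocks:" && NF == 3 && $2 == "(0+1):" {
            if (seq + 0 >= best_seq + 0) {
                best_seq = seq; best_size = size; best_blk = $3
            }
        }
        END {
            if (best_blk == "") exit 1
            print best_seq, best_size, best_blk
        }'
}

# Read "SEQUENCE SIZE BLOCK" on stdin and print (not run) the copy commands.
# $1 = device, $2 = output path, $3 = block size (default 4096 as in the
# tutorial; assumption: this matches the file system's block size).
recovery_commands() {
    dev=$1; dest=$2; bs=${3:-4096}
    read -r seq size blk || return 1
    echo "dd if=$dev of=$dest bs=$bs count=1 skip=$blk"
    # dd copies the whole block; truncate trims the copy to the inode size.
    if [ "${size:-0}" -gt 0 ]; then
        echo "truncate -s $size $dest"
    fi
}

# Constructed sample: two records abbreviated from the output above, plus an
# invented later record (sequence 38401500) logged after the file was removed.
sample_logdump() {
    cat <<'EOF'
Inode 7536648 is at group 230, block 7536642, offset 896
Journal starts at block 10875, transaction 38398034
  FS block 7536642 logged at sequence 38398245, journal block 12418
    (inode block for inode 7536648):
    Inode: 7536648   Type: regular        Mode:  0600   Flags: 0x0   Generation: 1050194965
    User:     0   Group:     0   Size: 0
    Links: 0   Blockcount: 0
    Blocks:
  FS block 7536642 logged at sequence 38401325, journal block 24146
    (inode block for inode 7536648):
    Inode: 7536648   Type: regular        Mode:  0644   Flags: 0x0   Generation: 1050269005
    User:     0   Group:     0   Size: 15
    Links: 1   Blockcount: 8
    Blocks:  (0+1): 7559168
  FS block 7536642 logged at sequence 38401500, journal block 24700
    (inode block for inode 7536648):
    Inode: 7536648   Type: regular        Mode:  0644   Flags: 0x0   Generation: 1050269005
    User:     0   Group:     0   Size: 0
    Links: 0   Blockcount: 0
    Blocks:
EOF
}

# /mnt/usb is a hypothetical mount point on a different file system.
sample_logdump | latest_extent |
    recovery_commands /dev/mapper/wks01-root /mnt/usb/data.txt
```

logdump only reads the journal, so the saved text can come from a debugfs session opened without -w. Writing the recovered copy to a different file system avoids allocating new blocks on the one being recovered.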

Howto: Recover a file when you don't know the inode number

Delete a file called 521.sh:
rm 521.sh
Type the following command:
# debugfs -w /dev/mapper/wks01-root
At the debugfs: prompt, type the lsdel command:

debugfs: lsdel

Sample outputs:

 Inode  Owner  Mode    Size    Blocks   Time deleted
23601299      0 120777      3    1/   1 Tue Mar 13 16:17:30 2012
7536655      0 120777      3    1/   1 Tue May  1 06:21:22 2012
2 deleted inodes found.

Get block data, enter:

debugfs: logdump -i <7536655>

Sample outputs:

Inode 7536655 is at group 230, block 7536642, offset 1792
Journal starts at block 10875, transaction 38398034
  FS block 7536642 logged at sequence 38398245, journal block 12418
    (inode block for inode 7536655):
    Inode: 7536655   Type: symlink        Mode:  0777   Flags: 0x0   Generation: 3532221116
    User:     0   Group:     0   Size: 3
    File ACL: 0    Directory ACL: 0
    Links: 0   Blockcount: 0
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x4f9fc732 -- Tue May  1 06:21:22 2012
    atime: 0x4f9fc730 -- Tue May  1 06:21:20 2012
    mtime: 0x4f9fc72f -- Tue May  1 06:21:19 2012
    dtime: 0x4f9fc732 -- Tue May  1 06:21:22 2012
    Fast_link_dest: bin
    Blocks:  (0+1): 7235938
  FS block 7536642 logged at sequence 38398250, journal block 12537
    (inode block for inode 7536655):
    Inode: 7536655   Type: symlink        Mode:  0777   Flags: 0x0   Generation: 3532221116
    User:     0   Group:     0   Size: 3
    File ACL: 0    Directory ACL: 0
    Links: 0   Blockcount: 0
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x4f9fc732 -- Tue May  1 06:21:22 2012
    atime: 0x4f9fc730 -- Tue May  1 06:21:20 2012
    mtime: 0x4f9fc72f -- Tue May  1 06:21:19 2012
    dtime: 0x4f9fc732 -- Tue May  1 06:21:22 2012
    Fast_link_dest: bin
    Blocks:  (0+1): 7235938
  FS block 7536642 logged at sequence 38398253, journal block 12592
    (inode block for inode 7536655):
    Inode: 7536655   Type: symlink        Mode:  0777   Flags: 0x0   Generation: 3532221116
    User:     0   Group:     0   Size: 3
    File ACL: 0    Directory ACL: 0
    Links: 0   Blockcount: 0
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x4f9fc732 -- Tue May  1 06:21:22 2012
    atime: 0x4f9fc730 -- Tue May  1 06:21:20 2012
    mtime: 0x4f9fc72f -- Tue May  1 06:21:19 2012
    dtime: 0x4f9fc732 -- Tue May  1 06:21:22 2012
    Fast_link_dest: bin
    Blocks:  (0+1): 7235938
...
...
....
output truncated
    Fast_link_dest: bin
    Blocks:  (0+1): 7235938
  FS block 7536642 logged at sequence 38402086, journal block 26711
    (inode block for inode 7536655):
    Inode: 7536655   Type: symlink        Mode:  0777   Flags: 0x0   Generation: 3532221116
    User:     0   Group:     0   Size: 3
    File ACL: 0    Directory ACL: 0
    Links: 0   Blockcount: 0
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x4f9fc732 -- Tue May  1 06:21:22 2012
    atime: 0x4f9fc730 -- Tue May  1 06:21:20 2012
    mtime: 0x4f9fc72f -- Tue May  1 06:21:19 2012
    dtime: 0x4f9fc732 -- Tue May  1 06:21:22 2012
    Fast_link_dest: bin
    Blocks:  (0+1): 7235938
No magic number at block 28053: end of journal.

Type the following command:
# dd if=/dev/mapper/wks01-root of=recovered.file.001 bs=4096 count=1 skip=7235938
# file recovered.file.001

Sample outputs:

file: ASCII text, with very long lines

View file, enter:
# more recovered.file.001

A note about an easy-to-use tool called PhotoRec

Now you know the basic hacks for recovering files under ext3 or ext4. However, I strongly recommend that you make backups. It cannot be stressed enough how important it is to make a backup. Another option is the PhotoRec software. It is file data recovery software designed to recover lost files, including video, documents and archives, from hard disks and CD-ROMs, and lost pictures from digital camera memory. PhotoRec ignores the file system and goes after the underlying data, so it will still work even if your media's file system has been severely damaged or reformatted. PhotoRec is free: this open source multi-platform application is distributed under the GNU General Public License (GPL v2+). PhotoRec is a companion program to TestDisk, an app for recovering lost partitions on a wide variety of file systems and making non-bootable disks bootable again. You can download them from this link. You can install testdisk using the following apt-get command or yum command:
# yum install testdisk
OR
# apt-get install testdisk
To recover files simply type:
# photorec
Stay tuned for more information on the photorec and testdisk data recovery tools. I recommend that you view the manual page on debugfs using the following command for more information:
$ man debugfs

{ 22 comments… read them below or add one }

1 Ameya May 3, 2012 at 6:42 pm

That's a great tutorial, very helpful to recover files which are deleted accidentally.
Thank you.
Ameya

2 Ameya May 3, 2012 at 7:05 pm

I am trying to test this but it's not working for me. I tried to run the debugfs command with and without unmounting the filesystem; both results were negative. I wonder what's going wrong. Any suggestions?

[root@jackDr1pp3r lost+found]# cp /root/test.sh test2
[root@jackDr1pp3r lost+found]# cd
[root@jackDr1pp3r ~]# rm /boot/lost+found/test2
rm: remove regular file `/boot/lost+found/test2'? y
[root@jackDr1pp3r ~]# umount /boot/
[root@jackDr1pp3r ~]# debugfs -w /dev/sda1
debugfs 1.39 (29-May-2006)
debugfs: lsdel
Inode Owner Mode Size Blocks Time deleted
0 deleted inodes found.
debugfs:

3 Roy May 3, 2012 at 7:15 pm

Hmm.. you are using the 1.39 version from 2006? I guess it is an older distro. You need to use the latest version. Are you on ext2 or ext3? For ext2, you need to follow these instructions.

All in all though, a good tutorial but I prefer to use testdisk. It had saved my butt multiple times :)

4 Ameya May 3, 2012 at 7:24 pm

Thanks Roy,
It's a RHEL 5.5 with ext3. I will try with the latest one. I could recover the file using the inode, but in a real-life incident we won't know the inode of a deleted file. I have not tried testdisk yet; I will give it a try now.

5 Bgg May 3, 2012 at 6:51 pm

Should it be used by undelete script? My brain fucked up

6 chmurli May 3, 2012 at 7:55 pm

Does it work only on ext3? What about ext4?
On ext4 I got this problem:
“debugfs: logdump -i
logdump: Filesystem not open”

7 chmurli May 3, 2012 at 8:10 pm

Does it work only for ext3? What about ext4?
On ext4 I got this problem:
“debugfs: logdump -i
logdump: Filesystem not open”

8 sri krishna May 4, 2012 at 2:02 am

thanks vivek for the post…..really interesting………..was using testdisk for a long time with a 50-50 chance…..

9 Jalal Hajigholamali May 4, 2012 at 2:23 am

Hi,

Thanks, great article

10 vmintam May 4, 2012 at 4:04 am

Vivek,

Perhaps, if we don't know the inode of the deleted files, it is really difficult to recover a file on an ext3 filesystem. I have tried with ext3, and it failed. But with ext2, all is OK.

11 Rajesh Chaudhary May 4, 2012 at 5:09 am

Nice one, really a valuable share…

12 chris May 4, 2012 at 8:07 am

Have a look:
ext4magic – allows to recover deleted files on ext3/4 filesystems

13 Nikesh May 8, 2012 at 6:42 pm

excellent and very easy to use, there are many other opensource tools that can be used to recover the deleted files:

14 sathish May 28, 2012 at 3:34 pm

It will not recover the file without the inode.

It works fine when we give the inode.

15 kunal vaidya May 30, 2012 at 2:23 pm

Hi Guyz,

I did try this and found that “lsdel” will not give you any result. So I tried the option ls -d and it worked.
You can use ls -d inside the debugfs prompt to get the inodes of deleted files irrespective of debugfs versions.

Cheers !!

16 kunal vaidya May 30, 2012 at 2:29 pm

One more thing to share: it works even with the file system mounted and for both ext2/ext3.
Also, when you type the command logdump -i, please take the latest Blocks: (0+1): entry, as on some systems the Blocks: (0+1): entry may not be the last entry.

@vmintam and @sathish, it is working even if you don't know the inode number; just use ls -d to see the inode of the deleted file.

17 vmintam May 31, 2012 at 2:44 am

Thanks kunal vaidya .

I have just checked again with ls -d and see it fine. :)

[root@localhost vmintam]# touch test_again
[root@localhost vmintam]# rm -f test_again
[root@localhost vmintam]# debugfs /dev/sda3
debugfs 1.41.14 (22-Dec-2010)
debugfs: ls -d /vmintam
3932165 (12) . 2 (4084) .. (4072) test_again

But there is a bit of a problem if my directory has many files in it. If I want to find the exact file that was deleted, what's the solution?

18 kunal vaidya May 31, 2012 at 4:30 am

@vmintam,

I hope at least you know the name of the file which you have deleted before you are going to recover it. :)
And the number within is the inode of the deleted file; it's 4072 in your case.

19 vmintam May 31, 2012 at 4:40 am

@ kunal vaidya

Of course, I know the name of the file which I have deleted.

For example, I deleted a file in /tmp, and the name of the file is test_again.txt. I'm using ls -d /tmp to find the inode of the deleted file. But in /tmp, there are many files which I deleted (more than about 1000 deleted files).

So, I want to find the exact deleted file. Please tell me, how can I do that?

I don't know the command to search for it.

20 kunal vaidya May 31, 2012 at 8:12 am

@vmintam,

Here you go with your required solution.
Let's say you have 1000 files inside /tmp and you want only the inode of a particular file; then at the debugfs prompt type:
debugfs: stat test_again.txt

and it will show you the inode with other details of that particular file only.
Hope this helps.

Cheers !!

21 vmintam May 31, 2012 at 8:54 am

@ kunal vaidya

I have just tested :

[root@localhost test_debugfs]# debugfs /dev/sda3
debugfs 1.41.14 (22-Dec-2010)
debugfs: ls -d /test_debugfs
3932197 (12) . 2 (4084) .. (12) 1 (12) 2
(12) 3 (12) 4 (12) 5 (12) 6
(12) 7 (72) 8 (12) 234 (12) 245
(36) 53 (12) 12 (12) 43 (12) a
(12) b (12) c (12) d (12) e
(12) f (12) g (12) h (12) i
(12) j (12) k (12) l (12) m
(12) n (12) o (12) p (24) s
(12) r (12) t (12) u (12) v
(3664) z (12) x (3640) y

debugfs: stat /test_debugfs/a
/test_debugfs/a: File not found by ext2_lookup

debugfs: stat
stat: Usage: stat

debugfs: stat a
a: File not found by ext2_lookup

Perhaps it is not supported in ext3.

:)

22 vmintam May 31, 2012 at 8:56 am

@kunal vaidya: some inodes of deleted files (using the ls -d command) do not show in the comment!
