Undelete Linux Files from an ext2 File System
A few days ago, I ran into big trouble when I accidentally deleted the whole home directory of an employee.
I knew that there is no trash can in Linux like in Windows.
So the work of 6 months seemed to be destroyed.
While doing long research on the web, I found some ways and tools to recover deleted
files on an ext2 Linux file system.
I tested all the tools on a second machine by deleting files and trying to recover them,
but only with more or less random success.
Late at night I found a tool that seemed to be the right one to help me.
Sebastian Hetze from the company Lunetix developed a tool called undelete.
While testing this tool, I got the best results, especially for text files.
Using the undelete program, I got 99% of the files back.
Here are the steps I took to recover the files.
Steps to undelete files from an ext2 file system:
- preparations
  - prevent any write action on the partition where the files were deleted
  - the affected partition must be unmounted to use the undelete tool on it
  - if the deleted files are on the root partition (as in my case):
    - turn the computer off without shutting down
    - add the affected hard drive as a second hard drive in another Linux machine
    - do not run any install operations like fdisk on this second hard drive
    - Linux should detect it automatically while booting
    - if the name of the affected partition on the second hard drive is unknown, use only the read-only mount mode to figure the name out, e.g. mount -o ro /dev/hdc3 /mnt; don't forget to unmount before running the undelete tool on it
  - download the undelete tool to another partition or machine
  - download the e2fsprogs package to another partition or machine (needed to re-compile the undelete tool)
  - follow the install and compile instructions for the e2fsprogs package and the undelete tool
  - for better results, the undelete tool should be re-compiled with the current kernel
  - read the README file of the undelete tool
- open a root console
- copy the undelete binary to: /usr/bin
- create a new directory, e.g. mkdir dump
- change to the new directory
- run the undelete tool on the affected partition, e.g. machine:~/dump # undelete -d /dev/hdc3 -a 10
- pray, or if you are faithless: stay cool
- follow the instructions given by the tool
- be happy
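
The mount-state rules from the steps above (unmounted before recovery, read-only at most for identification, root partition handled from another machine), as an added shell example that is not part of the original page or of the undelete tool. The function names, exit codes and the sample mount table are assumptions made for illustration; the check matches the device name exactly as it is spelled in the mount table.

```shell
#!/bin/sh
# Added example: decide whether a partition is safe to hand to a recovery tool.
MOUNTS="${MOUNTS:-/proc/mounts}"   # mount table to read; override for testing

# Print "unmounted", or "<ro|rw> <mountpoint>" for the first mount of DEVICE.
# Matches the device name exactly as it appears in the mount table.
mount_state() {
    awk -v dev="$1" '
        $1 == dev && !found {
            found = 1; mode = "ro"
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) if (opt[i] == "rw") mode = "rw"
            print mode, $2
        }
        END { if (!found) print "unmounted" }
    ' "$MOUNTS"
}

# Exit status: 0 = not mounted, 1 = mounted read-only,
#              2 = mounted read-write, 3 = mounted as the root file system.
preflight() {
    set -- "$1" $(mount_state "$1")      # $2 = state, $3 = mount point
    case "$2:${3:-}" in
        unmounted:) echo "$1: not mounted, recovery tool may run"; return 0 ;;
        *:/)  echo "$1: is the running root file system, power off and move the disk to another machine" >&2; return 3 ;;
        rw:*) echo "$1: mounted read-write on $3, every write can overwrite deleted data" >&2; return 2 ;;
        ro:*) echo "$1: mounted read-only on $3, unmount before recovery" >&2; return 1 ;;
    esac
}

# Constructed mount table for the demo (not taken from a real machine).
sample_table() {
    cat <<'EOF'
/dev/hda1 / ext2 rw 0 0
/dev/hda2 /home ext2 rw 0 0
/dev/hdc3 /mnt ext2 ro 0 0
proc /proc proc rw 0 0
EOF
}

# Run preflight for each sample device; the subshell keeps MOUNTS local.
demo() (
    MOUNTS=$(mktemp) && sample_table > "$MOUNTS"
    for d in /dev/hda1 /dev/hda2 /dev/hdc3 /dev/hdc1; do
        rc=0; preflight "$d" 2>&1 || rc=$?
        echo "  -> status $rc"
    done
    rm -f "$MOUNTS"
)
```

Calling `demo` runs the checks against the constructed table; on a real machine, `preflight /dev/hdc3` reads /proc/mounts.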
Helpful links about this topic
Linux Ext2fs Undeletion mini-HOWTO
Disc recovery tools for EXT2FS
Recovering Deleted Files with mc
Löschen und Restaurieren von Dateien (Deleting and Restoring Files, in German)
Holger Rath, 20. November 2001