Undeleting Files

Up to this point, we have discussed backing up data and restoring that data. In some situations, however, you need to restore data that has not been backed up because you just accidentally deleted it. File recovery (and system recovery, which you learn about in a later section) requires a high level of expertise to successfully complete. There are data recovery businesses that are good at data and system recovery, and they prosper because the task is so difficult. The information presented here, along with practice on your part, can assist you in attempting to do-it-yourself or enable you to recognize when a professional service is warranted.

Using the ext2fs Undeletion Process

On multiuser systems, when files are deleted, their inodes are made available immediately for use by the system. In that case, recovering that data intact is very unlikely, although not impossible. The first rule in undeleting a file is to stop all disk writes as soon as possible. If the system is heavily used, the old inode will likely be overwritten quite soon. The sooner you stop disk writes after deleting a file, the better chance you have of restoring at least some of the file.

After you have unmounted the file system containing the deleted files, you must attempt to methodically find the deleted parts of the file and reassemble them. Essentially, this involves examining the raw data on the disk using pattern matching to identify candidates for recovery, and then decoding the candidates' inode information to relink the files if possible. It is a time-consuming process and should be reason enough to encourage you to back up the files in the first place. On a single-user system, the chances of recovery are better because fewer writes to the disk have occurred after the file deletion.

File recovery is not something to be attempted without preparation and practice; both will improve your chances of recovering more of the data. The Ext2fs Undeletion mini-HOWTO (see "Reference") has been written to detail the process. Again, file recovery requires some practice before you would be ready to use it in the real world.

Reformatting with the -S Option When Experiencing Unrecoverable File System Errors

In attempting to recover data from a damaged disk with file system errors that cannot be fixed with fsck, you can run the mke2fs command with the -S option like this (for example, if you are having trouble with the ext2/3 partition on /dev/hda2):

 # mke2fs -S /dev/hda2 

The -S argument writes new superblock information, but does not write new inodes; this might make the missing data salvageable, or it might not depending on the damage. You must run e2fsck on the unmounted partition after using the mke2fs command in this manner.

Because a directory is a file as well, the same techniques for file recovery can be used to recover entire directories. The Ext2fs Undeletion of Directory Structures mini-HOWTO (see "Reference") is written as a companion to the Ext2fs Undeletion mini-HOWTO both of which should be on everyone's required reading list if you want to successfully undelete any files. The manual technique described in the HOWTOs is too long and complex to be covered in this book.

Undeleting Files Using mc

The Midnight Commander can make use of a virtual file system and includes a special undelete file system that can be used on ext2/3 partitions. The mc utility is just an interface to the ext2fs library, and the virtual file system handles for you the nitty-gritty details of the file system that the previous paragraph alluded to. As with any simplified solution to complex issues, mc must make some assumptions for you that might result in less data being recovered than if you use the manual method. For that reason, using mc for recovering deleted files is not a standard method.

To use the recovery file system, you must cd in one of the panels to the special filename formed by combining the prefix /#undel: with the partition name where your deleted file resides. For example, to attempt to recover a deleted file on /dev/hda2, do this:

 # cd /#undel:hda2 

Be patient because it will take quite a while for the deleted files to be displayed. You will see a list of inodes that you can examine with the text editor (using the F4 key); then use the F12 key to perform a Save As operation, renaming the file to something appropriate for your use. Repeat this process until you have renamed and saved all the files. Press the Shift+F10 key to exit when done. Note that you might be able to recover only pieces of files and might not be able to recover any at all.

NOTE

If you need to know what is on a drive or disk that cannot be easily mounted (it could be a non-Linux format, or could contain un-formatted, raw data), use

 # dd if=/dev/hda1 count=1 bs=512 | file  

which produces output similar to the following:

 1+0 records in 1+0 records out standard input:              x86 boot sector, \ system MSWIN4.1, FAT (16 bit) 

To discover what an unknown floppy disk is, use this:

 # dd if=/dev/fd0 count=1 bs=512 | file  

which produces output similar to the following:

 1+0 records in 1+0 records out standard input:              x86 boot sector, system )\ _3oEIHC, FAT (12 bit