Undelete

Julio Batista Silva
Last updated on Jun 26, 2011 2 min read Linux, Tutorial

Today I deleted some files from my external hard drive, which is formatted in ext4, and realized that I had selected the wrong files. But luckily, I know a few things about file recovery and managed to recover everything in 5 minutes. The process can be seen below:

  1. I immediately closed all applications with access to that disk and unmounted the partition so that the inodes would not be overwritten:

    julio@julio-acer ~> sudo umount /dev/sdb3

  2. I installed a program available in the Arch Linux repository called extundelete, which uses the information recorded in the ext3 and ext4 partition journals for recovering deleted files:

    julio@julio-acer ~> sudo pacman -S extundelete

  3. I read the program’s help (extundelete --help) and the instructions available on the website http://extundelete.sourceforge.net.

  4. I switched to my home directory (which is on the internal hard drive) and ran the following command, which recovers all deleted files in the specified directory:

    julio@julio-acer ~  $  sudo extundelete /dev/sdb3 --restore-directory "Documentos/Música/recorder"
WARNING: Extended attributes are not restored.
Loading filesystem metadata … 14145 groups loaded.
Loading journal descriptors … 25337 descriptors loaded.
Searching for recoverable inodes in directory Documentos/Música/recorder …
149 recoverable inodes found.
Looking through the directory structure for deleted files …
Restored inode 100928610 to file RECOVERED_FILES/Documentos/Música/recorder/Metodo per Flauto Dolce (1^ parte).pdf
Restored inode 100928611 to file RECOVERED_FILES/Documentos/Música/recorder/Metodo Per Flauto Dolce (2^Parte).pdf
Block 404247082 is allocated.
Failed to restore inode 100928612 to file RECOVERED_FILES/Documentos/Música/recorder/Metodo per Flauto dolce (adatto per scuola media).zip:Some blocks were allocated.
Failed to restore inode 101040146 to file RECOVERED_FILES/Documentos/Música/recorder/metodo:Inode does not correspond to a regular file.
145 recoverable inodes still lost.

There you go! The files I had deleted were the two PDFs, which the program successfully recovered and placed in a folder called RECOVERED_FILES.

EXT4 Extundelete Data Recovery File System Undelete
Julio Batista Silva
Julio Batista Silva
Data Engineer

I’m a computer engineer passionate about science, technology, photography, and languages. Currently working as a Data Engineer in Germany.

comments powered by Disqus