|
||||||||
|
EXT3 RecoveryLast Updated: Nov 08 2004By: Paul Stanisci, 2byteconsulting.com This HOWTO gives a quick description of the steps necessary to recover deleted text files from an ext3 partition. Why?Linux has a utility to recover deleted files called recover, however recover only works on ext2 partitions. Mounting an ext3 partition as ext2, or converting an ext3 partition to ext2 will not allow recover to work.As Andreas Dilger (an ext3 developer) explains: "In order to ensure that ext3 can safely resume an unlink after a crash, it actually zeros out the block pointers in the inode, whereas ext2 just marks these blocks as unused in the block bitmaps and marks the inode as 'deleted' and leaves the block pointers alone." A copy of the ext3 faq can be found here (http://batleth.sapienti-sat.org/projects/FAQs/ext3-faq.html) DisclaimerI will claim no responsability for any repercussions of using this guide. These are the steps I have used to recover lost files and they may not work for everybody. You may follow these instructions at your own risk.So how to I do this?After deleting your file it is very important to unmount the host partition as quickly as possible!! You don't want new files being written to overwrite your important data!Assuming the file you deleted was in '/home' and '/home' is a seperate partition from your root partition, it can be unmounted like this: umount /homeIf your file was on a partition other than your root drive then this should be a fairly simple task. End any processes that are using that partition such as shells, services, daemons, etc... If you cannot unmount the partition because it's in use, you can use lsof to find processes using the device. This is how you use lsof to find programs using a specific directory: lsof +D /homeOnce your partition is unmounted you can begin the recovery process. This involves using dd to copy raw filesystem data from the filesystem that hosted your deleted file, to a temporary file that we can search. It is important to copy the data to somewhere temporary so we aren't working directly upon the filesystem. There is less chance of breaking something, and loading smaller chunks into an editor like vi or nano is much quicker. Assuming the partition that held your file was '/dev/hda2', use the dd command to copy 100M/Bytes of data to somewhere temporary. You may use a larger chunk of data if you wish, I just arbitrarily chose to work in 100M/Bytes chunks. This is how to use dd to copy data from a device to a temporary file: dd if=/dev/hda2 of=/root/hda2.part bs=1M count=100This copies 100 blocks of 1M/Byte each to /root/hda2.part. Once you have this chunk you can use grep to search it for a string that appeared in your lost file: grep "Service plans will be terminated immediately" /root/hda2.partIf grep returns with no results then your file (or part of it) wasn't in that block! This isn't a big deal, it just means your file wasn't in the first 100M/Bytes of the partition. To extract the next 100M/bytes use the same dd command with the 'skip' argument: dd if=/dev/hda2 of=/root/hda2.part bs=1M count=100 skip=100This will copy 100M/Bytes from /dev/hda2 to the temporary file, starting from 101st M/Byte. Once the copy is done re-run grep against this new chunk. If you find nothing move onto the next one by incrementing the value assigned to skip by 100: dd if=/dev/hda2 of=/root/hda2.part bs=1M count=100 skip=200You may continue this by hand, or write a script to do this for you. Continue searching until you've found a match. Once (if!) a match is found open the temporary file (/root/hda2.part) in your favorite editor (like vi!) and search for your string. If you are lucky the file will be one contiguous chunk. Good luck! If you would like to contribute or recommend changes/updates please e-mail Paul |
|||||||
|
||||||||
