On Apr 04, 2002 12:48 +1200, Matt Cunningham wrote:> Redhat 7.2 - ext3 filesystem.
>
> Is it possible to recover deleted files immediately after deleting them?
> I have found utilities for recovering data from ext2 filesystems...
Not easily. This is a "bug" in the ext3 code caused by the way that
the journaling is written. While it is a known issue, the fix is
apparently not very easy so it hasn't been done yet.
Two things you can do to try and recover your data (depending on what
sort of data it is):
0) Unmount your filesystem with these deleted files immediately. If
you have not already done so, the chances of you recovering them
is getting smaller all the time. This might mean booting from
a CD instead of the disk if it is your root filesystem.
1) run "strings /dev/hdX | less" on your disk and search for bits of
your text documents in the output, then cut-n-paste it to another
file ON ANOTHER FILESYSTEM. You _could_ just dump the output into
a DIFFERENT filesystem, but it could be pretty large, so you may
want to find the actual data first before doing this. If you have
a small number of deleted text (or text-containing) documents to
which you know some of the expected content, this may work.
2) (much more complex) If you haven't also deleted the directory in
which these files resided that is a big help. Do "ls -id /dir"
on the directory in which the deleted files lived. Then run
"dumpe2fs /dev/hdX" to find out which group this directory inode
lives in. You will also get a listing of free blocks for that
group. For each free block in that group do (blocksize as reported
at the beginning of debugfs output, probably 4096):
dd if=/dev/hdX bs={blocksize} skip={blocknum} count=1 > tmpfile.{blocknum}
Make sure that tmpfile is on a DIFFERENT filesystem. Look at each
block with "less" and/or "file" to see if it has the data
you want.
The "file" output can be used to identify the START of a binary
file,
but not any subsequent blocks. However, depending on how many files
you have deleted and how large they are, this may not be helpful.
In general, a file will allocate contiguous blocks, so if you find the
start of a file you want, you can try sticking all of the following
blocks after it and seeing if it works. If you have very large files,
or you deleted a lot of files spread across the whole disk, this is
basically impossible to do.
Moral of the story - depending on how valuable these files are will tell
you how much time and/or money to spend trying to get them back. If they
are really that valuable, you should have made a backup.
Cheers, Andreas
--
Andreas Dilger \ "If a man ate a pound of pasta and a pound of antipasto,
\ would they cancel out, leaving him still hungry?"
http://www-mddsp.enel.ucalgary.ca/People/adilger/ -- Dogbert