Extundelete Recovering deleted files from ext3 / ext4 filesystems using extundelete tool | GNU Tool Box
Extundelete is a simple and effective tool helps to recover files / directory from ext3 and ext4 filesystems. Although many recovery tools are available this tool is really so simple and a real life saver for admins or user who accidently removed any important files or directory. Extundelete uses the information stored in the partition’s journal to attempt to recover a file that has been deleted from the partition.
Source installation is simple and it can be done in just 2 minutes. Before installing it from source, make sure you have already installed the e2fsprogs version 1.41 and e2fslibs packages (for centOS / rhel based system package names are e2fsprogs & e2fsprogs-libs). Ssh your server as root.
- # cd /usr/src
- # wget http://gnutoolbox.com/download/linux/hdd/extundelete-0.2.0.tar
- # tar -xvf extundelete-0.2.0.tar
- # ./configure
- # make && make install
How to use Extundelete
Let us try a demo delete / recovery files / folders to get familer with this tool. I have tried a testing in one of my drive partiton /dev/sdb1 mounted as /backup. Create a folder named gnutool-delete under /backup and copy some of the files/directories inside this folder. For example
- # mkdir -p /backup/gnutool-delete
# cd /backup/gnutool-delete
# man man > file1-test.txt
# man man > file2-test.txt
#mkdir folder1; cd folder1; man man > file1-test.txt
Now delete the folder using rm -rf
- # rm -rf /backup/gnutool-delete
Once you have removed the folder you have to act quicker and either unmount or remount the partiton as read-only (For how to remount as readonly click here) as soon as possible to avoid overwritting of files/folder with new inodes. Since i have the /backup mounted on /dev/sdb1, all i did was
- # umount /backup
Recovering deleted files using Extundelete
Extundelete will restore any files it finds to a subdirectory of the current directory named “RECOVERED_FILES”. To run the program, type “extundelete –help” to see various options available to you. To recover all the deleted folder files :
- # extundelete /dev/sdb1 –restore-all
This will take a couple of minutes to read the directory structure and looking for a recoverable file within it. It will start recovering the files under the sub directory “RECOVERED_FILES” of the current directory. If you want to recover a large sized data files make sure your current directory is capable of holding the size.
- # cd RECOVERED_FILES
You will be able to see the directory “gnutool-delete” with all the files which was deleted before. You can also use the following syntax if you just want to recover the deleted folder “gnutool-delete” instead of recovering all.
- # extundelete /dev/sdb1 —-restore-directory /backup/gnutool-delete
Recovering the / partition files
If you have deleted something under the / primary partiton for example /etc/passwd and want to recover that file. Try (i assume that you have addition harddrive to store the recovered file).
- # mount -o remount,ro /
# cd /secondarydrive (should have read/write access)
# extundelete / —-restore-files /etc/passwd
# cd RECOVERED_FILES
You should be able to see the passwd file which was removed before.
NOTE : There is no guarantee that any particular file will be able to be undeleted, so always try to have a good backup system in place, or at least put one in place after recovering your files!