
HOWTO rescue deleted Linux files | undelete | unremove | unrm | rm -v

Here's how we rescued a LaTeX *.tex file that was accidentally removed on a Linux box.

  1. Stop doing anything else on the system. The idea is to use the disk as little as possible. (We stopped short of killing idle daemons, because we didn't want them scribbling stuff in log files.)

  2. Know the first few bytes of the file you want. Hopefully they are fairly unique. The LaTeX document we wanted began with the characters "\document", so we used that pattern.

  3. Write a program that reads each sector from the raw partition (you must be root; assuming 512-byte sectors is safest) and checks whether it begins with the pattern. If not, it loops and reads the next 512 bytes. If it does, the program saves that sector and a fixed number of following sectors (we did 600 more sectors, which is 300 KBytes) in a rescue file. Save probably twice as much as the length of the file you think you're looking for. Save the rescue files to an extra partition, not the one being scanned -- or invoke "scp" or something to save them on another machine. (Usually ext2 & ext3 store files contiguously on disk -- especially if they are not too big & are written all at once.)

  4. The following TCL script did the job. Make it open the exact partition you want to scan. It needs another partition to write the rescue files to.

    grope.tcl

  5. Use "less" to examine the rescue files to see if you can find your data. Also the "strings" command is very good about extracting ASCII text portions.

  6. Even better, if you have physical access to the machine, shut down the system IMMEDIATELY and physically install its disk as an extra drive in another unix box. Do your scanning of the raw disk from there. (In our recent case, we didn't have access to this box.) Or boot a KNOPPIX CD (which will not write to any partitions unless you specifically mount them writeable from a root shell.)

  7. I've also used this kind of technique to rescue JPEG files from a digital camera's Compact Flash with a corrupted FAT file system. We wrote a program that started a new rescue file every time it found "JFIF" as the first 4 bytes of a sector, even if it was still saving the previous rescue file. We completely rescued about 3/4 of the images this way, and fragments of more.
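
The scanner described in steps 3 and 7, as an added Python example (it is not the page's grope.tcl, which is not reproduced here). The function name `scan`, the rescue file naming and the check that the output directory is not on the scanned partition are assumptions of this example.

```python
import os
import stat

SECTOR = 512  # sector size assumed in step 3


def scan(source, pattern, out_dir, extra_sectors=600, sector=SECTOR):
    """Scan a raw partition or disk image one sector at a time.

    Each sector that begins with `pattern` starts a new rescue file holding
    that sector plus `extra_sectors` following ones. A match that arrives
    while an earlier file is still being saved gets its own file too
    (step 7). Returns a list of (sector_number, rescue_path).
    """
    st = os.stat(source)
    # Refuse to write rescue files onto the partition being read: every
    # write there can overwrite the blocks we are trying to recover.
    if stat.S_ISBLK(st.st_mode) and os.stat(out_dir).st_dev == st.st_rdev:
        raise ValueError("out_dir is on the partition being scanned")
    active = []  # [sectors_left, file_object] for files still being filled
    found = []
    with open(source, "rb") as dev:  # read-only; never opened for writing
        n = 0
        while True:
            block = dev.read(sector)
            if not block:
                break
            if block.startswith(pattern):
                path = os.path.join(out_dir, f"rescue-{n:010d}.bin")
                active.append([extra_sectors + 1, open(path, "wb")])
                found.append((n, path))
            for entry in active:
                entry[1].write(block)
                entry[0] -= 1
                if entry[0] == 0:
                    entry[1].close()
            active = [e for e in active if e[0] > 0]
            n += 1
    for _, fh in active:  # source ended before the window was full
        fh.close()
    return found


if __name__ == "__main__":
    import sys
    # Arguments: source partition or image, pattern, existing output dir
    src, pat, out = sys.argv[1:4]
    for sec, path in scan(src, pat.encode(), out):
        print(f"sector {sec} -> {path}")
```

The output directory must already exist, so that the script never creates anything on a filesystem you did not choose yourself.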

Obviously the data you are rescuing must be important enough to warrant this much trouble with no guarantee of successful results.

Your file could always have been overwritten, or it could be fragmented so you don't find the pieces. But the couple of times I've had to do this (for someone else's data!) we've had pretty good success.

Good luck!

p.s. For different techniques, which can be much better, and tools that can help you, see http://www.faqs.org/docs/Linux-mini/Ext2fs-Undeletion.html

(unless otherwise marked) Copyright 2002-2014 YakPeople. All rights reserved.
(last modified 2005-04-14)