Author: Shahzad Muzaffar
NorthEastern University, USA
Dated: Sep 23, 2008
Phone: +41 (22) 767-1799
I was working on a project and developing software for reliable data transfer that suddendly i did a stupid thing and deleted all my work. I didn't have the backup for that. So I search on the web for the undelete utilities for Linux, I found 2 of those but the procedure was too long.
But one thing which i learnt from these sites was this that how Linux wrote files on disk and how did it delete them. The above two sites have allot of useful information about the way linux save files on disk. The 2nd site has a link to a program called "e2recover", which actually recover the deleted files but the disadvantage of that program is that it does not save files with the original name and also it recover all files in a single directory. e.g. as in my case i have 10 different sets of same files and when i use the e2recover program to undelete these files then it recovers all the files in a single directory and it was really hard to sort out more than 6000 files in 10 different sets. First site has a useful program called "e2dirana" which can list a directory entry. I used this program in my script to get the actual names of the deleted files and to recover the actual directory structure.
"undelete" is a Linux utility to undelete a deleted file/link or direcotry. You can also download it from here . It will recursively read all files under a given dirctory on a file system and save those undeleted files on a different file system. One must have atleast two file system on his/her machine to use this. It will not only recover deleted files but it will also set the owner and file mode to original one.What it needs
"undelete" is a perl script and it uses the "dd", "df" , "dumpe2fs" and "debugfs" commands to undelete the required files. I have tested this on Redhat Linux 6.x and 7.x, and it works fine. These script should work fine with
You can download the latest undelete utility version from here.How to install
You can also download the older version from here.
(Login as a normal user)How to use "undelete.pl":
Run the install-scripts.pl and it will install the undelete utility e.g> cd ~
> gunzip -c undelete.tar.gz | tar -xvf -
> cd undelete
If you have a different version of EXT2FS or don't have permission to read the filesystem of source then please run install-script.pl under user root.
Run the undelete.pl script to retrive the files. You have to provide a destination directory where the undeleted files will be saved. This destination directory should exist on a different filesystem. There are 2 required arguments for undelete.pl script others are optional.
"grep -i -v 'debugfs\|dumpe2fs\|records in\|records out'".
Or if you know the /home/user/important/file1 exists on device /dev/hda7 then you can also say
It will retrive the /home/user/important/file1 file and put it in /data/recovered/file1.
Or if you know the /home/user/important exists on device /dev/hda7 then you can also say
> undelete.pl --src /home/user/important --des /data/recovered
--dev /dev/hda7 --fork --start 200809231200 --end 200809231210 --owner 12345 --type d
Note: You can also provide a existing directory name to retrive all file under that. This could be use for mirroring directories.