Undelete a file in a Linux ext3 filesystem

Posted by Joel Jensen Wed, 19 Dec 2007 01:35:23 GMT

Yes I screwed up. And I needed that file too.

After a lot of looking I found the solution.

Download sleuthkit, unzip it and compile it. The program you need (dls) is in that-folder/bin

Basically:
Open up a terminal session.
su root

# find the device that your hard drive is using
mount | column -t

# open the drive in debugfs (it opens read-only unless you pass -w); in my case the drive is at /dev/sda1
debugfs /dev/sda1

# cd to where the file was
cd /var/mail

# show the deleted files in this directory
ls -d

# deleted entries are listed with their inode number in angle brackets: <somenumbers>
# note that number

q

# find the block group that contains that inode
debugfs: imap <415926>
Inode 415926 is part of block group 25
    located at block 819426, offset 0x0a80

# find the Blocks per group for the drive
debugfs: stats
[...]
Blocks per group: 32768
[...]

# figure out the start block
# start-block= block-group * blocks-per-group

# figure out the end block
# end-block= start-block + blocks-per-group - 1

# Run sleuthkit and get the file
cd {sleuthkit directory}/bin

# for this demo case (block group 25, 32768 blocks per group)
# start-block=819200
# end-block=851967

# make sure that the file you write to ( > ) is on a different filesystem, or you may overwrite the data you are trying to recover. I didn't do this and got lucky.
dls /dev/sda1 819200-851967 > /mnt/yourdata.dat

# your data MAY be at /mnt/yourdata.dat
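
The start-block/end-block arithmetic above as a script; this is an added example, not part of the original post. It goes a little further than the post: it derives the block group from the inode number, adds the filesystem's "First block" offset, and clamps the range for a short last group. The function names and every sample value other than the post's inode 415926 and "Blocks per group: 32768" are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): derive the dls block range
# for the block group that holds a given inode.

# Constructed sample of `debugfs -R stats /dev/sda1` output; only
# "Blocks per group" comes from the post, the other values are assumed.
sample_stats() {
cat <<'EOF'
Block count:              2441406
First block:              0
Blocks per group:         32768
Inodes per group:         16384
EOF
}

# sb_field LABEL TEXT -> value of a "Label:   value" superblock line
sb_field() {
    printf '%s\n' "$2" | awk -F: -v k="$1" \
        '$1 == k { gsub(/[ \t]/, "", $2); print $2; exit }'
}

# inode_block_range INODE < stats-text  -> prints "START-END" for dls
inode_block_range() {
    inode=$1
    sb=$(cat)
    first=$(sb_field "First block" "$sb")
    total=$(sb_field "Block count" "$sb")
    bpg=$(sb_field "Blocks per group" "$sb")
    ipg=$(sb_field "Inodes per group" "$sb")
    for v in "$inode" "$first" "$total" "$bpg" "$ipg"; do
        case $v in ''|*[!0-9]*) echo "missing or non-numeric field" >&2; return 1 ;; esac
    done
    if [ "$inode" -lt 1 ] || [ "$bpg" -lt 1 ] || [ "$ipg" -lt 1 ]; then
        echo "inode and per-group counts must be greater than 0" >&2
        return 1
    fi
    group=$(( (inode - 1) / ipg ))     # inode numbers start at 1
    start=$(( first + group * bpg ))   # "First block" is 1 on 1 KiB-block filesystems
    end=$(( start + bpg - 1 ))
    if [ "$start" -ge "$total" ]; then
        echo "inode $inode is beyond the last block group" >&2
        return 1
    fi
    # The last group is usually short; never ask dls for blocks past the end.
    if [ "$end" -ge "$total" ]; then end=$(( total - 1 )); fi
    echo "$start-$end"
}

sample_stats | inode_block_range 415926
```

On a real disk, feed it the live superblock instead of the sample: `debugfs -R stats /dev/sda1 | inode_block_range 415926`.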