@ebautistabar
Last active April 17, 2024 14:10

Recovering deleted files in Ubuntu with ext4 filesystem

Recently, I deleted some files by mistake on an Ubuntu machine with an ext4 filesystem. These notes document the steps I took to get them back.

Important

  • This procedure assumes that the partition that contained the deleted files is different from the root partition, as that was the scenario I had to deal with (the deleted files were in my home dir). The procedure requires the partition that contained the files to be unmounted, so if the deleted files were in the root partition, the process would be a bit different (e.g. storing the fs journal on a USB stick, using a live CD/USB to boot and issue the commands, etc.).
  • If something is not clear or you need more information, check the sources below.

With that out of the way, let's begin.

Right after deleting the files

Right after deleting the files, open a terminal and make a copy of the filesystem journal:

sudo debugfs -R "dump <8> /opt/sda6.journal" /dev/sda6

/dev/sda6 should be the appropriate path to your device, so change it accordingly. Also, don't store the copy of the journal in /tmp, in case it gets cleaned up.

We want to minimize interaction with the system, so that the blocks which contained the deleted files don't get overwritten. If possible, close all the programs that may be writing to the same partition.

Then, install ext4magic, a disk utility to recover files from ext3 or ext4 partitions.

sudo apt-get install ext4magic

Getting to a root shell

The goal now is to log in as root, drop to run-level 3 and unmount the partition that we have to process. In my case, I tried doing all that without rebooting, but systemd or something else wasn't too happy about it, so in the end I had to shut down by just pressing the power button, as I was kind of locked out of the box.

Anyway, if you reboot too, when the grub screen shows up choose "Advanced options", and then pick the one for "recovery mode".

In the recovery mode menu, quickly select "Enable networking". This enables networking and mounts all filesystems defined in /etc/fstab. The screen will begin to show logs and may seem to hang, but just be patient. In my case it was several minutes until it returned to the menu.

You may be wondering why we mount all filesystems if it was stated at the beginning that the partition shouldn't be mounted. In my case, the reason for doing this is that otherwise the system entered emergency mode after a couple of minutes (while at the same time showing the recovery mode menu superimposed on the screen). Bottom line: the interface to the system was very buggy at that point and seemed kind of dangerous, and using "Enable networking" was the only way I managed to continue the process.

Once the "Enable networking" process finishes and the menu appears again, it should say something like "read/write mode" at the top. Now choose the "root shell" option.

In the root shell

Take note that in this shell, the keyboard will likely use a UK or US layout, which may be different than your usual layout. This effectively means that all the symbols may be out of their usual place.

Having said that, the first step in the shell is unmounting the partition where the deleted files were originally:

umount /home

After that, ext4magic will be able to read the partition. Now execute something like this (explanation just below):

ext4magic /dev/sda6 -a $(date -d "-6hours" +%s) -f user/folder -j /opt/sda6.journal -l
  • again, change the path to your particular device
  • the -a option indicates the start of the time range that ext4magic will process in search of deleted files; it expects a Unix epoch, but we can use the date command, which is a bit more user friendly (in the example we are saying "from 6 hours ago")
  • the end of the time range can be set with the -b option, which takes the same kind of argument as -a
  • -f indicates the folder that we want ext4magic to inspect; the path is relative to the root of the partition, e.g. if the deleted files were on /home/user/folder, and the partition were /home, the path would be user/folder
  • -j indicates that ext4magic will use an external copy of the journal to do the work; if not specified, the regular journal of the filesystem will be used
  • -l lists the deleted files

All the files that are listed with 100% in the left column of the output should be recoverable.

To actually recover the files run this:

ext4magic /dev/sda6 -a 1332606716 -f user/folder -j /opt/sda6.journal -r -d /opt/RECOVER
  • -r is supposed to recover the files that had a 100% in the output of the previous command
  • -d indicates the directory where the recovered files will be stored

After this, exit from the shell and select the "resume" option in the menu. It is normal that the process also recovers unwanted files, files with weird names or duplicated content. Just ignore/delete them.

If there were files with less than 100% in the output of ext4magic, or there were files with 100% that haven't been recovered, then try using the -m option instead of -r. It performs a lengthier process which may be able to get the files back (although there are no guarantees).
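
A preflight check for the procedure above, as an added example that is not part of the original gist: it verifies that the device is unmounted and that neither the journal copy nor the recovery directory sits under the affected mount point or /tmp. The function names are hypothetical, and the sample mounts lines are constructed.

```shell
#!/bin/sh
# Added example: preflight checks before running ext4magic (function names are hypothetical).

# mount_point_of DEVICE [MOUNTS_FILE]: print where DEVICE is mounted, or nothing.
mount_point_of() {
    awk -v dev="$1" '$1 == dev { print $2; exit }' "${2:-/proc/mounts}"
}

# is_under PATH DIR: succeed if PATH is DIR itself or lies below it.
is_under() {
    case "$1/" in
        "${2%/}/"*) return 0 ;;
        *) return 1 ;;
    esac
}

# preflight DEVICE MOUNTPOINT JOURNAL DEST [MOUNTS_FILE]
# MOUNTPOINT is where DEVICE normally lives (e.g. /home). Prints one line per
# problem and returns the number of problems found (0 means safe to proceed).
preflight() {
    dev=$1 mnt=$2 journal=$3 dest=$4 mounts=${5:-/proc/mounts}
    problems=0
    where=$(mount_point_of "$dev" "$mounts")
    if [ -n "$where" ]; then
        echo "$dev is still mounted on $where: umount it first"
        problems=$((problems + 1))
    fi
    for p in "$journal" "$dest"; do
        if is_under "$p" "$mnt"; then
            echo "$p is under $mnt, the mount point of the partition being recovered"
            problems=$((problems + 1))
        elif is_under "$p" /tmp; then
            echo "$p is under /tmp and may be cleaned up"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Demo on a constructed /proc/mounts sample (not real system output).
sample=$(mktemp)
printf '%s\n' '/dev/sda1 / ext4 rw 0 0' '/dev/sda6 /home ext4 rw 0 0' > "$sample"
preflight /dev/sda6 /home /tmp/sda6.journal /home/RECOVER "$sample" || echo "problems found: $?"
rm -f "$sample"
```

Called without the last argument, preflight reads the live /proc/mounts, so it can be run in the root shell right before the ext4magic commands.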

Sources

@EduardoRFS

Thank you dude, that was amazing

@caffeineLover

Thanks. In the last command:

ext4magic /dev/sda6 -a 1332606716 -f user/folder -j /tmp/sda6.journal -r -d /opt/RECOVER

Shouldn't 1332606716 be the output of "$(date -d "-6hours" +%s)"?

@attila9778

Don't forget to re-mount partition.

@arko36

arko36 commented Nov 6, 2021

Hi, thanks for the post. I need some help. I ran into desperation and somehow I corrupted something trying to recover the file with other Linux tools; the file I want to recover now appears as a directory full of other files. Therefore, the filename as a file does not exist in the list. I got the journal backed up before this happened. Is there a way to recover the file? Unfortunately, maybe going deeper in the scan?
This was a very important small file. :-( Thanks in advance.

@guillett

Thank you! I had an issue with Ubuntu displaying empty folders; I thought I had cleaned it, but actually it was full of data. I don't know if I'll recover everything, but that was clear and working (with adaptations). I definitely recommend using -m instead of -r, but be prepared to get a lot of unsorted files.

@brianjmurrell

ext4magic seems to be abandonware, sadly. No new release in nearly 9 years, tickets are going unresponded, and it no longer builds on modern O/Ses.

@andreaskalin

abandonware

I just installed ext4magic with apt-get on Ubuntu 22.04, and it works like a charm.

I just recovered a corrupt file (not deleted) w/o even umounting the filesystem (which was /):

sudo ext4magic /dev/root-device \
    -a $(date -d -24hours +%s) \
    -f /path/to/corrupt/dir \
    -j /other-fs/path/to/exported-journal \
    -R \
    -d /other-fs/destination

Capital R. I was lucky, as I did not immediately see the file was corrupt after a system crash.

Thanks, this saved me a few hours!
