Linux debugfs Hack: Undelete Files

Undeletion means restoring files that have been deleted from a Linux ext3 file system with the rm command. Deleted files can be recovered on ext3 file systems using the debugfs program. This quick tutorial describes how to recover a recently deleted file using nothing but standard Linux command-line utilities.



Only system administrators and the root user can view and recover deleted files using the debugfs command. You need to immediately unmount the file system the deleted file was located on to minimize the risk that the deleted file's data is overwritten by other users or system processes.



A step-by-step guide for recovering files using debugfs

Create a text file called data.txt, enter:

echo 'This is a test' > data.txt

Display the index number (inode) of data.txt, enter:

ls -li data.txt

Sample outputs:

7536648 -rw-r--r-- 1 root root 15 May 3 12:40 data.txt

Note the inode number, 7536648. To view the contents of the ext3 journal (block of data), use the debugfs command. The syntax is as follows:

debugfs -w /dev/device/name/here
debugfs /dev/sda1
debugfs /dev/mapper/SysVolGroup-LogVolRoot

If your file system is on /dev/sda2, enter:

# debugfs -w /dev/sda2

If your file system is on /dev/mapper/wks01-root, enter:

# debugfs -w /dev/mapper/wks01-root

After some time, you will be presented with the debugfs: prompt as follows:

debugfs 1.41.12 (17-May-2010)
debugfs:

Type the following command at the debugfs: prompt to get the block of data:

debugfs: logdump -i <7536648>

Sample outputs:

Inode 7536648 is at group 230, block 7536642, offset 896
Journal starts at block 10875, transaction 38398034
FS block 7536642 logged at sequence 38398245, journal block 12418
  (inode block for inode 7536648):
  Inode: 7536648 Type: regular Mode: 0600 Flags: 0x0 Generation: 1050194965
  User: 0 Group: 0 Size: 0
  File ACL: 0 Directory ACL: 0
  Links: 0 Blockcount: 0
  Fragment: Address: 0 Number: 0 Size: 0
  ctime: 0x4fa249ab -- Thu May 3 04:02:35 2012
  atime: 0x4fa249ab -- Thu May 3 04:02:35 2012
  mtime: 0x4fa249ab -- Thu May 3 04:02:35 2012
  dtime: 0x4fa249ab -- Thu May 3 04:02:35 2012
  Blocks:
FS block 7536642 logged at sequence 38398250, journal block 12537
  (inode block for inode 7536648):
  Inode: 7536648 Type: bad type Mode: 0000 Flags: 0x0 Generation: 0
  User: 0 Group: 0 Size: 0
  File ACL: 0 Directory ACL: 0
  Links: 0 Blockcount: 0
  Fragment: Address: 0 Number: 0 Size: 0
  ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
  atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
  mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
  Blocks:
FS block 7536642 logged at sequence 38398253, journal block 12592
  (inode block for inode 7536648):
  Inode: 7536648 Type: bad type Mode: 0000 Flags: 0x0 Generation: 0
  User: 0 Group: 0 Size: 0
  File ACL: 0 Directory ACL: 0
  Links: 0 Blockcount: 0
  Fragment: Address: 0 Number: 0 Size: 0
  ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
  atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
  mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
  Blocks:
FS block 7536642 logged at sequence 38398258, journal block 12711
  (inode block for inode 7536648):
  Inode: 7536648 Type: bad type Mode: 0000 Flags: 0x0 Generation: 0
  User: 0 Group: 0 Size: 0
  File ACL: 0 Directory ACL: 0
  Links: 0 Blockcount: 0
  Fragment: Address: 0 Number: 0 Size: 0
  ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
  atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
  mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
  Blocks:
FS block 7536642 logged at sequence 38398261, journal block 12765
  (inode block for inode 7536648):
  Inode: 7536648 Type: bad type Mode: 0000 Flags: 0x0 Generation: 0
  User: 0 Group: 0 Size: 0
  File ACL: 0 Directory ACL: 0
  Links: 0 Blockcount: 0
  Fragment: Address: 0 Number: 0 Size: 0
  ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
  atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
  mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
  Blocks:
FS block 7536642 logged at sequence 38398266, journal block 12855
  (inode block for inode 7536648):
  Inode: 7536648 Type: bad type Mode: 0000 Flags: 0x0 Generation: 0
  User: 0 Group: 0 Size: 0
  File ACL: 0 Directory ACL: 0
  Links: 0 Blockcount: 0
  Fragment: Address: 0 Number: 0 Size: 0
  ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
  atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
  mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
  Blocks:
FS block 7536642 logged at sequence 38398270, journal block 12913
  (inode block for inode 7536648):
  Inode: 7536648 Type: bad type Mode: 0000 Flags: 0x0 Generation: 0
  User: 0 Group: 0 Size: 0
  File ACL: 0 Directory ACL: 0
  Links: 0 Blockcount: 0
  Fragment: Address: 0 Number: 0 Size: 0
  ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
  atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
  mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
  Blocks:
FS block 7536642 logged at sequence 38398274, journal block 12981
  (inode block for inode 7536648):
  Inode: 7536648 Type: bad type Mode: 0000 Flags: 0x0 Generation: 0
  User: 0 Group: 0 Size: 0
  File ACL: 0 Directory ACL: 0
  Links: 0 Blockcount: 0
  Fragment: Address: 0 Number: 0 Size: 0
  ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
  atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
  mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
  Blocks:
FS block 7536642 logged at sequence 38398276, journal block 13034
  (inode block for inode 7536648):
  Inode: 7536648 Type: bad type Mode: 0000 Flags: 0x0 Generation: 0
  User: 0 Group: 0 Size: 0
  File ACL: 0 Directory ACL: 0
  Links: 0 Blockcount: 0
  Fragment: Address: 0 Number: 0 Size: 0
  ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
  atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
  mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
  Blocks:
FS block 7536642 logged at sequence 38398280, journal block 13190
  (inode block for inode 7536648):
  Inode: 7536648 Type: bad type Mode: 0000 Flags: 0x0 Generation: 0
  User: 0 Group: 0 Size: 0
  File ACL: 0 Directory ACL: 0
  Links: 0 Blockcount: 0
  Fragment: Address: 0 Number: 0 Size: 0
  ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
  atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
  mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
  Blocks:
FS block 7536642 logged at sequence 38398285, journal block 13252
  (inode block for inode 7536648):
  Inode: 7536648 Type: bad type Mode: 0000 Flags: 0x0 Generation: 0
  User: 0 Group: 0 Size: 0
  File ACL: 0 Directory ACL: 0
  Links: 0 Blockcount: 0
  Fragment: Address: 0 Number: 0 Size: 0
  ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
  atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
  mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
  Blocks:
FS block 7536642 logged at sequence 38398287, journal block 13302
  (inode block for inode 7536648):
  Inode: 7536648 Type: bad type Mode: 0000 Flags: 0x0 Generation: 0
  User: 0 Group: 0 Size: 0
  File ACL: 0 Directory ACL: 0
  Links: 0 Blockcount: 0
  Fragment: Address: 0 Number: 0 Size: 0
  ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
  atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
  mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
  Blocks:
FS block 7536642 logged at sequence 38398290, journal block 13355
  (inode block for inode 7536648):
  Inode: 7536648 Type: bad type Mode: 0000 Flags: 0x0 Generation: 0
  User: 0 Group: 0 Size: 0
  File ACL: 0 Directory ACL: 0
  Links: 0 Blockcount: 0
  Fragment: Address: 0 Number: 0 Size: 0
  ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
  atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
  mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
  Blocks:
FS block 7536642 logged at sequence 38398293, journal block 13409
  (inode block for inode 7536648):
  Inode: 7536648 Type: bad type Mode: 0000 Flags: 0x0 Generation: 0
  User: 0 Group: 0 Size: 0
  File ACL: 0 Directory ACL: 0
  Links: 0 Blockcount: 0
  Fragment: Address: 0 Number: 0 Size: 0
  ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
  atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
  mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
  Blocks:
FS block 7536642 logged at sequence 38398298, journal block 13471
  (inode block for inode 7536648):
  Inode: 7536648 Type: bad type Mode: 0000 Flags: 0x0 Generation: 0
  User: 0 Group: 0 Size: 0
  File ACL: 0 Directory ACL: 0
  Links: 0 Blockcount: 0
  Fragment: Address: 0 Number: 0 Size: 0
  ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
  atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
  mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
  Blocks:
FS block 7536642 logged at sequence 38398302, journal block 13604
  (inode block for inode 7536648):
  Inode: 7536648 Type: bad type Mode: 0000 Flags: 0x0 Generation: 0
  User: 0 Group: 0 Size: 0
  File ACL: 0 Directory ACL: 0
  Links: 0 Blockcount: 0
  Fragment: Address: 0 Number: 0 Size: 0
  ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
  atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
  mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
  Blocks:
FS block 7536642 logged at sequence 38398307, journal block 13700
  (inode block for inode 7536648):
  Inode: 7536648 Type: bad type Mode: 0000 Flags: 0x0 Generation: 0
  User: 0 Group: 0 Size: 0
  File ACL: 0 Directory ACL: 0
  Links: 0 Blockcount: 0
  Fragment: Address: 0 Number: 0 Size: 0
  ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
  atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
  mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
  Blocks:
FS block 7536642 logged at sequence 38398311, journal block 13756
  (inode block for inode 7536648):
  Inode: 7536648 Type: bad type Mode: 0000 Flags: 0x0 Generation: 0
  User: 0 Group: 0 Size: 0
  File ACL: 0 Directory ACL: 0
  Links: 0 Blockcount: 0
  Fragment: Address: 0 Number: 0 Size: 0
  ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
  atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
  mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
  Blocks:
FS block 7536642 logged at sequence 38398314, journal block 13809
  (inode block for inode 7536648):
  Inode: 7536648 Type: bad type Mode: 0000 Flags: 0x0 Generation: 0
  User: 0 Group: 0 Size: 0
  File ACL: 0 Directory ACL: 0
  Links: 0 Blockcount: 0
  Fragment: Address: 0 Number: 0 Size: 0
  ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
  atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
  mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
  Blocks:
FS block 7536642 logged at sequence 38398317, journal block 13864
  (inode block for inode 7536648):
  Inode: 7536648 Type: bad type Mode: 0000 Flags: 0x0 Generation: 0
  User: 0 Group: 0 Size: 0
  File ACL: 0 Directory ACL: 0
  Links: 0 Blockcount: 0
  Fragment: Address: 0 Number: 0 Size: 0
  ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
  atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
  mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
  Blocks:
FS block 7536642 logged at sequence 38398320, journal block 13921
  (inode block for inode 7536648):
  Inode: 7536648 Type: bad type Mode: 0000 Flags: 0x0 Generation: 0
  User: 0 Group: 0 Size: 0
  File ACL: 0 Directory ACL: 0
  Links: 0 Blockcount: 0
  Fragment: Address: 0 Number: 0 Size: 0
  ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
  atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
  mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
  Blocks:
FS block 7536642 logged at sequence 38398325, journal block 13980
  (inode block for inode 7536648):
  Inode: 7536648 Type: bad type Mode: 0000 Flags: 0x0 Generation: 0
  User: 0 Group: 0 Size: 0
  File ACL: 0 Directory ACL: 0
  Links: 0 Blockcount: 0
  Fragment: Address: 0 Number: 0 Size: 0
  ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
  atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
  mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
  Blocks:
FS block 7536642 logged at sequence 38401277, journal block 23924
  (inode block for inode 7536648):
  Inode: 7536648 Type: bad type Mode: 0000 Flags: 0x0 Generation: 0
  User: 0 Group: 0 Size: 0
  File ACL: 0 Directory ACL: 0
  Links: 0 Blockcount: 0
  Fragment: Address: 0 Number: 0 Size: 0
  ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
  atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
  mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
  Blocks:
FS block 7536642 logged at sequence 38401314, journal block 24107
  (inode block for inode 7536648):
  Inode: 7536648 Type: bad type Mode: 0000 Flags: 0x0 Generation: 0
  User: 0 Group: 0 Size: 0
  File ACL: 0 Directory ACL: 0
  Links: 0 Blockcount: 0
  Fragment: Address: 0 Number: 0 Size: 0
  ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
  atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
  mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
  Blocks:
FS block 7536642 logged at sequence 38401325, journal block 24146
  (inode block for inode 7536648):
  Inode: 7536648 Type: regular Mode: 0644 Flags: 0x0 Generation: 1050269005
  User: 0 Group: 0 Size: 15
  File ACL: 0 Directory ACL: 0
  Links: 1 Blockcount: 8
  Fragment: Address: 0 Number: 0 Size: 0
  ctime: 0x4fa2c307 -- Thu May 3 12:40:23 2012
  atime: 0x4fa2c307 -- Thu May 3 12:40:23 2012
  mtime: 0x4fa2c307 -- Thu May 3 12:40:23 2012
  Blocks: (0+1): 7559168
Found sequence 38395723 (not 38401480) at block 24688: end of journal.

Note the Blocks: (0+1): 7559168 line. To remove the data.txt file, enter:

rm data.txt

ls data.txt

Sample outputs:

ls: cannot access data.txt: No such file or directory

To recover the file, enter:

# dd if=/dev/mapper/wks01-root of=data.txt bs=4096 count=1 skip=7559168

Sample outputs:

1+0 records in
1+0 records out
4096 bytes (4.1 kB) copied, 0.010884 seconds, 376 kB/s

Verify that the data is recovered, enter:

cat data.txt

Sample outputs:

This is a test

Howto: Recover a file when you don’t know the inode number

Delete a file called 521.sh:

rm 521.sh

Type the following command:

# debugfs -w /dev/mapper/wks01-root

At the debugfs: prompt, type the lsdel command:

debugfs: lsdel

Sample outputs:

   Inode  Owner    Mode  Size  Blocks  Time deleted
23601299      0  120777     3  1/ 1    Tue Mar 13 16:17:30 2012
 7536655      0  120777     3  1/ 1    Tue May 1 06:21:22 2012
2 deleted inodes found.

Get block data, enter:

debugfs: logdump -i <7536655>

Sample outputs:

Inode 7536655 is at group 230, block 7536642, offset 1792
Journal starts at block 10875, transaction 38398034
FS block 7536642 logged at sequence 38398245, journal block 12418
  (inode block for inode 7536655):
  Inode: 7536655 Type: symlink Mode: 0777 Flags: 0x0 Generation: 3532221116
  User: 0 Group: 0 Size: 3
  File ACL: 0 Directory ACL: 0
  Links: 0 Blockcount: 0
  Fragment: Address: 0 Number: 0 Size: 0
  ctime: 0x4f9fc732 -- Tue May 1 06:21:22 2012
  atime: 0x4f9fc730 -- Tue May 1 06:21:20 2012
  mtime: 0x4f9fc72f -- Tue May 1 06:21:19 2012
  dtime: 0x4f9fc732 -- Tue May 1 06:21:22 2012
  Fast_link_dest: bin
  Blocks: (0+1): 7235938
FS block 7536642 logged at sequence 38398250, journal block 12537
  (inode block for inode 7536655):
  Inode: 7536655 Type: symlink Mode: 0777 Flags: 0x0 Generation: 3532221116
  User: 0 Group: 0 Size: 3
  File ACL: 0 Directory ACL: 0
  Links: 0 Blockcount: 0
  Fragment: Address: 0 Number: 0 Size: 0
  ctime: 0x4f9fc732 -- Tue May 1 06:21:22 2012
  atime: 0x4f9fc730 -- Tue May 1 06:21:20 2012
  mtime: 0x4f9fc72f -- Tue May 1 06:21:19 2012
  dtime: 0x4f9fc732 -- Tue May 1 06:21:22 2012
  Fast_link_dest: bin
  Blocks: (0+1): 7235938
FS block 7536642 logged at sequence 38398253, journal block 12592
  (inode block for inode 7536655):
  Inode: 7536655 Type: symlink Mode: 0777 Flags: 0x0 Generation: 3532221116
  User: 0 Group: 0 Size: 3
  File ACL: 0 Directory ACL: 0
  Links: 0 Blockcount: 0
  Fragment: Address: 0 Number: 0 Size: 0
  ctime: 0x4f9fc732 -- Tue May 1 06:21:22 2012
  atime: 0x4f9fc730 -- Tue May 1 06:21:20 2012
  mtime: 0x4f9fc72f -- Tue May 1 06:21:19 2012
  dtime: 0x4f9fc732 -- Tue May 1 06:21:22 2012
  Fast_link_dest: bin
  Blocks: (0+1): 7235938
... ... ....
output truncated
  Fast_link_dest: bin
  Blocks: (0+1): 7235938
FS block 7536642 logged at sequence 38402086, journal block 26711
  (inode block for inode 7536655):
  Inode: 7536655 Type: symlink Mode: 0777 Flags: 0x0 Generation: 3532221116
  User: 0 Group: 0 Size: 3
  File ACL: 0 Directory ACL: 0
  Links: 0 Blockcount: 0
  Fragment: Address: 0 Number: 0 Size: 0
  ctime: 0x4f9fc732 -- Tue May 1 06:21:22 2012
  atime: 0x4f9fc730 -- Tue May 1 06:21:20 2012
  mtime: 0x4f9fc72f -- Tue May 1 06:21:19 2012
  dtime: 0x4f9fc732 -- Tue May 1 06:21:22 2012
  Fast_link_dest: bin
  Blocks: (0+1): 7235938
No magic number at block 28053: end of journal.

Type the following command:

# dd if=/dev/mapper/wks01-root of=recovered.file.001 bs=4096 count=1 skip=7235938

# file recovered.file.001

Sample outputs:

file: ASCII text, with very long lines

To view the file, enter:

# more recovered.file.001
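The journal lookup and dd step used in both procedures above, as an added shell example that is not part of the original tutorial: it picks the newest journal copy of an inode that still maps a data block and carves that block, trimmed to the recorded file size. The function names, the sample logdump text and the 8-block image are constructed for illustration; on a real system the input would come from debugfs -R "logdump -i <INODE>" DEVICE, which opens the file system read-only because -w is not given.

```shell
#!/bin/sh
BS=4096  # file-system block size, as in the tutorial's dd commands
# Constructed logdump text (not real output): the journal copy written before
# deletion maps block 3; the copy written after deletion maps nothing.
sample_logdump() { cat <<'EOF'
Inode 12 is at group 0, block 5, offset 1408
Journal starts at block 1, transaction 2
FS block 5 logged at sequence 2, journal block 7
    (inode block for inode 12):
    Inode: 12   Type: regular   Mode: 0644   Flags: 0x0   Generation: 1
    User: 0   Group: 0   Size: 15
    Fragment:  Address: 0    Number: 0    Size: 0
    Blocks:  (0+1): 3
FS block 5 logged at sequence 3, journal block 9
    (inode block for inode 12):
    Inode: 12   Type: regular   Mode: 0644   Flags: 0x0   Generation: 1
    User: 0   Group: 0   Size: 0
    Fragment:  Address: 0    Number: 0    Size: 0
    Blocks:
Found sequence 1 (not 4) at block 11: end of journal.
EOF
}
# stdin: logdump text. stdout: "START COUNT SIZE" for the newest journal copy
# that still maps data. Only a single "(0+COUNT): START" extent is handled.
# (Hypothetical helper; works on one token per line, so line layout is irrelevant.)
newest_extent() {
    tr -s ' \t' '\n\n' | awk '
        st == "size"  { size = $0; st = ""; next }
        st == "ext"   { st = ""
                        if ($0 ~ /^\(0\+[0-9]+\):$/) { cnt = substr($0, 4); sub(/\):$/, "", cnt); st = "start" }
                        next }
        st == "start" { st = ""; if ($0 ~ /^[0-9]+$/) best = $0 " " cnt " " size; next }
        $0 == "Inode:"        { want = 1 }
        $0 == "Size:" && want { want = 0; st = "size" }   # file size, not the Fragment size
        $0 == "Blocks:"       { st = "ext" }
        END { if (best == "") exit 1; print best }'
}
# carve DEVICE OUTFILE START COUNT SIZE
# Copies COUNT blocks from block START and keeps only SIZE bytes, dropping the
# slack that a whole-block dd would leave after the end of the file.
carve() {
    [ "$5" -le $(( $4 * BS )) ] || return 2   # extent shorter than file: more extents exist
    dd if="$1" bs="$BS" skip="$3" count="$4" 2>/dev/null | head -c "$5" > "$2"
}
demo() {
    img=$(mktemp) && out=$(mktemp) || return 1
    # Constructed 8-block image standing in for the device, file bytes in block 3.
    dd if=/dev/zero of="$img" bs="$BS" count=8 2>/dev/null
    printf 'This is a test\n' | dd of="$img" bs="$BS" seek=3 conv=notrunc 2>/dev/null
    ext=$(sample_logdump | newest_extent) || return 1
    set -- $ext
    carve "$img" "$out" "$1" "$2" "$3" && cat "$out"
    rm -f "$img" "$out"
}
demo
```

Writing the recovered file to a different file system than the one being examined avoids overwriting the blocks you are trying to read.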

A note about an easy-to-use tool called PhotoRec

Now you know the basic hacks for recovering files under ext3 or ext4. However, I strongly recommend that you make backups. It cannot be stressed enough how important it is to make a backup. Another option is PhotoRec. It is file data recovery software designed to recover lost files, including video, documents and archives, from hard disks and CD-ROMs, and lost pictures from digital camera memory. PhotoRec ignores the file system and goes after the underlying data, so it will still work even if your media’s file system has been severely damaged or reformatted. PhotoRec is free: this open source, multi-platform application is distributed under the GNU General Public License (GPL v2+). PhotoRec is a companion program to TestDisk, an app for recovering lost partitions on a wide variety of file systems and making non-bootable disks bootable again. You can download them from this link. You can install testdisk using the following apt-get command or yum command:

# yum install testdisk

OR

# apt-get install testdisk

To recover files, simply type:

# photorec

Stay tuned for more information on the photorec and testdisk data recovery tools. For more information, I recommend that you view the manual page on debugfs using the following command:

$ man debugfs