home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
BURKS 2
/
BURKS_AUG97.ISO
/
BURKS
/
LINUX
/
HOWTO
/
mini
/
e2fsundl.txt
< prev
next >
Wrap
Text File
|
1997-07-07
|
42KB
|
897 lines
Ext2fs Undeletion mini-HOWTO
****************************
by Aaron Crane <aaronc@pobox.com>
v1.0, Sat Jan 18 1997
Contents
========
0. Introduction
1. How *not* to delete files
2. What recovery rate can I expect?
3. So, how do I undelete a file?
4. Unmounting the filesystem
5. Preparing to change inodes directly
6. Preparing to write data elsewhere
7. Finding the deleted inodes
8. Obtaining details of the inodes
9. Recovering data blocks
10. Modifying inodes directly
11. Will this get easier in future?
12. Are there any tools to automate this process?
Appendices
----------
A. Colophon
B. Credits
C. Bibliography
D. Legalities
0. Introduction
================
This mini-Howto attempts to provide hints on how to retrieve deleted files
from an ext2 filesystem. There is also a limited amount of discussion of
how to avoid deleting files in the first place.
I intend it to be useful certainly for people who have just had, shall we
say, a little accident with `rm'; however, I also hope that people read it
anyway. You never know -- one day, some of the information in here could
save your bacon.
The text assumes a little background knowledge about Unix filesystems in
general; however, I hope that it will be accessible to most Linux users.
If you are an outright beginner, I'm afraid that undeleting files under
Linux *does* require a certain amount of technical knowledge and
persistence, at least for the time being.
You will be unable to recover deleted files from an ext2 filesystem without
at least read access to the raw device on which the file was stored. In
general, this means that you must be root. You also need `debugfs' from
the `e2fsprogs' package. This should have been installed by your
distribution.
Why have I written this? It stems largely from my own experiences with a
particularly foolish and disastrous `rm -r' command as root. I deleted
about 97 JPEG files which I needed and could almost certainly not recover
from other sources. Using some helpful tips (see Appendix B, `Credits')
and a great deal of persistence, I recovered 91 files undamaged. I managed
to retrieve at least parts of five of the rest (enough to see what the
picture was in each case). Only one was undisplayable, and even for this
one, I am fairly sure that no more than 1024 bytes were lost (though
unfortunately from the beginning of the file; given that I know nothing
about the JFIF file format I had done as much as I could).
I shall discuss further below what sort of recovery rate you can expect for
deleted files.
1. How *not* to delete files
=============================
It is vital to remember that Linux is not MS-DOG. For MS-DOG (including
Windoze 95), it is generally fairly straightforward to undelete a file --
the `operating system' (I use the term loosely) even comes with a utility
which automates much of the process. For Linux, this is not the case.
So. Rule number one (the prime directive, if you will) is:
*** KEEP BACKUPS ***
no matter what. I know, I'm a fine one to talk. I shall merely plead
impoverishment (being a student must have *some* perks) and exhort all
right-thinking Linux users to go out and buy a useful backup device, work
out a decent backup schedule, and to *stick to it*. For more information
on this, see Frisch (1995).
In the absence of backups, what then? (Or even in the presence of backups:
belt and braces is no bad policy where important data is concerned.)
Try to set the permissions for important files to 440 (or less): denying
yourself write access to them means that `rm' requires an explicit
confirmation before deleting. (I find, however, that if I'm recursively
deleting a directory with `rm -r', I'll interrupt the program on the first
or second confirmation request and reissue the command as `rm -rf'.)
A good trick for selected files is to create a hard link to them in a
hidden directory. I heard a story once about a sysadmin who repeatedly
deleted /etc/passwd by accident (thereby half-destroying the system). One
of the fixes for this was to do something like the following (as root):
# mkdir /.backup
# ln /etc/passwd /.backup
It requires quite some effort to delete the file contents completely: if
you say
# rm /etc/passwd
then
# ln /.backup/passwd /etc
will retrieve it. Of course, this does not help in the event that you
overwrite the file, so keep backups anyway.
Some people advocate making `rm' a shell alias or function for `rm -i'
(which asks for confirmation on *every* file you delete). Personally, I
cannot stand software which won't run unattended, so I don't do that.
There is also the problem that sooner or later, you'll be running in
single-user mode, or using a different shell, or even a different machine,
where your `rm' function doesn't exist. If you expect to be asked for
confirmation, it is easy to forget where you are and to specify too many
files for deletion. Likewise, the various scripts and programs that
replace `rm' are, IMHO, very dangerous.
A slightly better solution is to start using a package which handles
`recyclable' deletion without using any variant of the `rm' command. For
details on these, see Peek, et al (1993).
2. What recovery rate can I expect?
====================================
That depends. Among the problems with recovering files on a high-quality,
multi-tasking, multi-user operating system like Linux is that you never
know when someone wants to write to the disk. So when the operating system
is told to delete a file, it assumes that the blocks used by that file are
fair game when it wants to allocate space for a new file. (This is a
specific example of a general principle for Linux: the tools and kernel
assume that the users aren't idiots.) In general, the more usage your
machine gets, the less likely you are to be able to recover files
successfully.
Also, disk fragmentation can affect the ease of recovering files. If the
partition containing the deleted files is very fragmented, you are unlikely
to be able to read a whole file.
If your machine, like mine, is effectively a single-user workstation (mine
doesn't even have a net connection yet; maybe next year), and you weren't
doing anything disk-intensive at the fatal moment of deleting those files,
I would expect a recovery rate in the same ball-park as detailed above. I
retrieved nearly 94% of the files (and these were binary files, please
note) undamaged. If you get 80% or better, you can feel pretty pleased
with yourself, I should think.
3. So, how do I undelete a file?
=================================
The procedure principally involves finding the data on the raw partition
device and making it visible again to the operating system. There are
basically two ways of doing this: one is to modify the existing filesystem
such that the deleted inodes have their `deleted' flag removed, and hope
that the data just magically falls back into place. The other method,
which is safer but slower, is to work out where the data lies in the
partition and write it out into a new file.
Sections 4 through 6 detail some steps you need to take before beginning to
attempt your data recovery. Sections 7 through 10 discuss how to actually
retrieve your files.
4. Unmounting the filesystem
=============================
Regardless of which method you choose, the first step is to unmount the
filesystem containing the deleted files. I strongly discourage any urges
you may have to mess around on a mounted filesystem. This step should be
performed *as soon as possible* after you realise that the files have been
deleted.
The simplest method is as follows: assuming the deleted files were in the
/usr partition, say:
# umount /usr
You may, however, want to keep some things in /usr available. So remount
it read-only:
# mount -o ro,remount /usr
If the deleted files were on the root partition, you'll need to add a `-n'
option to prevent mount from trying to write to /etc/mtab:
# mount -n -o ro,remount /
Regardless of all this, it is possible that there will be another process
using that filesystem (which will cause the unmount to fa