SuSE Linux: All versions
Kernel: Versions since 2.0
You have accidentally deleted one or more files on a Linux ext2 file system. You do not have any backup and you would like to restore the contents of these files.
Similarly to other operating systems, a file is 'deleted' on the Linux ext2 file system by deleting the relevant references in the folder file. After the deletion, the file data are released to be overwritten but they are still readable on the hard disk. The released data blocks are only overwritten when new files are created.
In addition, after the deletion there is still the so-called inode that contains the logical concatenation of the blocks and the whole access rights. The deletion time is also stored here. The file name is the only thing that has really and definitely been lost through the deletion.
In order to achieve a 'safe' (i.e. definite) deletion on the ext2 file system when
executing a delete command, you can set a flag with the command chattr
.
Thus, the deleted file will be completely overwritten with zeros by the kernel. It might
be possible to restore data deleted in such a way by using special devices, but never
with the method described here.
Warning: the program debugfs
mentioned below provides you with a system-oriented
access to the file system. However, it might be very dangerous for the remaining data to experiment
with the commands described in the 'help' and/or in the manpage if you do not have a good insight into the
ext2 file system. Therefore, we recommend you to create a test partition for experimental
purposes.
Do not execute any more write accesses on the file system where you
want to restore the files. Particularly creating new files can be fatal for the data
you want to restore. If you only use a '/' partition, shut down your computer and
boot again with a rescue system. Otherwise, you just need to append the command
umount
to the affected partition(s). Regarding the use of mount and
umount, please refer to the chapter "Getting started with Linux" in your Basics manual.
Let us assume that you have accidentally deleted the following files and you would like to restore them.
earth:/mnt/attempt # ls -la protocole_2009.txt -rw-r--r-- 1 cg suse 1050 Dec 29 13:31 protocole_2009.txt earth:/mnt/attempt # rm protocole_2009.txt
First unmount the affected partition.
earth:~# umount /mnt
According to the example above, the partition is /dev/sdc1
, which is
mounted on the mountpoint /mnt
. In the examples below you have to replace
'device name' with the actual device name in your system. Enter the
command debugfs devicename
to start the file system debugger. Once started,
it announces itself with the prompt debugfs:
. Here you can enter commands to
directly access the file system.
earth:/# debugfs /dev/sdc1 debugfs 1.17, 26-Oct-1999 for EXT2 FS 0.5b, 95/08/09 debugfs: lsdel 1 deleted inodes found. Inode Owner Mode Size Blocks Time deleted 25794 515 100644 1050 2/ 2 Wed Dec 29 13:32:32 1999
The command lsdel
displays a list of the deleted inodes.
If you have deleted several files but you want to restore only one of them, the
file permissions mode, owner (here as numeric user id),
deletion time, and the former size of file make it easier for you to find
the file you want to restore. The inode number, 25794 in the example above, is
particularly important for the dump
command explained below.
The following command enables you to restore the deleted files as new files saved in the /tmp directory with the same permissions. Do not forget to enter the left and right angle brackets < and >!
debugfs: dump -p <25794> /tmp/saved debugfs: quit earth:/# ls -l /tmp/saved -rw-r--r-- 1 cg suse 1050 Dec 29 13:31 /tmp/savedNow you can mount the file system again and retrieve the files from the /tmp directory.
There are other methods to restore these files but this one has the advantage of not requiring any write access on debugfs and not conducting a file system check after having restored the files.