Saturday, June 05, 2010

extundelete to the rescue! usual fashion, I had a minor foul up today. I was overzealous in my desire to reclaim disk space and zapped some primary source vids off of my ext4 partition. Ooops. Thankfully, I found extundelete, a program that scans ext3 and ext4 filesystem journals and recovers files from those journals:

Here's what I did to recover the files.
1) In order to prevent the deleted files being overwritten, I immediately stopped whatever work I was doing and unmounted the drive that the files were on. In my case:
umount /dev/mapper/vg_ogre-lv_root

2) Well, that's my root drive. So before rebooting to my Fedora 12 Live CD, I checked that Fedora had the extundelete program in its repository. I was in luck!
[root@localhost ~]# yum install extundelete
Loaded plugins: presto, refresh-packagekit

20 kB 00:00
4.2 kB 00:00
9.7 MB 00:10
16 kB 00:00
4.5 kB 00:00
4.3 MB 00:01
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package extundelete.i686 0:0.1.8-2.fc12 set to be updated
--> Finished Dependency Resolution

You can also compile from source at the link above.

3) Since extundelete requires you to access an unmounted filesystem, I rebooted to Fedora 12 Live CD

4) I installed extundelete from the Fedora Updates repository
Transaction Summary
Install 1 Package(s)
Upgrade 0 Package(s)

Total download size: 52 k
Is this ok [y/N]: y
Downloading Packages:
Setting up and reading Presto delta metadata
4.4 kB 00:00
Processing delta metadata
Package(s) data still to download: 52 k
rpm 52 kB 00:00
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : extundelete-0.1.8-2.fc12.i686

extundelete.i686 0:0.1.8-2.fc12


5) In order to restore deleted files, you must have a partition mounted that has enough space for the recovered files. I have a second partition (/mnt/backups) that I use to backup my main root partition. So while running under the Live CD, I created a destination directory and mounted /mnt/backups:
[root@localhost /]# mkdir /mnt/backup[root@localhost /]# mount -t ext3 /dev/mapper/vg_ogre-lv_backup /mnt/backup

6) Though you can specify that extundelete undeletes individual files or all files on a filesystem, I ran extundelete with the proper command switches to undelete an entire directory of files.  Note that you should be in the directory that has plenty of space for the restore, as extundelete defaults to restoring what it finds to the present working directory:
[root@localhost backup]# extundelete /dev/mapper/vg_ogre-lv_root --restore-directory "mnt/videos/stormpigs/20100408"

WARNING: Extended attributes are not restored.

Loading group metadata ... 27025 groups loaded.

Loading journal descriptors ... 30695 descriptors loaded.

Writing output to directory RECOVERED_FILES/

Searching for recoverable inodes in directory mnt/videos/stormpigs/20100408 ...

309 recoverable inodes found.

Looking through the directory structure for deleted files ...
Restored inode 2495842 to file RECOVERED_FILES/mnt/videos/

Restored inode 2495844 to file RECOVERED_FILES/mnt/videos/

Restored inode 57147521 to file RECOVERED_FILES/mnt/videos/

Restored inode 57147522 to file RECOVERED_FILES/mnt/videos/

Restored inode 57147525 to file RECOVERED_FILES/mnt/videos/

Restored inode 57147528 to file RECOVERED_FILES/mnt/videos/

Restored inode 57147532 to file RECOVERED_FILES/mnt/videos/

Success..or close enough to it
This is good..I've undeleted all but one of the files I had deleted. So, it looks like before I unmounted my root partition, the inode for "20100408_1.m2t" was overwritten. Oh well, two out of three ain't bad.

Update 2011/10/05
This works nicely with ext4 partitions as well.
*** end update ***

Anyway, this short post should give you some comfort that extundelete actually does what it is supposed to. Thanks number9652!!