Featured Posts

GoAccess is an interactive and website / web-server log analyzer tool currently better than the ApacheTop interface. It provides fast and valuable HTTP statistics for system administrators that require a visual...

Readmore

AjaxMyTop AjaxMyTop is a Web-based tool featuring an AJAX user interface for monitoring a MySQL server. Installing and configuring is fairly simple which you can done it within 2 minutes. [caption id="attachment_587"...

Readmore

Mod_spin is a content handler and/or a filter, meaning, for a specified file extension, mod_spin will read the file (or other input), parse it into an Abstract Syntax Tree (AST) and then replace the occurrences...

Readmore

Server Monitoring using DSTAT DSTAT an excellent tool which combines the overall stats of vmstat, iostat, netstat and ifstat. Dstat allows us to view all of the system resources in the real-time including the network bandwidth, network...

Readmore

BWM-NG Monitoring Network Bandwidth and Disk I/O using BWM-NG BWN-NG (Bandwidth-NG) is old and simple tool to monitor the bandwidth and disk I/O including the RAMdisk usage, this tool really helps the...

Readmore

  • Prev
  • Next

Extundelete

Posted on : 25-10-2011 | By : admin | In : Admin Tools

Tags:

0

Extundelete is a simple and effective tool helps to recover files / directory from ext3 and ext4 filesystems. Although many recovery tools are available this tool is really so simple and a real life saver for admins or user who accidently removed any important files or directory. Extundelete uses the information stored in the partition’s journal to attempt to recover a file that has been deleted from the partition.

 

Installing Extundelete

 

Source installation is simple and it can be done in just 2 minutes. Before installing it from source, make sure you have already installed the e2fsprogs version 1.41 and e2fslibs packages (for centOS / rhel based system package names are e2fsprogs  & e2fsprogs-libs). Ssh your server as root.

 

 

 

How to use Extundelete

 

Let us try a demo delete / recovery files / folders to get familer with this tool. I have tried a testing in one of my drive partiton /dev/sdb1 mounted as /backup. Create a folder named gnutool-delete under /backup and copy some of the files/directories inside this folder. For example

 

  • # mkdir -p /backup/gnutool-delete
    # cd /backup/gnutool-delete
    # man man > file1-test.txt
    # man man > file2-test.txt
    #mkdir folder1; cd folder1; man man > file1-test.txt

 

Now delete the folder using rm -rf

 

  • # rm -rf /backup/gnutool-delete

 

Once you have removed the folder you have to act quicker and either unmount or remount the partiton as read-only (For how to remount as readonly click here) as soon as possible to avoid overwritting of files/folder with new inodes. Since i have the /backup mounted on /dev/sdb1, all i did was

 

  • # umount /backup

 

Recovering deleted files using Extundelete

 

Extundelete will restore any files it finds to a subdirectory of the current directory named “RECOVERED_FILES”. To run the program, type “extundelete –help” to see various options available to you.  To recover all the deleted folder files :

 

  • # extundelete /dev/sdb1 –restore-all

 

This will take a couple of minutes to read the directory structure and looking for a recoverable file within it. It will start recovering the files under the sub directory “RECOVERED_FILES” of the current directory. If you want to recover a large sized data files make sure your current directory is capable of holding the size.

 

  • # cd RECOVERED_FILES
    # ls

 

You will be able to see the directory “gnutool-delete” with all the files which was deleted before. You can also use the following syntax if you just want to recover the deleted folder “gnutool-delete” instead of recovering all.

 

  • # extundelete /dev/sdb1 —-restore-directory /backup/gnutool-delete

 

Recovering the / partition files

 

If you have deleted something under the / primary partiton for example /etc/passwd and want to recover that file. Try (i assume that you have addition harddrive to store the recovered file).

 

  • # mount -o remount,ro /
    # cd /secondarydrive (should have read/write access)
    # extundelete / —-restore-files /etc/passwd
    # cd RECOVERED_FILES
    # ls

 

You should be able to see the passwd file which was removed before.

 

NOTE : There is no guarantee that any particular file will be able to be undeleted, so always try to have a good backup system in place, or at least put one in place after recovering your files!

 

UseFul Links

 

Extundelete home page
Extundelete command line options
How to mount filesystem as readonly

Write a comment

You must be logged in to post a comment.