Extundelete

Extundelete is a simple and effective tool helps to recover files / directory from ext3 and ext4 filesystems. Although many recovery tools are available this tool is really so simple and a real life saver for admins or user who accidently removed any important files or directory. Extundelete uses the information stored in the partition’s journal to attempt to recover a file that has been deleted from the partition.

 

Installing Extundelete

 

Source installation is simple and it can be done in just 2 minutes. Before installing it from source, make sure you have already installed the e2fsprogs version 1.41 and e2fslibs packages (for centOS / rhel based system package names are e2fsprogs  & e2fsprogs-libs). Ssh your server as root.

 

 

• # cd /usr/src
• # wget http://gnutoolbox.com/download/linux/hdd/extundelete-0.2.0.tar
• # tar -xvf extundelete-0.2.0.tar
• # ./configure
• # make && make install

 

How to use Extundelete

 

Let us try a demo delete / recovery files / folders to get familer with this tool. I have tried a testing in one of my drive partiton /dev/sdb1 mounted as /backup. Create a folder named gnutool-delete under /backup and copy some of the files/directories inside this folder. For example

 

• # mkdir -p /backup/gnutool-delete
  # cd /backup/gnutool-delete
  # man man > file1-test.txt
  # man man > file2-test.txt
  #mkdir folder1; cd folder1; man man > file1-test.txt

 

Now delete the folder using rm -rf

 

• # rm -rf /backup/gnutool-delete

 

Once you have removed the folder you have to act quicker and either unmount or remount the partiton as read-only (For how to remount as readonly click here) as soon as possible to avoid overwritting of files/folder with new inodes. Since i have the /backup mounted on /dev/sdb1, all i did was

 

• # umount /backup

 

Recovering deleted files using Extundelete

 

Extundelete will restore any files it finds to a subdirectory of the current directory named “RECOVERED_FILES”. To run the program, type “extundelete –help” to see various options available to you.  To recover all the deleted folder files :

 

• # extundelete /dev/sdb1 –restore-all

 

This will take a couple of minutes to read the directory structure and looking for a recoverable file within it. It will start recovering the files under the sub directory “RECOVERED_FILES” of the current directory. If you want to recover a large sized data files make sure your current directory is capable of holding the size.

 

• # cd RECOVERED_FILES
  # ls

 

You will be able to see the directory “gnutool-delete” with all the files which was deleted before. You can also use the following syntax if you just want to recover the deleted folder “gnutool-delete” instead of recovering all.

 

• # extundelete /dev/sdb1 —-restore-directory /backup/gnutool-delete

 

Recovering the / partition files

 

If you have deleted something under the / primary partiton for example /etc/passwd and want to recover that file. Try (i assume that you have addition harddrive to store the recovered file).

 

• # mount -o remount,ro /
  # cd /secondarydrive (should have read/write access)
  # extundelete / —-restore-files /etc/passwd
  # cd RECOVERED_FILES
  # ls

 

You should be able to see the passwd file which was removed before.

 

NOTE : There is no guarantee that any particular file will be able to be undeleted, so always try to have a good backup system in place, or at least put one in place after recovering your files!

 

UseFul Links

 

Extundelete home page
Extundelete command line options
How to mount filesystem as readonly