On Thu, 5 Dec 2002, Aaron Konstam wrote: >Date: Thu, 5 Dec 2002 10:15:57 -0600 >From: Aaron Konstam <akonstam@Trinity.Edu> >To: psyche-list@redhat.com >Content-Type: text/plain; charset=us-ascii >List-Id: Discussion of Red Hat Linux 8.0 (Psyche) <psyche-list.redhat.com> >Subject: Re: Undelete for Linux > >On Thu, Dec 05, 2002 at 03:54:40PM -0000, Rimas wrote: >> Is there a way to undelete files on RedHat 7.3/8.0? >> >> Thank you >> >For ext2 file systems this can be done with dumpe2fs, mc and a program that can >be downloaded from contributed sites called restore. > >I have yet to see any thing that admits it can recover files in ext3 file >systems but I haven't really tried. An ext3 filesystem is an ext2 filesystem, with the addition of the journal file, so recovery is identical. Another method which is much easier, is to remount the partition read-only that the files were deleted from, after forcefully doing a "kill -9" on any software preventing remounting, and then using Midnight Commander (mc) to recover the files using it's built in undelfs support. After a very long time of undelfs scanning the disk, it will present you with all of the deleted inodes, and you can select them for undeletion. Note that these files may be recoverable, or they may have already been destroyed because a deleted file's blocks are free to be used by the system for future disk writes. Attempting to recover deleted files is a crap shoot because you are praying that the OS has not yet used the deleted blocks for something else. If it has, you are screwed. The deleted files no longer have filenames, just the inode number. So you'll get a huge list of inode numbers like "#34524" for filenames. The easiest way to find your goodies, is to recover ALL of them to a separate partition that can hold all of the data, then hunt through it with unix utilities like grep/strings/etc. or you can search the list in mc sorted by date/time, etc. Recovering deleted files is not fun, but mc makes it somewhat easier than using something like debugfs. The important thing is to remount the partition readonly first that contains the files deleted. And to realize that until you get it readonly mounted, any command you run could cause the disk to be written to. For example, "init 1" to switch to single user mode might seem like a nice quick way to do it, however that will cause many services to cleanly shut down, and also to write to disk, write to syslog, etc. Make sure whatever you do, you are preventing apps from writing to the partition with the deleted files. If the partition is very very full and has little free space, this is ultraimportant. On partitions with more free space, it is less risky. Anyway, I hope this helps. -- Mike A. Harris ftp://people.redhat.com/mharris OS Systems Engineer - XFree86 maintainer - Red Hat -- Psyche-list mailing list Psyche-list@redhat.com https://listman.redhat.com/mailman/listinfo/psyche-list
