Last active
February 21, 2026 11:18
-
-
Save ebautistabar/cca12863e6335d08a019f015f53fac4a to your computer and use it in GitHub Desktop.
Revisions
-
ebautistabar revised this gist
Jul 15, 2016 . 1 changed file with 2 additions and 2 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -41,7 +41,7 @@ Having said that, the first step in the shell is unmounting the partition where ``` umount /home ``` After that, `ext4magic` will be able to read the partition. Now execute something like this (explanation just below): ``` ext4magic /dev/sda6 -a $(date -d "-6hours" +%s) -f user/folder -j /opt/sda6.journal -l ``` @@ -63,7 +63,7 @@ ext4magic /dev/sda6 -a 1332606716 -f user/folder -j /tmp/sda6.journal -r -d /opt After this, exit from the shell and select the "resume" option in the menu. It is normal that the process also recovers unwanted files, files with weird names or duplicated content. Just ignore/delete them. If there were files with less than 100% in the output of `ext4magic`, or there were files with 100% that haven't been recovered, then try using the `-m` option instead of `-r`, which will perform a more lengthy process which may be able to get the files back (although there are no guarantees). ### Sources -
Jul 15, 2016 . 1 changed file with 1 addition and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -33,7 +33,7 @@ You may be wondering, why do we mount all filesystems if at the beginning it was Once the "Enable networking" process finishes and the menu appears again, it should say something like "read/write mode" at the top. Now choose the "root shell" option. ## In the root shell Take note that in this shell, the keyboard will likely use a UK or US layout, which may be different than your usual layout. This effectively means that all the symbols may be out of their usual place. -
Jul 15, 2016 . 1 changed file with 2 additions and 2 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -10,14 +10,14 @@ With that out the way, let's begin. ## Right after deleting the files Right after deleting the files, open a terminal and make a copy of the filesystem journal: ``` sudo debugfs -R "dump <8> /opt/sda6.journal" /dev/sda6 ``` `/dev/sda6` should be the appropriate path to your device, so change it accordingly. Also, don't store the copy of the journal in `/tmp`, in case it gets cleaned up. We want to minimize the amount of interactions with the system, so the blocks which contained the deleted files don't get overwritten. If possible, try to close all the programs that may be writing on the same partition. Then, install `ext4magic`, a disk utility to recover files from ext3 or ext4 partitions. ``` sudo apt-get install ext4magic -
Jul 15, 2016 . 1 changed file with 1 addition and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -2,7 +2,7 @@ Recently, I deleted some files by mistake in a Ubuntu machine with an ext4 fs. These notes document the steps I took to get them back. ### Important - this procedure assumes that the partition that contained the deleted files is different from the root partition, as that was the scenario with which I had to deal (deleted files were in my home dir). The procedure needs that the partition that contained the files is unmounted, so if the deleted files were in the root partition, the process would be a bit different (e.g. storing the fs journal in a USB stick, using a live CD/USB to boot and issue the commands, etc.) - if something is not clear, you need more information, etc. check the [sources below](#sources) -
Jul 15, 2016 . 1 changed file with 6 additions and 6 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -67,9 +67,9 @@ If there were files with less than 100% in the output of ext4magic, or there wer ### Sources - https://wiki.ubuntu.com/RecoveryMode - http://ext4magic.sourceforge.net/howto_en.html#Files_were_deleted_in_a_directory_but_unfortunately_some_of_them_should_have_been_kept - http://manpages.ubuntu.com/manpages/xenial/man8/ext4magic.8.html - https://en.wikipedia.org/wiki/British_and_American_keyboards - https://askubuntu.com/questions/20783/how-is-the-tmp-directory-cleaned-up - https://serverfault.com/questions/377348/when-does-tmp-get-cleared -
Jul 15, 2016 .There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,75 @@ # Recovering deleted files in Ubuntu with ext4 filesystem Recently, I deleted some files by mistake in a Ubuntu machine with an ext4 fs. These notes document the steps I took to get them back. Important: - this procedure assumes that the partition that contained the deleted files is different from the root partition, as that was the scenario with which I had to deal (deleted files were in my home dir). The procedure needs that the partition that contained the files is unmounted, so if the deleted files were in the root partition, the process would be a bit different (e.g. storing the fs journal in a USB stick, using a live CD/USB to boot and issue the commands, etc.) - if something is not clear, you need more information, etc. check the [sources below](#sources) With that out the way, let's begin. ## Right after deleting the files We want to minimize the amount of interactions with the system, so the blocks which contained the deleted files don't get overwritten. Right after deleting the files, open a terminal and make a copy of the filesystem journal: ``` sudo debugfs -R "dump <8> /opt/sda6.journal" /dev/sda6 ``` `/dev/sda6` should be the appropriate path to your device, so change it accordingly. Also, don't store the copy of the journal in `/tmp`, in case it gets cleaned up. Then, install `ext4magic`, a disk utility to recover files from ext3 or ext4 partitions. ``` sudo apt-get install ext4magic ``` ## Getting to a root shell The goal now is logging in as root, dropping to run-level 3 and unmounting the partition that we have to process. In my case, I tried doing all that without rebooting, but systemd or something else wasn't too happy about it, so in the end I had to shutdown by just pressing the power button, as I was kind of locked out of the box. Anyway, if you reboot too, when the grub screen shows up choose "Advanced options", and then pick the one for "recovery mode". In the recovery mode menu, quickly select "Enable networking". This enables networking and mounts all filesystems defined in `/etc/fstab`. The screen will begin to show logs and may seem to hang, but just be patient. In my case it was several minutes until it returned back to the menu. You may be wondering, why do we mount all filesystems if at the beginning it was stated that the partition shouldn't be mounted? In my case, the reason for doing this is that otherwise the system entered in emergency mode after a couple of minutes (while at the same time showing the recovery mode menu superimposed on the screen; bottom line, the interface to the system was very buggy at that point, seemed kind of dangerous, and using "Enable networking" was the only way I managed to continue the process. Once the "Enable networking" process finishes and the menu appears again, it should say something like "read/write mode" at the top. Now choose the "root shell" option. # In the root shell Take note that in this shell, the keyboard will likely use a UK or US layout, which may be different than your usual layout. This effectively means that all the symbols may be out of their usual place. Having said that, the first step in the shell is unmounting the partition where the deleted files were originally: ``` umount /home ``` After that, ext4magic will be able to read the partition. Now execute something like this (explanation just below): ``` ext4magic /dev/sda6 -a $(date -d "-6hours" +%s) -f user/folder -j /opt/sda6.journal -l ``` - again, change the path to your particular device - the `-a` option indicates the start of the time range that `ext4magic` will process in search of deleted files; it expects a Unix epoch but we can the use `date` command which is a bit more user friendly (in the example we are saying "from 6 hours ago") - the end of the time range can be set with the `-b` option, which takes the same kind of argument as `-a` - `-f` indicates the folder that we want `ext4magic` to inspect; the path is relative to the root of the partition, e.g. if the deleted files were on `/home/user/folder`, and the partition were `/home`, the path would be `user/folder` - `-j` indicates that `ext4magic` will use an external copy of the journal to do the work; if not specified, it will use the regular journal of the system will be used - `-l` lists the deleted files All the files that are listed with 100% in the left column of the output should be recoverable. To actually recover the files run this: ``` ext4magic /dev/sda6 -a 1332606716 -f user/folder -j /tmp/sda6.journal -r -d /opt/RECOVER ``` - `-r` is supposed to recover the files that had a 100% in the output of the previous command - `-d` indicates the directory where the recovered files will be stored After this, exit from the shell and select the "resume" option in the menu. It is normal that the process also recovers unwanted files, files with weird names or duplicated content. Just ignore/delete them. If there were files with less than 100% in the output of ext4magic, or there were files with 100% that haven't been recovered, then try using the `-m` option instead of `-r`, which will perform a more lengthy process which may be able to get the files back (although there are no guarantees). ### Sources https://wiki.ubuntu.com/RecoveryMode http://ext4magic.sourceforge.net/howto_en.html#Files_were_deleted_in_a_directory_but_unfortunately_some_of_them_should_have_been_kept http://manpages.ubuntu.com/manpages/xenial/man8/ext4magic.8.html https://en.wikipedia.org/wiki/British_and_American_keyboards https://askubuntu.com/questions/20783/how-is-the-tmp-directory-cleaned-up https://serverfault.com/questions/377348/when-does-tmp-get-cleared