extundelete usage

Reference: http://extundelete.sourceforge.net/

http://www.gnutoolbox.com/extundelete/

About extundelete

extundelete is a utility that can recover deleted files from an ext3 or ext4 partition. The ext3 file system is the most common file system when using Linux, and ext4 is its successor. extundelete uses the information stored in the partition's journal to attempt to recover a file that has been deleted from the partition. There is no guarantee that any particular file will be able to be undeleted, so always try to have a good backup system in place, or at least put one in place after recovering your files!

Download the latest version

The latest version of extundelete is 0.2.0, which was released in May 2010. Click the link to download extundelete. For information about old versions of extundelete, or to download the previous version, see the old extundelete information page. For brief descriptions of the various options the program understands, see the extundelete command-line options summary. Binary packages are available for some distributions, but may not have the latest version. To take advantage of the latest features and bug fixes, read the notes on compiling and using the program below. The first version of extundelete was released in April 2009.

Why use extundelete?

If you have deleted files from an ext4 file system, the choice is easy: extundelete is the first and only program able to restore both the contents and the file name of a deleted file. If the partition you have deleted files from is an ext3 file system, extundelete still has several advantages over ext3grep. extundelete is able to restore a file immediately after parsing the journal file. ext3grep parses the entire hard drive before it begins to restore files from the hard disk. The ext3grep method is efficient for restoring many files from a small partition. extundelete is designed to be faster if you need to restore files from a large partition. Also, because extundelete uses the ext2fs library, many features of the ext3 or ext4 filesystems will be automatically supported by extundelete if it is compiled and run with a version of the ext2fs library that supports those features.

Documentation

How to compile and install extundelete

To compile and install this program, you must first install the binary and development packages for e2fsprogs and e2fslibs. You must also have installed a C++ compiler and a make utility to be able to compile extundelete. If any of the above conditions are not met, the configure step (below) will not complete successfully. For ext4 support, ensure you have e2fsprogs version 1.41 or newer (which may be found by running the command 'dumpe2fs' and noting the version it outputs).

To compile extundelete, extract the contents of the downloaded file, which creates a directory with the program name and version. From that directory, execute the configure script by typing “./configure” in the terminal window. If the configuration step does not end in error, continue by entering the command “make” and waiting for compilation to complete. When make successfully completes, an executable file called “extundelete” resides in the “src” directory, which you can use directly, or you can enter the command “make install” to install extundelete where the terminal can easily find it.

How to use extundelete

extundelete is designed to undelete files from an unmounted partition to a separate (mounted) partition. extundelete will restore any files it finds to a subdirectory of the current directory named “RECOVERED_FILES”. To run the program, type “extundelete --help” to see various options available to you.

Typical usage to restore all deleted files from a partition looks like this:
$ extundelete /dev/sda4 --restore-all

It is normal for extundelete to appear to pause (while reading from the disk) for a minute or longer; during this time, the program is reading the directory structure and looking for a recoverable file within it. To restore important files quickly, you may use the --restore-file, --restore-files, or --restore-directory options.

If you have questions or comments about using extundelete or how to recover your lost files, or to report a success/failure of your recovery efforts with this utility, send a note to the extundelete mailing list.

What to do if you've deleted a file (or multiple files)

Do not save any more data to the partition with the deleted file for any reason! Doing so may overwrite your deleted data and sabotage any recovery effort. Typically, background processes will periodically write to disk, so work quickly until the partition is unmounted.

If you think the file may be still open by some program (for example, if it is a movie file currently being played by a movie player), and you know the filename, then first follow this procedure:
$ lsof|grep "/path/to/file"
progname 5559 user 22r REG 8,5 1282410 1294349 /path/to/file
Notice the number in the second column is 5559 and the number in the fourth column is 22. The command to restore that file is:
$ cp /proc/5559/fd/22 restored.file

If lsof doesn't find your file, then immediately remount the partition read-only:
$ mount -o remount,ro /dev/partition
or unmount the partition:
$ umount /dev/partition
Typically, you would replace "partition" in the above examples by a device name like "sda4" or "hdb7". When either of those commands successfully completes, you can now take the next steps leisurely - you will no longer make anything worse by waiting. If you would like to make a backup of your partition, you may do so by a command such as:
$ dd bs=4M if=/dev/partition of=partition.backup

Now is the time to run extundelete, which you may safely run on either the backup you may have made above or the raw device, as long as it is not mounted (or mounted read-only). See the section above for details on how to use this program. If extundelete was unable to recover your files, and you are using an ext3 partition, then you may try to recover your files with debugfs, a tool included with the e2fsprogs distribution. If you unmounted the partition before the file system got a chance to fully delete the files you are interested in, running debugfs may allow you to recover the files before the file system deletes them (which it may do the next time the partition is mounted). The 'dump' and 'rdump' commands in debugfs may be useful to you for these purposes. If you were unable to recover your files using extundelete or debugfs, and you are using an ext3 partition, then you may try to recover your files with ext3grep. The generation of ext3grep's stage2 cache file depends on the size and speed of your hard drive's partition, with typical speeds close to one minute for every 2 GB (30 s per GB, or 8 hours per TB).

If the above options didn't recover your files, then you may try a program that searches for identifying patterns throughout the entire partition, like foremost, scalpel, or Photorec. ext3grep's --search options may also be used for this purpose.
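
The checks from the procedure above as shell helpers, an added example that is not part of the original page or of extundelete. The function names are hypothetical; it assumes lsof's default column layout and that the device is named the way it appears in /proc/mounts.

```shell
#!/bin/sh
# Added example; function names are made up for this sketch.

# Read `lsof` output on stdin and print /proc/PID/fd/N for each open
# descriptor whose NAME column is the file $1.
# Default lsof columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
open_fd_paths() {
    awk -v want="$1" '
        $4 ~ /^[0-9]+[rwu]/ {          # numeric FD such as 22r; skips cwd, txt, mem
            name = $9                  # NAME may contain spaces: rejoin the rest
            for (i = 10; i <= NF; i++) name = name " " $i
            sub(/ \(deleted\)$/, "", name)   # lsof tags unlinked files this way
            if (name == want) {
                fd = $4; sub(/[^0-9].*$/, "", fd)
                print "/proc/" $2 "/fd/" fd
            }
        }'
}

# Print "unmounted", "ro" or "rw" for device $1, reading a file in
# /proc/mounts format ($2, default /proc/mounts):
#   device mountpoint fstype options dump pass
# Any read-write mount of the device makes the answer "rw".
mount_state() {
    awk -v dev="$1" '
        $1 == dev {
            seen = 1; ro = 0
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) if (opt[i] == "ro") ro = 1
            if (!ro) rw = 1
        }
        END { print (seen ? (rw ? "rw" : "ro") : "unmounted") }
    ' "${2:-/proc/mounts}"
}

# Succeed only when the device is unmounted or mounted read-only.
safe_to_recover() {
    case "$(mount_state "$1" "$2")" in
        unmounted|ro) return 0 ;;
        *) echo "refusing: $1 is mounted read-write" >&2; return 1 ;;
    esac
}

# Usage, following the procedure in the text:
#   lsof | open_fd_paths /path/to/file      # then: cp /proc/PID/fd/N restored.file
#   safe_to_recover /dev/sda4 && extundelete /dev/sda4 --restore-all
```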

-------------------------

Extundelete is a simple and effective tool that helps recover files and directories from ext3 and ext4 filesystems. Although many recovery tools are available, this one is really simple and a real life saver for admins or users who accidentally removed important files or directories. Extundelete uses the information stored in the partition’s journal to attempt to recover a file that has been deleted from the partition.

 

Installing Extundelete

 

Source installation is simple and can be done in just 2 minutes. Before installing from source, make sure you have already installed the e2fsprogs version 1.41 and e2fslibs packages (on CentOS / RHEL based systems the package names are e2fsprogs & e2fsprogs-libs). SSH to your server as root.

 

 

 

How to use Extundelete

 

Let us try a demo deletion and recovery of files and folders to get familiar with this tool. I tested on one of my drive partitions, /dev/sdb1, mounted as /backup. Create a folder named gnutool-delete under /backup and copy some files/directories into this folder. For example:

 

  • # mkdir -p /backup/gnutool-delete
    # cd /backup/gnutool-delete
    # man man > file1-test.txt
    # man man > file2-test.txt
    # mkdir folder1; cd folder1; man man > file1-test.txt

 

Now delete the folder using rm -rf

 

  • # rm -rf /backup/gnutool-delete

 

Once you have removed the folder, you have to act quickly and either unmount or remount the partition as read-only (see “How to remount the system” below) as soon as possible, to avoid the files/folders being overwritten with new inodes. Since I have /dev/sdb1 mounted on /backup, all I did was:

 

  • # umount /backup

 

Recovering deleted files using Extundelete

 

Extundelete will restore any files it finds to a subdirectory of the current directory named “RECOVERED_FILES”. To run the program, type “extundelete --help” to see the various options available to you. To recover all the deleted folders and files:

 

  • # extundelete /dev/sdb1 --restore-all

 

This will take a couple of minutes while it reads the directory structure and looks for recoverable files within it. It will then start recovering the files into the subdirectory “RECOVERED_FILES” of the current directory. If you want to recover large data files, make sure your current directory has enough free space to hold them.

 

  • # cd RECOVERED_FILES
    # ls

 

You will be able to see the directory “gnutool-delete” with all the files that were deleted before. You can also use the following syntax if you just want to recover the deleted folder “gnutool-delete” instead of recovering everything. The path is given relative to the root of the file system on the partition, so it does not include the mount point /backup.

  • # extundelete /dev/sdb1 --restore-directory gnutool-delete

 

Recovering the / partition files

 

If you have deleted something under the / primary partition, for example /etc/passwd, and want to recover that file, try the following (I assume that you have an additional hard drive to store the recovered file).

 

  • # mount -o remount,ro /
    # cd /secondarydrive (should have read/write access)
    # extundelete /dev/sdaX --restore-file etc/passwd (sdaX is the device holding /; the path is relative to that file system's root)
    # cd RECOVERED_FILES
    # ls

How to remount the system


There are different ways to mount / remount the file system as read-only. Here are a few simple steps which might be helpful if you want to remount your filesystem/partition as read-only. This is especially useful if you want to run fsck on a selected partition, for example /home, /var etc., from the init 3 runlevel.

 

  • # mount -o remount,ro /

(or)

  • # mount -o remount,ro /dev/sdaX /

 

The above command will remount the / root file system as read-only, where sdaX is the partition. If you want to remount only your /home or /var mounted on a separate partition, just use:

 

 

  • # mount -o remount,ro /home

(or)

  • # mount -o remount,ro /dev/sdaX /home

 

To remount it back to read-write, try:

 

  • # mount -o remount,rw /

 

Using sysrq-trigger

 

You can also use the sysrq-trigger magic key under /proc to remount all the mounted filesystems as readonly. To do that, just use

  • # echo u > /proc/sysrq-trigger

This will remount all the mounted filesystems in your system as read-only.



An error you may meet during the compile process: the ext2fs libs cannot be found. In that case you need to install the e2fslibs-dev package.


