How to Recover Deleted File Using ext3grep on Ubuntu

Sometimes, especially on the command line, it happens that you delete a file or directory unintentionally. Ext3grep is a solution to recover deleted files. Ext3grep fetches information from the file system journal for recovering the deleted files or directory. Ext3grep can recover file(s)/directory only if you have formatted drive with ext3/ext4 extensions and content of the files are not overwritten by new data. So, have I formatted drive in ext3/ext4 ? Yes! I have because ext3 is Standard Linux filesystem for many years & best part is, by default ubuntu formats drive with ext3 journal.

Ext3grep allows you to poke & produce ext filesystem metadata structure like superblocks, inode bitmaps, block details etc. which helps to recover file(s) or directory.

Refer AlsoDetailed Understanding Of Linux Inodes With Example

In this guide I'm going to show you how to recover unintentionally deleted file using ext3grep (ext3 file recovery tool). This setup is based on Ubuntu 16.04 (Xenial Xerus) but should work fine with any Ubuntu version.

Update cache index & do system upgrade

apt-get update downloads the package lists from the repositories and "updates" them to get information on the newest versions of packages and their dependencies. apt-get upgrade will fetch new versions of packages existing on the machine.

$ sudo apt-get update

$ sudo apt-get upgrade

Create ext3 extension location with 400MB size

$ sudo dd if=/dev/zero of=/tempfs bs=1M count=400

The K, G, T, P, E, Z, and Y may be used in place of "M" as required.

$ ls /

$ sudo mkfs.ext3 /tempfs

mke2fs 1.41.3 (17-May-2015)
 Discarding device block: done
 Creating filesystem, with 409600 1k blocks and 102400 inodes
 Filesystem UUID: de4f963a-12c4-4bcf-6586-1bf3366ff94d
 Superblock backups stored on blocks:
 8193, 24777,45766, 73727, 204771, 40109
 Allocating group tables: done
 Writing inode tables: done
 Creating journal (8192 blocks): done
 Writing superblocks and filesystem accounting information: done

Create Mounting Point

$ sudo mkdir /mnt/data

$ sudo mount –t ext3 /tempfs /mnt/data/

$ df –hT

Create data for test

Once the file system was mounted, I copied over and immediately removed a file

$ sudo cp –r /etc/services /mnt/data/

$ ls –la /mnt/data/

$ cd /mnt/data/

$ sudo rm –f services

$ cd /

Then lets start with unmounting the partition as soon as possible, so that your files are safe from getting overwritten. Do not attempt to use ext3grep for recovery from a mounted filesystem EVER.

Unmount /mnt/data

$ sudo umount /mnt/data

OK, done. Now Relax. Unmounting prevents from overwriting and creating inodes for files to recover in the location.

Install ext3grep

Installing ext3grep package on ubuntu 16.04 is as easy as running the following command on terminal:

$ sudo apt-get install ext3grep

Find /tempfs using ext3grep option

After the file was removed, I used the ext3grep utilities “–dump-name” option to display a list of file names

$ sudo ext3grep –-dump-name /tempfs

Restore / Locate data in /RESTORED_FILES

In Command output, you can see that the services file I previously removed is listed. To recover deleted files, now you have option to recover one file or recover all, you can run ext3grep with “–restore-file” option to restore individual files, or with the “–restore-all” option to restore all deleted files:

$ sudo ext3grep –-restore-all /tempfs


$ ls –la

Thanks for taking your time to read 'How to Recover Deleted File Using ext3grep' on ubuntu 16.04 and other Ubuntu derivatives.

Leave a Comment