Sometimes, especially on the command line, you delete a file or directory unintentionally. Ext3grep is a tool for recovering such deleted files. It reads information from the file system journal to recover the deleted files or directories. Ext3grep can recover files and directories only if the drive is formatted with an ext3/ext4 filesystem and the contents of the files have not been overwritten by new data. So, is my drive formatted with ext3/ext4? Yes, it is, because ext3 has been the standard Linux filesystem for many years and, best of all, Ubuntu by default formats drives with the ext3 journal.
Ext3grep lets you inspect and print ext filesystem metadata structures such as superblocks, inode bitmaps and block details, which helps in recovering files or directories.
See also: Detailed Understanding Of Linux Inodes With Example
In this guide I'm going to show you how to recover an unintentionally deleted file using ext3grep (an ext3 file recovery tool). This setup is based on Ubuntu 16.04 (Xenial Xerus) but should work fine with any Ubuntu version.
Update cache index & do system upgrade
apt-get update downloads the package lists from the repositories and "updates" them to get information on the newest versions of packages and their dependencies. apt-get upgrade will fetch new versions of packages existing on the machine.
$ sudo apt-get update
$ sudo apt-get upgrade
Create a 400 MB file to hold the ext3 filesystem
$ sudo dd if=/dev/zero of=/tempfs bs=1M count=400
The suffixes K, G, T, P, E, Z, and Y may be used in place of "M" as required.
$ ls /
$ sudo mkfs.ext3 /tempfs
mke2fs 1.41.3 (17-May-2015)
Discarding device block: done
Creating filesystem, with 409600 1k blocks and 102400 inodes
Filesystem UUID: de4f963a-12c4-4bcf-6586-1bf3366ff94d
Superblock backups stored on blocks:
8193, 24777,45766, 73727, 204771, 40109
Allocating group tables: done
Writing inode tables: done
Creating journal (8192 blocks): done
Writing superblocks and filesystem accounting information: done
Create Mounting Point
$ sudo mkdir /mnt/data
$ sudo mount -t ext3 /tempfs /mnt/data/
$ df -hT
Create data for test
Once the file system was mounted, I copied a file over and immediately removed it.
$ sudo cp -r /etc/services /mnt/data/
$ ls -la /mnt/data/
$ cd /mnt/data/
$ sudo rm -f services
$ cd /
Then start by unmounting the partition as soon as possible, so that your files are safe from being overwritten. Do not attempt to use ext3grep for recovery from a mounted filesystem EVER.
$ sudo umount /mnt/data
OK, done. Now relax. With the filesystem unmounted, nothing can overwrite the deleted data or create new inodes in the location that holds the files to recover.
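The two preconditions stated so far (a journaled ext filesystem, and never a mounted one) can be checked by a script before ext3grep is run. This is an added example, not part of the original guide or of ext3grep; the function names and the optional mount-table argument are assumptions made for illustration, and the superblock offsets are those of the standard ext2/ext3/ext4 on-disk layout.

```shell
#!/bin/sh
# Added example: checks to run before ext3grep touches an image or device.
# Function names are illustrative; they are not part of ext3grep.

# Print N bytes at OFFSET of FILE as a little-endian unsigned integer.
le_uint() {  # le_uint FILE OFFSET N
    val=0; bits=0
    for b in $(od -An -v -tu1 -j "$2" -N "$3" "$1" 2>/dev/null); do
        val=$(( val | (b << bits) )); bits=$(( bits + 8 ))
    done
    echo "$val"
}

# Classify from the superblock, which starts 1024 bytes into the filesystem.
fs_kind() {  # prints ext2, ext3, ext4 or not-ext
    [ "$(le_uint "$1" 1080 2)" -eq 61267 ] || { echo not-ext; return 0; }  # s_magic 0xEF53
    compat=$(le_uint "$1" 1116 4)     # s_feature_compat
    incompat=$(le_uint "$1" 1120 4)   # s_feature_incompat
    if [ $(( incompat & 0x40 )) -ne 0 ]; then echo ext4    # extents
    elif [ $(( compat & 0x04 )) -ne 0 ]; then echo ext3    # has_journal
    else echo ext2; fi
}

# True if TARGET, or a loop device backed by it, is a source in the mount table.
is_mounted() {  # is_mounted TARGET [MOUNTS_FILE]
    mounts=${2:-/proc/mounts}
    for src in "$1" $(losetup -j "$1" 2>/dev/null | cut -d: -f1); do
        awk -v s="$src" '$1 == s { hit = 1 } END { exit !hit }' "$mounts" && return 0
    done
    return 1
}

# Exit status 0 means the target is unmounted and has a journal to search.
preflight() {  # preflight TARGET [MOUNTS_FILE]
    if is_mounted "$1" "$2"; then
        echo "refusing: $1 is still mounted" >&2; return 1
    fi
    kind=$(fs_kind "$1")
    case $kind in
        ext3|ext4) return 0 ;;
        *) echo "refusing: $1 is $kind, no journal to read" >&2; return 2 ;;
    esac
}

# Usage: preflight /tempfs && sudo ext3grep --dump-names /tempfs
```

An image file such as /tempfs is mounted through a loop device, which is why is_mounted also asks losetup which loop devices are backed by the file.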
Installing the ext3grep package on Ubuntu 16.04 is as easy as running the following command in a terminal:
$ sudo apt-get install ext3grep
List the file names in /tempfs using an ext3grep option
After the file was removed, I used the ext3grep utility's "--dump-names" option to display a list of file names.
$ sudo ext3grep --dump-names /tempfs
Restore / Locate data in /RESTORED_FILES
In the command output, you can see that the services file I previously removed is listed. You now have the option to recover one file or all of them: run ext3grep with the "--restore-file" option to restore individual files, or with the "--restore-all" option to restore all deleted files:
$ sudo ext3grep --restore-all /tempfs
$ cd RESTORED_FILES/
$ ls -la
Thanks for taking the time to read 'How to Recover Deleted File Using ext3grep' on Ubuntu 16.04 and other Ubuntu derivatives.