Monday, 18 May 2015 00:00

Recovering files deleted from Linux (ext3) and FreeBSD partitions


The easiest way is to use the universal TestDisk utility (http://www.cgsecurity.org/wiki/TestDisk, /usr/ports/sysutils/testdisk), which supports a variety of file systems, for instance ext2, ext3, ufs, fat and NTFS. Besides file recovery, TestDisk can find deleted disk partitions and recover their contents.

To recover deleted files by type (e.g. photos), you can use the PhotoRec tool (http://www.cgsecurity.org/wiki/PhotoRec).

Both TestDisk and PhotoRec work interactively, letting you refine the recovery options step by step.

It is enough to unmount the partition from which we are going to recover files, run "testdisk" and select the desired recovery options.

The recovery process is demonstrated in these screenshot walkthroughs:

http://www.cgsecurity.org/wiki/TestDisk:_undelete_file_for_ext2

http://www.cgsecurity.org/wiki/TestDisk_Step_By_Step

The second way is more suitable for Ext3 users and relies on the ext3grep tool.

Install ext3grep (http://code.google.com/p/ext3grep/) or, better, boot from a LiveCD that contains the utility, for example PartedMagic (http://partedmagic.com/), which occupies about 50 Mb.

Let's suppose that files from the directory /home/test/db, located on the ext3 partition /dev/sda6, were accidentally deleted.

The sooner we attempt to recover them, the higher the probability of success.

We make sure that the /dev/sda6 partition is not mounted, then change to a directory that is writable and has enough space for the recovered files.

To recover the /home/test/db/test.txt file, we run the following (the path is given relative to the root of the file system on /dev/sda6):

   ext3grep /dev/sda6 --restore-file test/db/test.txt

To recover the whole directory:

   ext3grep /dev/sda6 --restore-file test/db

The recovered files are placed in the RESTORED_FILES directory, which ext3grep creates in the current directory.

We can view all found file names by executing the following command:

   ext3grep /dev/sda6 --dump-names

To recover all files deleted after the Unix timestamp 1202351117:

   ext3grep /dev/sda6 --restore-all --after=1202351117

If 30 minutes have passed since the deletion, you can compute the corresponding timestamp, for example, as follows:

   perl -e 'print time()-30*60';
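
The checks described above (partition not mounted, writable working directory, cutoff timestamp) can be combined into one pre-flight script that prints the ext3grep command instead of running it. This is an added example, not part of the original article or of ext3grep; the function names and the optional mounts-file and "now" arguments are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: pre-flight checks before running ext3grep --restore-all.
# Function names and the optional MOUNTS_FILE / NOW arguments are hypothetical.

# canon PATH: resolve symlinks (e.g. /dev/disk/by-uuid/...) when possible,
# otherwise fall back to the path as given.
canon() {
    readlink -f "$1" 2>/dev/null || printf '%s\n' "$1"
}

# is_mounted DEVICE [MOUNTS_FILE]: succeed if DEVICE is listed as a mount source.
# MOUNTS_FILE uses the /proc/mounts layout: "source mountpoint fstype options ...".
is_mounted() {
    want=$(canon "$1")
    while read -r src _rest; do
        case $src in
            /*) [ "$(canon "$src")" = "$want" ] && return 0 ;;
        esac
    done < "${2:-/proc/mounts}"
    return 1
}

# cutoff_epoch MINUTES [NOW]: Unix time MINUTES before NOW (default: current time).
cutoff_epoch() {
    now=${2:-$(date +%s)}
    echo $(( now - $1 * 60 ))
}

# preflight DEVICE MINUTES [MOUNTS_FILE] [NOW]: print the ext3grep command to run
# from the current directory, or refuse with a reason on stderr.
preflight() {
    if is_mounted "$1" "${3:-/proc/mounts}"; then
        echo "refusing: $1 is mounted; unmount it first" >&2
        return 1
    fi
    if [ ! -w . ]; then
        echo "refusing: current directory is not writable" >&2
        return 1
    fi
    echo "ext3grep $1 --restore-all --after=$(cutoff_epoch "$2" "$4")"
}

# Stand-alone use: sh preflight.sh /dev/sda6 30
[ $# -eq 0 ] || preflight "$@"
```

Run it from the directory that should receive RESTORED_FILES, review the printed command, then execute it.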

Last modified on Monday, 18 May 2015 19:24
Data Recovery Expert

Viktor S., Ph.D. (Electrical/Computer Engineering), was hired by DataRecoup, the international data recovery corporation, in 2012. Promoted to Engineering Senior Manager in 2010 and then to his current position, as C.I.O. of DataRecoup, in 2014. Responsible for the management of critical, high-priority RAID data recovery cases and the application of his expert, comprehensive knowledge in database data retrieval. He is also responsible for planning and implementing SEO/SEM and other internet-based marketing strategies. Currently, Viktor S., Ph.D., is focusing on the further development and expansion of DataRecoup’s major internet marketing campaign for their already successful proprietary software application “Data Recovery for Windows” (an application which he developed).
