Using debugfs

Especially if you can’t unmount the file system containing the deleted data, debugfs is a less comfortable, but usable alternative if it is already installed on your system. (If you have to install it, you can use the more comfortable e2undel as well.) Just try a

/sbin/debugfs device

Replace device by your file system, e.g. /dev/hda1 for the first partition on your first IDE drive. At the “debugfs:” prompt, enter the command

lsdel

After some time, you will be presented a list of deleted files. You must identify the file you want to recover by its owner (2nd column), size (4th column), and deletion date. When found, you can write the data of the file via

dump <inode_number> filename

The inode_number is printed in the 1st column of the “lsdel” command. The file filename should reside on a different file system than the one you opened with debugfs. This might be another partition, a RAM disk or even a floppy disk.

Repeat the “dump” command for all files that you want to recover; then quit debugfs by entering “q”.

To open in write mode:

debugfs: open -w /dev/sda5

View parameters:
debugfs: params
Open mode: read-write

Translate inode to pathname:

debugfs: ncheck 2348010
Inode Pathname
2348010 /oss/man/cat1

Stat a file to get the inode of the file

debugfs: stat giis.txt
Inode: 15 Type: regular Mode: 0664 Flags: 0x0 Generation: 3139576194
User: 500 Group: 500 Size: 18
File ACL: 505359 Directory ACL: 0
Links: 1 Blockcount: 16
Fragment: Address: 0 Number: 0 Size: 0
ctime: 0x4805d3eb — Wed Apr 16 15:54:43 2008
atime: 0x4805d3e7 — Wed Apr 16 15:54:39 2008
mtime: 0x4805d3eb — Wed Apr 16 15:54:43 2008
dtime: 0x4805d445 — Wed Apr 16 15:56:13 2008
BLOCKS:
(0):10234
TOTAL: 1

Advertisements

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s