Undelete for the ext2 filesystem (version 0.3)

I have added a restore command to the debugfs utility that is able to recover deleted files on ext2 filesystems. Please download the patch for ext2progs 1.32 or the complete archive from http://www.twerner42.de/undelete/ . It does not (and probably never will) work with ext3 filesystems! It does not even work with kernel 2.4, but that could be worked around if we have a backup of the inode numbers (ls -Ri).

But note: there is NO warranty; debugfs may irreversibly destroy your data. The tool has so far been tested only on x86 hardware. It is highly recommended to use it only on a copy of your partition image. As an important rule, you should unmount the partition or remount it read-only after the disaster and never write to it again as long as you have not recovered all your data. If in doubt, you should consult a professional (but expensive) company that specializes in data recovery. NEVER use the utility if you have hardware errors! It is intended only for files that were deleted by a software accident (e.g. rm -rf /).

First, I recommend testing the undeletion facility on a test image on another computer to get familiar with it. That can even be done before any disaster, to prepare yourself for day X and to help find bugs. Bug reports are welcome at twerner@debian.org. The test procedure is as follows:

  1. create an image file (100 MB in this case)
    $ dd if=/dev/zero of=testimage bs=100k count=1k
  2. format the image (paths may be specific to Debian/GNU, please adjust)
    $ /sbin/mke2fs testimage
  3. mount the image (root access required)
    # mount testimage -o loop /mnt
  4. copy some data to the filesystem
    $ cp -r /usr/src/linux/* /mnt
  5. sync the filesystem
    $ sync
  6. remove the files
    $ rm -rf /mnt/*
  7. unmount the image
    # umount /mnt
  8. start recovering! (the -w flag is required)
    $ /usr/sbin/debugfs -w testimage
    > restore
    ... (prints the restored files)
    > quit
  9. run fsck
    $ /sbin/e2fsck -y testimage
  10. mount the image again
    # mount testimage -o loop /mnt

Your files should be there again.

The algorithm is not complete because it only recovers files that still have a name. If you have already written some data to the filesystem after the disaster, it cannot recover all data. But you can still try the lsdel command of debugfs to recover the remaining files. That strategy is described in the ext2 undeletion howto and is already implemented by some programs (e.g. Midnight Commander).

The restore command supports an additional option. For instance,
> restore 0x3a66e300
will restore only files that have a deletion timestamp newer than 0x3a66e300. To find a useful value you can use the lsdel command; its output is sorted by the deletion timestamp.
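
An added example (not part of the original page or of the debugfs patch): a small Python helper that reads lsdel-style output and derives the restore argument that selects only the last burst of deletions. The sample listing is constructed, and the function names, the 60-second gap and the assumption that the times are shown in UTC are choices made for this example.

```python
import calendar
import time

# Constructed sample modelled on debugfs "lsdel" output (not from a real run).
SAMPLE_LSDEL = """\
 Inode  Owner  Mode    Size      Blocks   Time deleted
    14   1000 100644    812      1/     1 Tue Jan 16 09:12:40 2001
    27   1000 100644   4096      4/     4 Wed Jan 17 18:03:05 2001
    31      0 100644   2310      3/     3 Thu Jan 18 12:35:13 2001
    32      0 100644  10240     10/    10 Thu Jan 18 12:35:13 2001
    33      0 100755    640      1/     1 Thu Jan 18 12:35:14 2001
    40      0 100644  51200     50/    50 Thu Jan 18 12:35:20 2001
6 deleted inodes found.
"""


def parse_lsdel(text):
    """Return the deletion times (epoch seconds, sorted) of all listed inodes."""
    times = []
    for line in text.splitlines():
        fields = line.split()
        # Data rows start with an inode number and end with a ctime-style date.
        if len(fields) < 5 or not fields[0].isdigit():
            continue
        try:
            stamp = time.strptime(" ".join(fields[-5:]), "%a %b %d %H:%M:%S %Y")
        except ValueError:
            continue  # header, summary line or anything else without a date
        times.append(calendar.timegm(stamp))  # assumption: listing is in UTC
    return sorted(times)


def restore_threshold(times, max_gap=60):
    """Hex value for 'restore' that covers only the final burst of deletions.

    Walks backwards from the newest deletion while consecutive entries are
    at most max_gap seconds apart (an rm -rf deletes many files in a row).
    """
    if not times:
        raise ValueError("no deleted inodes listed")
    start = times[-1]
    for t in reversed(times[:-1]):
        if start - t > max_gap:
            break
        start = t
    # restore takes files *newer than* the value, so step back one second.
    return "0x%x" % (start - 1)


if __name__ == "__main__":
    print("restore", restore_threshold(parse_lsdel(SAMPLE_LSDEL)))
```

If debugfs printed the times in local time instead, the computed value is off by the timezone offset, so check it against one known entry before running restore.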

Downloads

Changes

version 0.3

version 0.2

version 0.1

version 0.0

Good luck,
Torsten Werner <twerner@debian.org>
2003/04/20