This mini-Howto attempts to provide hints on how to retrieve deleted files from an ext2 file system. It also contains a limited amount of discussion of how to avoid deleting files in the first place.
I intend it to be useful certainly for people who have just had, shall we say,
a little accident with rm; however, I also hope that people read it
anyway. You never know: one day, some of the information in here could save
your bacon.
The text assumes a little background knowledge about UNIX file systems in general; however, I hope that it will be accessible to most Linux users. If you are an outright beginner, I'm afraid that undeleting files under Linux does require a certain amount of technical knowledge and persistence, at least for the time being.
You will be unable to recover deleted files from an ext2 file system without
at least read access to the raw device on which the file was stored. In
general, this means that you must be root, but some distributions (such as
Debian GNU/Linux) provide a
disk group whose members have access to such devices. You also need
debugfs from the e2fsprogs package. This should have been
installed by your distribution.
Why have I written this? It stems largely from my own experiences with a
particularly foolish and disastrous rm -r command as root. I deleted
about 97 JPEG files which I needed and could almost certainly not recover from
other sources. Using some helpful tips (see section
Credits and Bibliography) and a great deal of
persistence, I recovered 91 files undamaged. I managed to retrieve at least
parts of five of the rest (enough to see what the picture was in each case).
Only one was undisplayable, and even for this one, I am fairly sure that no
more than 1024 bytes were lost (though unfortunately from the beginning of the
file; given that I know nothing about the JFIF file format I had done as much
as I could).
I shall discuss further below what sort of recovery rate you can expect for deleted files.
The various publicly-released revisions of this document (and their publication dates) are as follows:
What changes have been made in this version? First of all, the thinko in the example of file recovery has been fixed. Thankyou to all those who wrote to point out my mistaek; I hope I've learned to be more careful when making up program interaction.
Secondly, the discussion of UNIX file system layout has been rewritten to be, I hope, more understandable. I wasn't entirely happy with it in the first place, and some people's comments indicated that it wasn't clear.
Thirdly, the vast uuencoded gzipped tarball of fsgrab in the middle of the
file has been removed. The program is now available on
my website
and on
Metalab
(and mirrors).
Fourthly, the document has been translated into the Linux Documentation Project SGML Tools content markup language. This markup language can be easily converted to any of a number of other markup languages (including HTML and LaTeX) for convenient display and printing. One benefit of this is that beautiful typography in paper editions is a much more achievable goal; another is that the document has cross-references and hyperlinks when viewed on the Web.
This revision is very much an incremental change. It's here mainly to include changes suggested by readers, one of which is particularly important.
The first change was suggested by Egil Kvaleberg
egil@kvaleberg.no,
who pointed out the dump command in debugfs. Thanks again, Egil.
The second change is to mention the use of chattr for avoiding deleting
important files. Thanks to Herman Suijs
H.P.M.Suijs@kub.nl
for mentioning this one.
The abstract has been revised. URLs have been added for organisations and software. Various other minor changes have been made (including fixing typos and so on).
Though it is the first release in 17 months, there is very little that is
new here. This release merely fixes a few minor errors (typos, dangling
URLs, that sort of thing -- especially the non-link to the Open Group), and
updates a few parts of the text that have become hopelessly out-of-date,
such as the material on kernel versions and on lde. Oh, and I've
changed `Sunsite' to `Metalab' throughout.
This release is anticipated to be the last one before release 2.0, which will hopefully be a full Howto. I have been working on some substantial changes which will justify an increment of the major version number.
The latest public release of this document should always be available in on the Linux Documentation Project site (and mirrors).
The latest release is also kept on my website in several formats: