This mini-Howto attempts to provide hints on how to retrieve deleted files from an ext2 file system. It also contains a limited amount of discussion of how to avoid deleting files in the first place.
I intend it to be useful certainly for people who have just had, shall we say, a little accident with
rm; however, I also hope that people read it anyway. You never know: one day, some of the information in here could save your bacon.
The text assumes a little background knowledge about UNIX file systems in general; however, I hope that it will be accessible to most Linux users. If you are an outright beginner, I'm afraid that undeleting files under Linux does require a certain amount of technical knowledge and persistence, at least for the time being.
You will be unable to recover deleted files from an ext2 file system without at least read access to the raw device on which the file was stored. In general, this means that you must be root, but some distributions (such as Debian GNU/Linux) provide a
disk group whose members have access to such devices. You also need
debugfs from the
e2fsprogs package. This should have been installed by your distribution.
Why have I written this? It stems largely from my own experiences with a particularly foolish and disastrous
rm -r command as root. I deleted about 97 JPEG files which I needed and could almost certainly not recover from other sources. Using some helpful tips (see section Credits and Bibliography) and a great deal of persistence, I recovered 91 files undamaged. I managed to retrieve at least parts of five of the rest (enough to see what the picture was in each case). Only one was undisplayable, and even for this one, I am fairly sure that no more than 1024 bytes were lost (though unfortunately from the beginning of the file; given that I know nothing about the JFIF file format I had done as much as I could).
I shall discuss further below what sort of recovery rate you can expect for deleted files.
The various publicly-released revisions of this document (and their publication dates) are as follows:
What changes have been made in this version? First of all, the thinko in the example of file recovery has been fixed. Thankyou to all those who wrote to point out my mistaek; I hope I've learned to be more careful when making up program interaction.
Secondly, the discussion of UNIX file system layout has been rewritten to be, I hope, more understandable. I wasn't entirely happy with it in the first place, and some people's comments indicated that it wasn't clear.
Thirdly, the vast uuencoded gzipped tarball of
fsgrab in the middle of the file has been removed. The program is now available on my website and on Metalab (and mirrors).
Fourthly, the document has been translated into the Linux Documentation Project SGML Tools content markup language. This markup language can be easily converted to any of a number of other markup languages (including HTML and LaTeX) for convenient display and printing. One benefit of this is that beautiful typography in paper editions is a much more achievable goal; another is that the document has cross-references and hyperlinks when viewed on the Web.
This revision is very much an incremental change. It's here mainly to include changes suggested by readers, one of which is particularly important.
The first change was suggested by Egil Kvaleberg
email@example.com, who pointed out the
dump command in
debugfs. Thanks again, Egil.
The second change is to mention the use of
chattr for avoiding deleting important files. Thanks to Herman Suijs
H.P.M.Suijs@kub.nl for mentioning this one.
The abstract has been revised. URLs have been added for organisations and software. Various other minor changes have been made (including fixing typos and so on).
Though it is the first release in 17 months, there is very little that is new here. This release merely fixes a few minor errors (typos, dangling URLs, that sort of thing -- especially the non-link to the Open Group), and updates a few parts of the text that have become hopelessly out-of-date, such as the material on kernel versions and on
lde. Oh, and I've changed `Sunsite' to `Metalab' throughout.
This release is anticipated to be the last one before release 2.0, which will hopefully be a full Howto. I have been working on some substantial changes which will justify an increment of the major version number.
The latest public release of this document should always be available in on the Linux Documentation Project site (and mirrors).
The latest release is also kept on my website in several formats: