Sometimes, especially on the command line, it happens that you unintentionally deleted a file or directory. Ext3grep is a solution for recovering deleted files. Ext3grep extracts information from the file system log to recover deleted files or directories. Ext3grep can recover file (s) / directories only if the formatted disk with ext3 / ext4 extensions and the contents of the files have not been overwritten with new data. So, have we formatted the drive to ext3 / ext4? An affirmative answer! We have ext3 because ext3 has been the standard Linux filesystem for years and the best part is, ubuntu defaults to ext3 journal disk formats.
Ext3grep allows you to produce the internal structure of filesystem metadata like superblocks, bitmap inodes, etc., which helps to restore file (s) or directories.
In this guide, we are going to show you how to recover an accidentally deleted file using ext3grep (ext3 file recovery tool). This installation is based on Ubuntu 16.04 (Xenial Xerus) but should work fine with any version of Ubuntu.
Updating the cache index and updating the system
apt-get update downloads the package lists from the repositories and “updates” them to get information about the newest versions of packages and their dependencies. apt-get upgrade will get new versions of packages that exist on the machine.
$ sudo apt-get update $ sudo apt-get upgrade
Creating a 400MB ext3 extension
$ sudo dd if=/dev/zero of=/tempfs bs=1M count=400
K, G, T, P, E, Z and Y can be used in place of “M” as needed.
$ ls / $ sudo mkfs.ext3 /tempfs mke2fs 1.41.3 (17-May-2015) Discarding device block: done Creating filesystem, with 409600 1k blocks and 102400 inodes Filesystem UUID: de4f963a-12c4-4bcf-6586-1bf3366ff94d Superblock backups stored on blocks: 8193, 24777,45766, 73727, 204771, 40109 Allocating group tables: done Writing inode tables: done Creating journal (8192 blocks): done Writing superblocks and filesystem accounting information: done
Create a mount point
$ sudo mkdir /mnt/data $ sudo mount –t ext3 /tempfs /mnt/data/ $ df –hT
Generating data for testing
After the filesystem was mounted, we copied and immediately deleted the file
$ sudo cp –r /etc/services /mnt/data/ $ ls –la /mnt/data/ $ cd /mnt/data/ $ sudo rm –f services $ cd /
Let’s start by unmounting the partition as soon as possible so that your files are protected from being overwritten. Do not try to use ext3grep to recover from a mounted EVER file system.
Unmount / mnt / data
$ sudo umount /mnt/data
Ok, done. Now let’s relax. Unmounting prevents overwriting and creation of file descriptors for recovery in place.
Installing the ext3grep package on Ubuntu 16.04 is as easy as running the following command on a terminal:
$ sudo apt-get install ext3grep
Find / tempfs with the ext3grep option
After the file was deleted, we used the ext3grep utilities “–dump-name” to display a list of filenames
$ sudo ext3grep –-dump-name /tempfs
Restore / Locate data in / RESTORED_FILES
In the command output, you can see that the services file we deleted earlier is listed. Restore deleted files, now you have the option to restore one file or restore all, you can run ext3grep with the “-restore-file” option to restore individual files or with the “-restore-all” option to restore all deleted files:
$ sudo ext3grep –-restore-all /tempfs $ cs RESTORED_FILES/ $ ls –la
Thank you for taking the time to read How to Recover Deleted Files with ext3grep on Ubuntu 16.04 and other Ubuntu derivatives.
Please disable your ad blocker or whitelist this site!