How to recover deleted files using ext3grep on Ubuntu

Sometimes, especially on the command line, you unintentionally delete a file or directory. Ext3grep is a solution for recovering deleted files: it extracts information from the file system journal to recover deleted files or directories. Ext3grep can recover files or directories only if the disk is formatted as ext3/ext4 and the contents of the files have not been overwritten with new data. So, have we formatted the drive as ext3/ext4? Yes! We have ext3, because ext3 has been the standard Linux filesystem for years and, best of all, Ubuntu defaults to the ext3 journaling disk format.

Ext3grep lets you dump the internal structure of filesystem metadata such as superblocks, inode bitmaps, etc., which helps to restore files or directories.

In this guide, we are going to show you how to recover an accidentally deleted file using ext3grep (ext3 file recovery tool). This installation is based on Ubuntu 16.04 (Xenial Xerus) but should work fine with any version of Ubuntu.

Updating the package index and upgrading the system

apt-get update downloads the package lists from the repositories and “updates” them to get information about the newest versions of packages and their dependencies. apt-get upgrade will get new versions of packages that exist on the machine.

$ sudo apt-get update

$ sudo apt-get upgrade

Creating a 400MB ext3 filesystem image

$ sudo dd if=/dev/zero of=/tempfs bs=1M count=400

K, G, T, P, E, Z and Y can be used in place of “M” as needed.

$ ls /

$ sudo mkfs.ext3 /tempfs

mke2fs 1.41.3 (17-May-2015)
 Discarding device block: done
 Creating filesystem, with 409600 1k blocks and 102400 inodes
 Filesystem UUID: de4f963a-12c4-4bcf-6586-1bf3366ff94d
 Superblock backups stored on blocks:
 8193, 24777,45766, 73727, 204771, 40109
 Allocating group tables: done
 Writing inode tables: done
 Creating journal (8192 blocks): done
 Writing superblocks and filesystem accounting information: done

Create a mount point

$ sudo mkdir /mnt/data

$ sudo mount -t ext3 /tempfs /mnt/data/

$ df -hT

Generating data for testing

After the filesystem was mounted, we copied a file onto it and immediately deleted it:

$ sudo cp -r /etc/services /mnt/data/

$ ls -la /mnt/data/

$ cd /mnt/data/

$ sudo rm -f services

$ cd /

Let’s start by unmounting the partition as soon as possible so that your files are protected from being overwritten. Do not EVER try to use ext3grep to recover from a mounted file system.

Unmount /mnt/data

$ sudo umount /mnt/data

Ok, done. Now let’s relax. Unmounting prevents the deleted data from being overwritten and new file descriptors from being created while recovery takes place.
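A pre-flight check for the two conditions this guide relies on (a journaled ext filesystem that is no longer mounted), as an added example that is not part of the original guide or of ext3grep: it decodes the superblock at byte 1024 of the image. The function names and the in-memory sample image (built from the mkfs figures above) are constructed for illustration, and treating the extents flag as "ext4" is a heuristic.

```python
import struct

SB_OFFSET = 1024            # primary superblock starts 1024 bytes into the image
EXT_MAGIC = 0xEF53          # s_magic shared by ext2/ext3/ext4
COMPAT_HAS_JOURNAL = 0x0004
INCOMPAT_RECOVER = 0x0004   # journal needs replay: mounted now, or not cleanly unmounted
INCOMPAT_EXTENTS = 0x0040   # on-disk feature introduced with ext4

def parse_superblock(image: bytes) -> dict:
    """Decode the superblock fields needed to judge whether a scan is sensible."""
    sb = image[SB_OFFSET:SB_OFFSET + 1024]
    if len(sb) < 104:
        raise ValueError("image too short to contain a superblock")
    inodes, blocks = struct.unpack_from("<II", sb, 0)
    (log_block_size,) = struct.unpack_from("<I", sb, 24)
    (magic,) = struct.unpack_from("<H", sb, 56)
    compat, incompat = struct.unpack_from("<II", sb, 92)
    if magic != EXT_MAGIC:
        raise ValueError(f"bad magic 0x{magic:04x}: not an ext2/3/4 filesystem")
    kind = ("ext4" if incompat & INCOMPAT_EXTENTS
            else "ext3" if compat & COMPAT_HAS_JOURNAL else "ext2")
    return {
        "kind": kind,
        "inodes": inodes,
        "blocks": blocks,
        "block_size": 1024 << log_block_size,
        "has_journal": bool(compat & COMPAT_HAS_JOURNAL),
        "needs_recovery": bool(incompat & INCOMPAT_RECOVER),
    }

def ready_for_scan(info: dict) -> bool:
    """Journal present and no pending replay, i.e. journaled and cleanly unmounted."""
    return info["has_journal"] and not info["needs_recovery"]

def build_sample(incompat: int = 0x0002) -> bytes:
    """Constructed sample: zeroed image with the mkfs figures above patched in."""
    img = bytearray(4096)
    struct.pack_into("<II", img, SB_OFFSET + 0, 102400, 409600)   # inodes, blocks
    struct.pack_into("<I", img, SB_OFFSET + 24, 0)                # 1 KiB blocks
    struct.pack_into("<H", img, SB_OFFSET + 56, EXT_MAGIC)
    struct.pack_into("<II", img, SB_OFFSET + 92, COMPAT_HAS_JOURNAL, incompat)
    return bytes(img)

if __name__ == "__main__":
    for label, img in (("unmounted", build_sample()), ("mounted", build_sample(0x0006))):
        info = parse_superblock(img)
        print(label, info["kind"], info["block_size"], ready_for_scan(info))
```

To check the real image instead of the sample, read the first 4096 bytes of /tempfs and pass them to `parse_superblock`.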

Installing ext3grep

Installing the ext3grep package on Ubuntu 16.04 is as easy as running the following command on a terminal:

$ sudo apt-get install ext3grep

Search /tempfs with ext3grep

After the file was deleted, we used ext3grep's "--dump-names" option to display a list of filenames:

$ sudo ext3grep --dump-names /tempfs

Restore and locate data in RESTORED_FILES

In the command output, you can see that the services file we deleted earlier is listed. You now have the option to restore one file or all of them: run ext3grep with the "--restore-file" option to restore individual files, or with the "--restore-all" option to restore all deleted files:

$ sudo ext3grep --restore-all /tempfs


$ ls -la

Thank you for taking the time to read How to Recover Deleted Files with ext3grep on Ubuntu 16.04 and other Ubuntu derivatives.
