undelete files on ext4

You can also use extundelete

First unmount (umount) the file system where the files have been deleted.
Then read the chapter What to do if you've deleted a file.

You can install extundelete from classic Ubuntu repository:

sudo apt-get install extundelete

Or better, you can download the latest version and compile it:

cd ~/Download
tar -xf extundelete-*.*.*-.tar.bz2  #Replace *.*.* by the version
cd      extundelete-*.*.*
sudo apt-get install e2fslibs-dev   #Required for compilation
./configure
make
sudo make install
extundelete --version               #Should be your *.*.* version

Example of usage: restore all deleted files from directory Images into new created directory restore

sudo extundelete --restore-directory Images/ -o restore /dev/sda3

Bad news if you see your file XXXX within the following format:

Unable to restore inode NNN (Images/XXXX): Space has been reallocated.

See all restored files (look for your file):

find restore -name '*'

Backup your file(s) and remove this temporary directory restore

cp restore/Images/XXXX MY_BACKUP_DIRECTORY
sudo rm -rf restore  

Data recovery, especially on EXT file systems, should be attempted from a live CD or other system that isn't depending on the partition you're undeleting from. Getting the disk unmounted or re-mounted as read only helps a great deal in the recovery effort.

Most of the time I try to create an image of the partition or disk using dd or a similar tool, so that I'm not working on the disk itself:

dd if=/dev/sd[xx] of=/media/backup_drive/recovery.img

Once you have your image, you can use a tool like ext3grep to try and find the files you're looking for. There are lots of different switches that you can try, but this might be a good start:

ext3grep --restore-file 'tmp/moms-file.txt' recovery.img

The ext3grep utility also provides several different ways to search through the file system if you don't know the name of the file. Check ext3grep --help for the various methods of searching.

I prefered to use ext4magic as :

sudo ext4magic  /dev/sdc3 -r -f $USERl/Documents/ -d /tmp/local/tmp/

Note you have to resolv symlink by your own

References:

http://ext4magic.sourceforge.net/howto_en.html

http://sourceforge.net/projects/ext4magic/

http://rzr.online.fr/q/recover

AnalyzeEXT

Parse data blocks for EXT directory data.

Detailed documentation on EXT4 can be found here:

• https://ext4.wiki.kernel.org/index.php/Ext4_Disk_Layout
• https://digital-forensics.sans.org/blog/tags/ext4

Download the perl script with

git clone https://github.com/halpomeranz/analyzeEXT

No guarantee but may be able to reconstruct deleted filesystems.

I could not recover my crontab file by using ext4magic or extundelete.

On Debian, the crontab for root is here:

/var/spool/cron/crontabs/root

But, by using the following command, I was able to at least manually recover my crontab from the logs.

 grep CRON /var/log/syslog.* -i| awk -F " CMD " {'print $2;'} |sort | uniq

It will output only the executed cron jobs (no timings), but at least this is a lot more than starting from scratch.

If you don't remember how often certain cron jobs run, take a full log e.g. syslog.1 and this will give you the count for runs trough the day:

grep CRON /var/log/syslog.1 -i| awk -F " CMD " {'print $2;'} |sort | uniq -c |sort -n