How to recover a deleted file on Linux manually by saving its blocks and extent information?
In this article, we will look an interesting topic how to recover a deleted file manually in Linux.
We have gone through the debugfs introduction here.
In case you are not sure what is debugfs, i would suggest you to read the above article first.
To recover a deleted file in Linux, we need to note down the file starting block and its size so that we can try to restore it later.
1. Note starting block of the file in extents.
debugfs: stat /root/file2 Inode: 928996 Type: regular Mode: 0644 Flags: 0x80000 Generation: 1214074583 Version: 0x00000000:00000001 User: 0 Group: 0 Size: 10 File ACL: 0 Directory ACL: 0 Links: 1 Blockcount: 8 Fragment: Address: 0 Number: 0 Size: 0 ctime: 0x5a5af5b1:b257cd6c -- Sat Jan 13 22:16:17 2018 atime: 0x5a5af6e7:e469299c -- Sat Jan 13 22:21:27 2018 mtime: 0x5a5af5b1:b257cd6c -- Sat Jan 13 22:16:17 2018 crtime: 0x5a5af5b1:b257cd6c -- Sat Jan 13 22:16:17 2018 Size of extra inode fields: 28 Extended attributes stored in inode body: selinux = "unconfined_u:object_r:admin_home_t:s0\000" (38) EXTENTS: (0): 3708417 debugfs:
2. Now lets remove this file.
[root@nglinux ~]# cat file2 test file [root@nglinux ~]# rm file2 rm: remove regular file `file2'? y [root@nglinux ~]#
3. Restore the number of blocks according to the file size starting from the block.
[root@nglinux ~]# dd if=/dev/sda1 of=/root/file_recover2 bs=4096 count=1 skip=3708417 1+0 records in 1+0 records out 4096 bytes (4.1 kB) copied, 0.000939556 s, 4.4 MB/s [root@nglinux ~]#
4. Verify the restored file content.
[root@nglinux ~]# cat file_recover2 test file [root@nglinux ~]#
Yipee !! And finally the file is restored.
However it is very cumbersome to note the inode number initially and keep track of file usage or blocks to restore the file content later.
So the trick is not very useful, however sometimes it is very beneficial.
I hope you liked the trick.
Do post your comments/suggestions below.