How to recover a deleted file on Linux manually by saving its blocks and extent information?

In this article, we will look an interesting topic how to recover a deleted file manually in Linux.

We have gone through the debugfs introduction here.

In case you are not sure what is debugfs, i would suggest you to read the above article first.

To recover a deleted file in Linux, we need to note down the file starting block and its size so that we can try to restore it later.

1. Note starting block of the file in extents.

debugfs:  stat /root/file2
Inode: 928996   Type: regular    Mode:  0644   Flags: 0x80000
Generation: 1214074583    Version: 0x00000000:00000001
User:     0   Group:     0   Size: 10
File ACL: 0    Directory ACL: 0
Links: 1   Blockcount: 8
Fragment:  Address: 0    Number: 0    Size: 0
 ctime: 0x5a5af5b1:b257cd6c -- Sat Jan 13 22:16:17 2018
 atime: 0x5a5af6e7:e469299c -- Sat Jan 13 22:21:27 2018
 mtime: 0x5a5af5b1:b257cd6c -- Sat Jan 13 22:16:17 2018
crtime: 0x5a5af5b1:b257cd6c -- Sat Jan 13 22:16:17 2018
Size of extra inode fields: 28
Extended attributes stored in inode body: 
  selinux = "unconfined_u:object_r:admin_home_t:s0\000" (38)
EXTENTS:
(0): 3708417
debugfs: 

2. Now lets remove this file.

[root@nglinux ~]# cat file2
test file
[root@nglinux ~]# rm file2
rm: remove regular file `file2'? y
[root@nglinux ~]# 

3. Restore the number of blocks according to the file size starting from the block.

[root@nglinux ~]# dd if=/dev/sda1 of=/root/file_recover2 bs=4096 count=1 skip=3708417
1+0 records in
1+0 records out
4096 bytes (4.1 kB) copied, 0.000939556 s, 4.4 MB/s
[root@nglinux ~]# 

4. Verify the restored file content.

[root@nglinux ~]# cat file_recover2 
test file
[root@nglinux ~]# 

Yipee !! And finally the file is restored.

However it is very cumbersome to note the inode number initially and keep track of file usage or blocks to restore the file content later.

So the trick is not very useful, however sometimes it is very beneficial.

I hope you liked the trick.

Do post your comments/suggestions below.

0 0 votes
Article Rating
Subscribe
Notify of
guest

0 Comments
Newest
Oldest Most Voted
Inline Feedbacks
View all comments