Yesterday, I’ve just deleted something which I didn’t want to delete! If you use ext3/ext4 you may be able to recover the file with ext3grep or extundelete with information from the file system journal if the content of the file wasn’t already overwritten by new data. Your partition uses ext4 you have to use extundelete, if it’s ext3 you can use also ext3grep
The first step should be to stop all writing processes on the related partition and unmount that partition as soon as possible. Getting the disk unmounted or re-mounted as read only helps a great deal in the recovery effort. Data recovery, especially on EXT file systems, should be attempted from a live CD or other system that isn’t depending on the partition you’re undeleting from.
If you can, just backup the partition or disk using dd or a similar tool:
# dd if=/dev/sd[xx] of=/media/portable-drive/backup-partition.img Once you have your image, you can use a tool like ext3grep or extundelete to try and find the files you’re looking for. There are lots of different switches that you can try, but this might be a good start:
# ext3grep --restore-file '/path/to/deleted-file' backup-partition.img If you use extundelete to recover deleted files on ext4:
# extundelete --restore-file /relative/path/deleted.file /dev/sda[xx] As soon as extundelete finished, you’ll find the recovered file in RECOVERED_FILES/ folder.
To recover deleted directory:
# extundelete --restore-directory /relative/path/deleted/directory /dev/sda[xx] Note: In both cases you need to know the device, /dev/sda[xx] to perform this command. You’ll have to remount the filesystem as readonly. This is one of the conditions of using extundelete and there isn’t any way around this.
The ext3grep and extundelete utilities also provides several different ways to search through the file system if you don’t know the name of the file. Check --help for the various methods of searching.