Recover Files From Ext3/Ext4 Filesystem with Linux Live CD

At one time or another, every computer user has accidentally deleted a file on his system. This is particularly true for Linux users, where a command like rm -rf . immediately deletes all files and folders in the current directory.

Recovering files from a Windows FAT/NTFS partition has been discussed previously. This article discusses the steps to recover files from EXT3/EXT4 partitions using an Ubuntu system. The techniques are the same for every Linux distro (except for the installation process, which is distro-specific).

The first thing to do immediately after realizing you’ve deleted the wrong files is to unmount the file system, or remount it read-only. If the files are on your root partition, you should immediately shut down your system and boot a live CD. This is very important to prevent other processes from overwriting your files. Even if you don’t explicitly overwrite the files, other system processes could write to the filesystem and overwrite the blocks that held them.

This article uses a system that has a single partition, and a Xubuntu live CD to recover the deleted files. The live CD should be started with the option to “try without installing.” Once it has booted, launch a terminal and create a mount point using the command:

mkdir root_dir

and mount the desired partition read-only, in keeping with the advice above:

sudo mount -o ro /dev/sda5 root_dir

Extundelete is an open source tool and is available on SourceForge. However, you can install it on Ubuntu using:

sudo apt-get install extundelete

To restore a single file (assuming you know the file name), use the command:

sudo extundelete /dev/sda5 --restore-file /home/obaro/mtetest/SpecialPic1.jpg --output-dir recovered

To restore all files in a directory, use the command:

sudo extundelete /dev/sda5 --restore-directory /home/obaro/mtetest --output-dir recovered

Ext4magic is also an open source tool, available on SourceForge.

It is also available in the Ubuntu repositories and can be installed using:

sudo apt-get install ext4magic

With Ext4magic, the partition can be queried for a list of deleted files and the percentage of the file available for recovery. This can be done using the -a (deleted after the given time) and/or -b (deleted before the given time) options. These times are calculated in seconds since the Unix epoch. A command to find all deleted files within the previous 24 hours in the Music folder, for example, is:

sudo ext4magic /dev/sda5 -a $(date -d "-24hours" +%s) -f home/obaro/Music -l

To recover these files, we use the -r option, together with the -d (output directory) option, like so:

sudo ext4magic /dev/sda5 -f home/obaro/Music -r -d recovered

Note that the -f option indicates the directory within the partition structure “home/obaro/Music” without the leading “/”. To recover a single file, specify the file name for -f, rather than the directory.

The probability of recovering files with either of these tools drops significantly the longer the partition remains in use after file deletion, and it drops further whenever data is written to the partition/device. It is recommended that the “/home” directory be on a separate partition from your root directory. With a file system structured this way, files can be recovered without resorting to a live CD.
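As an added example (not from the original article or from the extundelete/ext4magic projects), the following shell functions enforce the unmount-or-read-only rule before invoking the article's ext4magic recovery command. The function names and the sample mount table are constructed for illustration, and the check assumes the device appears in /proc/mounts under the same name you pass in.

```shell
#!/bin/sh
# Added example: refuse to run recovery against a partition mounted read-write.

# mount_state DEVICE [TABLE]
# Prints "unmounted", "ro" or "rw" for DEVICE, read from a /proc/mounts-style
# table (default /proc/mounts; "-" reads the table from stdin).
# A device mounted more than once counts as "rw" if any mount is read-write.
mount_state() {
    awk -v dev="$1" '
        $1 == dev {
            seen = 1
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "rw") rw = 1
        }
        END { print (!seen ? "unmounted" : (rw ? "rw" : "ro")) }
    ' "${2:-/proc/mounts}"
}

# safe_to_recover DEVICE [TABLE]
# Returns 0 when DEVICE is unmounted or read-only, 1 when it is read-write.
safe_to_recover() {
    case $(mount_state "$1" "${2:-/proc/mounts}") in
        rw) echo "refusing: $1 is mounted read-write; unmount it or remount it read-only" >&2
            return 1 ;;
        *)  return 0 ;;
    esac
}

# recover_dir DEVICE DIR OUTDIR
# Runs the article's ext4magic recovery command only if the check passes.
# ext4magic expects DIR without the leading "/", so it is stripped here.
recover_dir() {
    safe_to_recover "$1" || return 1
    sudo ext4magic "$1" -f "${2#/}" -r -d "$3"
}

# Constructed /proc/mounts sample (not taken from a real system).
SAMPLE_MOUNTS='/dev/sda5 /home/xubuntu/root_dir ext4 rw,relatime 0 0
/dev/sda6 /mnt/data ext4 ro,relatime 0 0
tmpfs /run tmpfs rw,nosuid 0 0'

printf '%s\n' "$SAMPLE_MOUNTS" | mount_state /dev/sda5 -   # prints: rw
```

On the live CD, `recover_dir /dev/sda5 /home/obaro/Music recovered` would run the recovery only after the check against the real /proc/mounts succeeds.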

The best way to ensure data recovery is to have backups. However, backups will be useless in cases where new files that haven’t yet been backed up get deleted.