File recovery?


javaguy
Okay, so I come home this evening, and my wife had a photo up that she wants to show me, or thought she did. Unfortunately our 1 year-old had been playing around the computer, and she forgot to lock the desktop. I had shown her how to lock the desktop because we have been repeatedly amazed at what a 1 year-old can do. There's a directory full of JPGs, and all the other photos are still there, but the one she wanted to show me is gone.

 

Okay, he hit the delete key, I suppose, so I open up the trash bin. It's not there. Now I'm worried.

 

I find a tutorial on recovering files with debugfs. My /home is on hdb7, so I say open /dev/hdb7, and it says the magic number is bad. :( I try opening up the root one, and that works just fine. I run lsdel, and it says no deleted inodes found. I thought that was a little odd.

 

It occurred to me that maybe, just maybe, he had somehow renamed the file in the Konqueror window. Perhaps I would see the picture with a weird new name at the top or bottom of the list. At this point I should have made a complete backup, or at least copied the directory. But I didn't. :( I looked at the directory in Konqueror for any screwy file names. I clicked the Show Hidden Files thingy, but nothing new appeared. Out of curiosity I right-clicked on the background and selected Properties to look at what kind of permissions it had. I didn't change anything, but clicked Okay to close the box (probably should have clicked Cancel, I know). A moment later, all the JPGs in the directory were gone. Not in the trash bin. I can't open the file system with debugfs because it still says bad magic number. Just gone.

 

So I realize I'm probably just screwed. But if anybody has any suggestions, I'm all ears.

 

I'm running Mandrake 10.1, btw.

 

[moved from Software by spinynorman]


I believe (although I may be mistaken) that to recover files on UNIX systems, use the following command:

 

grep -a -B[size before] -A[size after] 'text' /dev/[your_partition]

 

For more information, see recover.sourceforge.net.

 

Hope this helps :)


What should my "size before" and "size after" be? 0 for after? I have no idea what the size was before.

 

What's the text I'm looking for? Is it the file name? Remember these are JPGs.

 

My mistake, that's if you want to undelete files on a non-ext2 partition. I'm assuming your partition that the photos were deleted on is an ext2 (to find out, type "mount | column -t", find the partition that the photos were saved on, and check the file system that it is).

 

Try the program "recover":

 

http://recover.sourceforge.net

 

Here's how it works:

 

Recover automates some steps as described in the ext2-undeletion howto. This means it seeks all the deleted inodes on your hard drive with debugfs. When all the inodes are indexed, recover asks you some questions about the deleted file. These questions are:

 

    * Hard disk device name

    * Year of deletion

    * Month of deletion

    * Weekday of deletion

    * First/Last possible day of month

    * Min/Max possible file size

    * Min/Max possible deletion hour

    * Min/Max possible deletion minute

    * User ID of the deleted file

    * A text string the file included (can be ignored)

 

If that fails, or your file system is not ext2, then you can try two options:

 

1. Provided that your partition is ext3, you can unmount the partition, and mount it as ext2, hence (in this example, I'm going to use hda5, which is my home folder, as the partition that the file was stored on):

 

# umount /dev/hda5
# mount -t ext2 /dev/hda5 /home/naim
# recover (you can check the syntax yourself, here)
# umount /dev/hda5
# mount -t ext3 /dev/hda5 /home/naim

 

However, file recovery is rather difficult on an ext3 file system, as:

 

In order to ensure that ext3 can safely resume an unlink after a crash, it actually zeros out the block pointers in the inode, whereas ext2 just marks these blocks as unused in the block bitmaps and marks the inode as "deleted" and leaves the block pointers alone.

 

2. If that fails, you can use grep. However, it only *really* works on text files, but you can give it a try and hope for the best!

Edited by Naim89
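
Added example, not part of the original thread: since grep has no text to match in a JPG, the binary equivalent is to scan an image of the partition for the JPEG start-of-image marker and walk the segment structure to the matching end-of-image marker. The function names, the image file and the output directory are assumptions, and only files stored contiguously on disk come back intact.

```python
import mmap
import sys

SOI = b"\xff\xd8\xff"  # start-of-image plus the 0xFF of the first segment marker

def jpeg_end(buf, start, max_size=32 * 1024 * 1024):
    """Return the offset just past the EOI of the JPEG at `start`, or None."""
    limit = min(len(buf), start + max_size)
    pos = start + 2  # skip FF D8
    # Header segments are FF <marker> <2-byte big-endian length> <payload>.
    # Skipping by length steps over EXIF thumbnails, which carry their own SOI/EOI.
    while True:
        if pos + 4 > limit or buf[pos] != 0xFF:
            return None  # truncated or not a valid segment chain
        marker = buf[pos + 1]
        seg_len = int.from_bytes(buf[pos + 2:pos + 4], "big")
        if seg_len < 2:
            return None
        pos += 2 + seg_len
        if marker == 0xDA:  # SOS: entropy-coded scan data follows
            break
    while True:
        pos = buf.find(b"\xff", pos, limit)
        if pos < 0 or pos + 1 >= limit:
            return None  # ran out of data before EOI (fragmented or overwritten)
        nxt = buf[pos + 1]
        if nxt == 0xD9:
            return pos + 2  # EOI
        if nxt == 0xFF:
            pos += 1  # fill byte
        elif nxt == 0x00 or 0xD0 <= nxt <= 0xD7:
            pos += 2  # stuffed byte or restart marker, still scan data
        else:  # segment between the scans of a progressive JPEG
            pos += 2 + int.from_bytes(buf[pos + 2:pos + 4], "big")

def carve_jpegs(buf):
    """Yield (offset, length) for every structurally complete JPEG in buf."""
    pos = buf.find(SOI)
    while pos >= 0:
        end = jpeg_end(buf, pos)
        if end:
            yield pos, end - pos
        pos = buf.find(SOI, end or pos + 1)

if __name__ == "__main__":
    image, outdir = sys.argv[1], sys.argv[2]  # assumed: partition image, dir on another disk
    with open(image, "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as m:
        for off, length in carve_jpegs(m):
            with open(f"{outdir}/carved_{off:012x}.jpg", "wb") as out:
                out.write(m[off:off + length])
```

Run it against a copy of the unmounted partition rather than the live device, and write the carved files to a different disk so nothing on the damaged file system is overwritten.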

I've never heard of that file system before, lol, but I've done some research and I've found a list of instructions - maybe this should help. It's important that you haven't done very much on this partition, as the data could have been overwritten.

 

1. Once you realize that you've lost data, don't do anything else on that partition - you may cause that data to be overwritten by new data.

 

2. Unmount that partition. e.g., umount /home

 

3. Find out what actual device this partition refers to. You can usually get this information from the file /etc/fstab. We'll assume here that the device is /dev/hda3.

 

4. Run the command: reiserfsck --rebuild-tree -S -l /root/recovery.log /dev/hda3

You need to be root to do this. Read the reiserfsck man page for what these options do and for more options. Some interesting options are '--rebuild-sb, --check'. After the command finishes, which might be a long time for a big partition, you can take a look at the logfile /root/recovery.log if you wish.

 

5. Mount your partition: mount /home

 

6. Look for the lost+found directory in the root of the partition. Here, that would be: /home/lost+found

 

7. This directory contains all the files that could be recovered. Unfortunately, the filenames are not preserved for a lot of files. You'll find some sub-directories - filenames within those are preserved!

 

8. Look through the files and copy back what you need.


Okay, lesson learned.

 

In the future would I be better off using ext2?

 

Nope, you'd be better off doing frequent backups.

 

Heh, I learnt the hard way too. I accidentally deleted a folder with all the images I had created in the GIMP and Inkscape. *fortunately* for me I had an old backup on another partition, but I still lost a bit of stuff.

 

Since then I have a bash script running at 9pm each night, copying certain directories to my external drive as backup.

 

Filesystem? I use reiser4 :devil:


Another thing I did to prevent this from happening again (at least with my photos) is change the script I use to download pictures from my camera. I have a slick little script that grabs all the JPGs from the memory card and puts them into folders like /home/myname/Documents/Photos/2005/2005 April/batch7 (or whatever batch number I'm up to) and even opens up a Konqueror window to it when it's done. Now the script also changes owner to root:root and makes them read-only to everybody.
