70

Is there a simple option on extundelete how I can try to undelete a file called /var/tmp/test.iso that I just deleted?

(it is not so important that I would start to remount the drive read-only or such things. I can also just re-download that file again)

I am looking for a simple command with that I could try if I manage to fast-recover it.

I know, it is possible with remounting the drive in read-only: (see How do I simply recover the only file on an empty disk just deleted?)

But is this also possible somehow on the still mounted disk?

For info:
if the deleted file is on an NTFS partition it is easy with ntfsundelete e.g. if you know the size was about 250MB use

sudo ntfsundelete -S 240m-260m -p 100 /dev/hda2

and then undelete the file by inode e.g. with

sudo ntfsundelete /dev/hda2 --undelete --inodes 8270
Sanushi Salgado
  • 113
rubo77
  • 28,966
  • General question with any utility: http://unix.stackexchange.com/questions/2677/recovering-accidentally-deleted-files – Ciro Santilli OurBigBook.com Apr 17 '15 at 08:45
  • That other question is too broad. Here I am looking for a fast insecure solution without much effort (and less chance for success) – rubo77 Apr 17 '15 at 08:48
  • I did not mean to imply duplicate, but you might want to add it to the question why that question was not enough. – Ciro Santilli OurBigBook.com Apr 17 '15 at 08:57
  • seg fault: "it appears that the extundelete utility has fallen out of maintenance and that it requires a version of e2fsprogs that is too old.." https://superuser.com/a/1716473/388883 try Testdisk or Photorec..? – alchemy Apr 15 '22 at 19:25

4 Answers4

47

Looking at the usage guide on extundelete it seems as though you're limited to undeleting files to a few ways.

Restoring all

extundelete is designed to undelete files from an unmounted partition to a separate (mounted) partition. extundelete will restore any files it finds to a subdirectory of the current directory named “RECOVERED_FILES”. To run the program, type “extundelete --help” to see various options available to you.

Typical usage to restore all deleted files from a partition looks like this:

    $ extundelete /dev/sda4 --restore-all

Restoring a single file

In addition to this method highlighted in the command line usage:

--restore-file path/to/deleted/file
    Attemps to restore the file which was deleted at the given filename, 
    called as "--restore-file dirname/filename".

So you should be able to accomplish what you want doing this:

$ extundelete --restore-file /var/tmp/test.iso /dev/sda4

NOTE: In both cases you need to know the device, /dev/sda4 to perform this command. You'll have to remount the filesystem as readonly. This is one of the conditions of using extundelete and there isn't any way around this.

slm
  • 369,824
  • 1
    @rubo77 - correct, there isn't any way around that. – slm Mar 31 '14 at 00:20
  • 2
    This actually worked for me an an ext4 filesystem without remounting it read-only. If you try to do it without remounting r/o, then you get a warning which just seems to be telling you that your probability of success is lower if you do that. If it's really super vital to recover the file, then it sounds like you should do that. –  Aug 25 '14 at 23:53
  • Like @BenCrowell I've used without remount, but program adverts me about data corruption if I continue using hdd... was a recently erase so I just press Enter then get my files back ;) – m3nda Jan 11 '16 at 23:27
  • 2
    extundelete is now unmaintained and segfaults with recent ext4 systems. ext4magic is an alternarive – MappaM Sep 07 '21 at 09:48
27

Typical usage scenario when undeleting all files includes need to restore all files deleted from /dev/sdX1 during approximately last hour:

mount -o remount,ro /dev/sdX1
extundelete --restore-all --after $(date -d "-2 hours" +%s) /dev/sdX1
find RECOVERED_FILES/

If satisfied with recovered files:

mount -o remount,rw /dev/sdX1
sanmai
  • 1,426
  • mount: you must specify the filesystem type –  Jan 27 '16 at 13:19
  • remount expects mount point as argument not the device – 0xF1 Jul 21 '16 at 11:26
  • 1
    @Don'tYouWorryChild mount -o takes either dir or device, as per man mount – sanmai Jul 22 '16 at 12:28
  • Instead of subtracting 2 hours from date you can do $(date -d "-2 hours" +%s) and the output of lsblk -p may be useful to find where that LUKS encrypted LVM cached EXT4 volume is located. ;) – LiveWireBT Dec 25 '16 at 18:19
  • 2
    Note that the target directory will be relative to $PWD which I don't think is clearly stated in the manpages. – Sridhar Sarnobat Oct 20 '20 at 05:09
  • Please note that the console output will show only the files that not have been restored! I was able to restore two files I removed with rm. – bomben Jun 17 '22 at 14:31
10

extundelete core dumped for me but ext4magic is currently spewing out files:

  1. Unmount the filesystem immediately
    • If that means shutting down your computer and attaching your disk to another machine or booting from a live CD, do it
  2. Find the partition name with gparted or similar
  3. You don't need to mount the partition
  4. Open a terminal & sudo su
  5. Install ext4magic: apt install ext4magic
  6. Create a directory to put the recovered files: mkdir /mnt/recovered
  7. This will recover all files deleted with a timestamp after 2 hours ago:
    • sudo ext4magic /dev/sdX# -m -a $(date -d "-2 hours" +%s) -d /mnt/recovered NOTE: This may not mean deleted after 2 hours ago. If you have the time and space, it may be better to run the command without the -a option and grep -r for the content of the file.
racitup
  • 231
  • 1
    Also, see the gist linked in the other answer for a great description about how to use ext4magic. – Felix Sep 23 '21 at 15:50
7

extundelete didn't work for me but ext4magic did.

EDIT in 2022:

extundelete hasn't been updated in almost 10 years. If you have a Windows partition, you can try Piriform's Recuva. Just don't let Windows format your drive.

Arnaldo Montoya
  • 119