Recovering deleted/truncated files on ext4

Due to a bit of stupidity I spent a lot of time looking into how to recover deleted files on ext3/4 and I thought it would be useful to other folks to pass on the following points after the break.

1) Old ext2-based tools/instructions are sub-optimal, and more to the point, only find deleted files not truncated ones. Absent the journal, as far as I can tell you are pretty much going to resort to grepping all the unallocated blocks if you truncate it. Maybe I’m wrong?

2) Unlike on ext2, if you truncate a file, you can probably still find out where the old copy of the file is from the journal. Go journaling!

3) The tool you want is called ext3grep and has directions here (for other Gentoo users this is in the portage tree)

4) You’ll need to find the inode number. For a deleted file, see the instructions. For a truncated file, this is easier: just remount the filesystem read-only (you’ll want to unmount or do this ASAP anyway to avoid the data being overwritten) and then “stat /path/file-i-truncated-oops”

5) While you really should read the instructions in #3 the punchline is to look at “ext3grep /dev/YOURDEV –show-journal-inodes INODE#” which was part of what you found in #4

6) Contrary to the description in #3, if you are using ext4 the direct-blocks will typically show extents now, and the relevant numbers will be the 5th/6th fields in in the form “small #” “big #”
Ie “Direct Blocks: 127754 4 0 0 14 144539840 0 0 0 0 0 0”
Which means you’ve got an extent starting at block 144539840 and running for 14 blocks.

7) The improved odds of contiguity with extents on ext4 is really, really nice.

This is mainly here to jog my own memory next time this happens, but if it’s useful for anyone else, cool. 🙂

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: