13 December 2009

How to recover lost data on an ext3/4 partition


I recently had a late-night oopsie with tar, overwriting the file I wanted to package (source code I had worked on for a week). After a few seconds of creepy feelings, I remembered that I use a journaling filesystem and thus, there would be a good chance that there would be several copies of the data still physically lying around on the storage medium.

So, what should you do when you have lost a file? For your first action, you have two options.

First option: Power off the system without shutting it down, then boot from a live CD. The foolproof option.

Second option: If you can ensure that no new files will be created on the filesystem where the loss occurred while you are trying to recover the data, you can work from the running system and avoid further potential data loss from uncleanly powering down the system.

Next, become root and grep the filesystem where the data loss took place.

grep -a -B300 -A300 "searchString" /dev/sdb1 > dumpfile

searchString is a piece of text that preferably only occurs in your lost file. Try to be as specific as possible so you ideally only get results from the file's contents. The -B and -A options specify the number of context lines to output before and after each match. Choose values large enough to include the entire lost file, if possible. Replace /dev/sdb1 with the device node of the filesystem where the lost data is. You can find out the node by just running mount without parameters. dumpfile is the target file containing the found text. Of course the dump file should not be saved on the partition where you lost the data! Save it on another filesystem or a tmpfs if you have one set up. Mounting a USB stick or something for the dump file may be risky because a device node will be created on the root partition, which stinks if your lost data sits exactly there.

After grep is done, examine the dump file with a text editor. If you are certain that it contains your entire lost file in a usable or recoverable state, you can start copying and pasting into empty files, restoring various versions of your file of which a few will probably be current.
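The grep step above, wrapped as an added example (not from the original post) that refuses to write the dump onto the filesystem being searched and forces byte-wise, literal matching. The function names carve_text, match_offsets and fs_source are hypothetical, and match_offsets goes slightly beyond the post by listing byte offsets of each hit.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not part of any tool.

# Print the device (or pseudo-filesystem name) backing the filesystem
# that holds the path given as $1.
fs_source() {
    df -P "$1" | awk 'NR==2 {print $1}'
}

# carve_text SOURCE STRING CONTEXT_LINES DUMPFILE
# Exit status: 0 = at least one match, 1 = no match, 2 = refused or error.
carve_text() {
    src=$1; needle=$2; ctx=$3; dump=$4
    dumpdir=$(dirname "$dump")
    # Never write the dump onto the filesystem being searched: every
    # block written there may overwrite the data we are looking for.
    if [ "$(fs_source "$dumpdir")" = "$src" ]; then
        echo "refusing: $dump lives on $src" >&2
        return 2
    fi
    [ -r "$src" ] || { echo "cannot read $src (are you root?)" >&2; return 2; }
    # LC_ALL=C: match bytes, not multibyte characters (raw data is not
    #           valid UTF-8, and byte matching is also faster)
    # -a: treat binary data as text   -F: search string is literal
    LC_ALL=C grep -a -F -B"$ctx" -A"$ctx" -e "$needle" "$src" > "$dump"
}

# match_offsets SOURCE STRING
# Print the byte offset of every occurrence, one per line.
match_offsets() {
    LC_ALL=C grep -a -b -o -F -e "$2" "$1" | cut -d: -f1
}
```

Called as `carve_text /dev/sdb1 "searchString" 300 /mnt/other/dumpfile`, it behaves like the command in the post. The offsets from match_offsets help when binary data makes the "lines" around a match very long, because they tell you where on the device each copy sits.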

2 comments:

  1. That was a cool explanation of the extraction of lost data from a dead hard drive. I think you are a genius and need respect from me. You have done a great job.

  2. Thanks, necessity is the mother of invention :-) In that situation, I was really very glad to use a *nix system.
