Linux debugfs Hack: Undelete Files

Posted by Unknown Senin, 07 Mei 2012 0 komentar
http://www.cyberciti.biz/tips/linux-ext3-ext4-deleted-files-recovery-howto.html


Undeletion means restoring files which have been deleted from Linux ext3 file system using rm command. Deleted files can be recovered on ext3 file systems using the debugfs program. This quick tutorial describes how to recover a file that was recently deleted using nothing but standard Linux command line utilities.

Only sys administrators and root user can view and recover the deleted files using debugfs command. You need to immediately unmount the file system the deleted file was located on to minimizes the risk that the data of the deleted file are overwritten by other users or system process.

A step-by-step guide for recovering files using debugfs

Create a text file called data.txt, enter:
echo 'This is a test' > data.txt
Display the index number (inode) of data.txt, enter:
ls -li data.txt
Sample outputs:
7536648 -rw-r--r-- 1 root root 15 May  3 12:40 data.txt
Please note down inode # 7536648. To find out the contents of the ext3 journal (block of data) using debugfs command. The syntax is as follows:
 
debugfs -w /dev/device/name/here
debugfs /dev/sda1
debugfs /dev/mapper/SysVolGroup-LogVolRoot
 
If your file system is on /dev/sda2, enter:
# debugfs -w /dev/sda2
If your file system is on /dev/mapper/wks01-root, enter:
# debugfs -w /dev/mapper/wks01-root
After some time, you will be presented with debugfs: prompt as follows:
debugfs 1.41.12 (17-May-2010)
debugfs:
Type the following command at debugfs: prompt to get block of data:
debugfs:  logdump -i <7536648>
Sample outputs:
Inode 7536648 is at group 230, block 7536642, offset 896
Journal starts at block 10875, transaction 38398034
FS block 7536642 logged at sequence 38398245, journal block 12418
(inode block for inode 7536648):
Inode: 7536648 Type: regular Mode: 0600 Flags: 0x0 Generation: 1050194965
User: 0 Group: 0 Size: 0
File ACL: 0 Directory ACL: 0
Links: 0 Blockcount: 0
Fragment: Address: 0 Number: 0 Size: 0
ctime: 0x4fa249ab -- Thu May 3 04:02:35 2012
atime: 0x4fa249ab -- Thu May 3 04:02:35 2012
mtime: 0x4fa249ab -- Thu May 3 04:02:35 2012
dtime: 0x4fa249ab -- Thu May 3 04:02:35 2012
Blocks:
FS block 7536642 logged at sequence 38398250, journal block 12537
(inode block for inode 7536648):
Inode: 7536648 Type: bad type Mode: 0000 Flags: 0x0 Generation: 0
User: 0 Group: 0 Size: 0
File ACL: 0 Directory ACL: 0
Links: 0 Blockcount: 0
Fragment: Address: 0 Number: 0 Size: 0
ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
Blocks:
FS block 7536642 logged at sequence 38398253, journal block 12592
(inode block for inode 7536648):
Inode: 7536648 Type: bad type Mode: 0000 Flags: 0x0 Generation: 0
User: 0 Group: 0 Size: 0
File ACL: 0 Directory ACL: 0
Links: 0 Blockcount: 0
Fragment: Address: 0 Number: 0 Size: 0
ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
Blocks:
FS block 7536642 logged at sequence 38398258, journal block 12711
(inode block for inode 7536648):
Inode: 7536648 Type: bad type Mode: 0000 Flags: 0x0 Generation: 0
User: 0 Group: 0 Size: 0
File ACL: 0 Directory ACL: 0
Links: 0 Blockcount: 0
Fragment: Address: 0 Number: 0 Size: 0
ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
Blocks:
FS block 7536642 logged at sequence 38398261, journal block 12765
(inode block for inode 7536648):
Inode: 7536648 Type: bad type Mode: 0000 Flags: 0x0 Generation: 0
User: 0 Group: 0 Size: 0
File ACL: 0 Directory ACL: 0
Links: 0 Blockcount: 0
Fragment: Address: 0 Number: 0 Size: 0
ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
Blocks:
FS block 7536642 logged at sequence 38398266, journal block 12855
(inode block for inode 7536648):
Inode: 7536648 Type: bad type Mode: 0000 Flags: 0x0 Generation: 0
User: 0 Group: 0 Size: 0
File ACL: 0 Directory ACL: 0
Links: 0 Blockcount: 0
Fragment: Address: 0 Number: 0 Size: 0
ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
Blocks:
FS block 7536642 logged at sequence 38398270, journal block 12913
(inode block for inode 7536648):
Inode: 7536648 Type: bad type Mode: 0000 Flags: 0x0 Generation: 0
User: 0 Group: 0 Size: 0
File ACL: 0 Directory ACL: 0
Links: 0 Blockcount: 0
Fragment: Address: 0 Number: 0 Size: 0
ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
Blocks:
FS block 7536642 logged at sequence 38398274, journal block 12981
(inode block for inode 7536648):
Inode: 7536648 Type: bad type Mode: 0000 Flags: 0x0 Generation: 0
User: 0 Group: 0 Size: 0
File ACL: 0 Directory ACL: 0
Links: 0 Blockcount: 0
Fragment: Address: 0 Number: 0 Size: 0
ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
Blocks:
FS block 7536642 logged at sequence 38398276, journal block 13034
(inode block for inode 7536648):
Inode: 7536648 Type: bad type Mode: 0000 Flags: 0x0 Generation: 0
User: 0 Group: 0 Size: 0
File ACL: 0 Directory ACL: 0
Links: 0 Blockcount: 0
Fragment: Address: 0 Number: 0 Size: 0
ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
Blocks:
FS block 7536642 logged at sequence 38398280, journal block 13190
(inode block for inode 7536648):
Inode: 7536648 Type: bad type Mode: 0000 Flags: 0x0 Generation: 0
User: 0 Group: 0 Size: 0
File ACL: 0 Directory ACL: 0
Links: 0 Blockcount: 0
Fragment: Address: 0 Number: 0 Size: 0
ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
Blocks:
FS block 7536642 logged at sequence 38398285, journal block 13252
(inode block for inode 7536648):
Inode: 7536648 Type: bad type Mode: 0000 Flags: 0x0 Generation: 0
User: 0 Group: 0 Size: 0
File ACL: 0 Directory ACL: 0
Links: 0 Blockcount: 0
Fragment: Address: 0 Number: 0 Size: 0
ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
Blocks:
FS block 7536642 logged at sequence 38398287, journal block 13302
(inode block for inode 7536648):
Inode: 7536648 Type: bad type Mode: 0000 Flags: 0x0 Generation: 0
User: 0 Group: 0 Size: 0
File ACL: 0 Directory ACL: 0
Links: 0 Blockcount: 0
Fragment: Address: 0 Number: 0 Size: 0
ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
Blocks:
FS block 7536642 logged at sequence 38398290, journal block 13355
(inode block for inode 7536648):
Inode: 7536648 Type: bad type Mode: 0000 Flags: 0x0 Generation: 0
User: 0 Group: 0 Size: 0
File ACL: 0 Directory ACL: 0
Links: 0 Blockcount: 0
Fragment: Address: 0 Number: 0 Size: 0
ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
Blocks:
FS block 7536642 logged at sequence 38398293, journal block 13409
(inode block for inode 7536648):
Inode: 7536648 Type: bad type Mode: 0000 Flags: 0x0 Generation: 0
User: 0 Group: 0 Size: 0
File ACL: 0 Directory ACL: 0
Links: 0 Blockcount: 0
Fragment: Address: 0 Number: 0 Size: 0
ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
Blocks:
FS block 7536642 logged at sequence 38398298, journal block 13471
(inode block for inode 7536648):
Inode: 7536648 Type: bad type Mode: 0000 Flags: 0x0 Generation: 0
User: 0 Group: 0 Size: 0
File ACL: 0 Directory ACL: 0
Links: 0 Blockcount: 0
Fragment: Address: 0 Number: 0 Size: 0
ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
Blocks:
FS block 7536642 logged at sequence 38398302, journal block 13604
(inode block for inode 7536648):
Inode: 7536648 Type: bad type Mode: 0000 Flags: 0x0 Generation: 0
User: 0 Group: 0 Size: 0
File ACL: 0 Directory ACL: 0
Links: 0 Blockcount: 0
Fragment: Address: 0 Number: 0 Size: 0
ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
Blocks:
FS block 7536642 logged at sequence 38398307, journal block 13700
(inode block for inode 7536648):
Inode: 7536648 Type: bad type Mode: 0000 Flags: 0x0 Generation: 0
User: 0 Group: 0 Size: 0
File ACL: 0 Directory ACL: 0
Links: 0 Blockcount: 0
Fragment: Address: 0 Number: 0 Size: 0
ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
Blocks:
FS block 7536642 logged at sequence 38398311, journal block 13756
(inode block for inode 7536648):
Inode: 7536648 Type: bad type Mode: 0000 Flags: 0x0 Generation: 0
User: 0 Group: 0 Size: 0
File ACL: 0 Directory ACL: 0
Links: 0 Blockcount: 0
Fragment: Address: 0 Number: 0 Size: 0
ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
Blocks:
FS block 7536642 logged at sequence 38398314, journal block 13809
(inode block for inode 7536648):
Inode: 7536648 Type: bad type Mode: 0000 Flags: 0x0 Generation: 0
User: 0 Group: 0 Size: 0
File ACL: 0 Directory ACL: 0
Links: 0 Blockcount: 0
Fragment: Address: 0 Number: 0 Size: 0
ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
Blocks:
FS block 7536642 logged at sequence 38398317, journal block 13864
(inode block for inode 7536648):
Inode: 7536648 Type: bad type Mode: 0000 Flags: 0x0 Generation: 0
User: 0 Group: 0 Size: 0
File ACL: 0 Directory ACL: 0
Links: 0 Blockcount: 0
Fragment: Address: 0 Number: 0 Size: 0
ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
Blocks:
FS block 7536642 logged at sequence 38398320, journal block 13921
(inode block for inode 7536648):
Inode: 7536648 Type: bad type Mode: 0000 Flags: 0x0 Generation: 0
User: 0 Group: 0 Size: 0
File ACL: 0 Directory ACL: 0
Links: 0 Blockcount: 0
Fragment: Address: 0 Number: 0 Size: 0
ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
Blocks:
FS block 7536642 logged at sequence 38398325, journal block 13980
(inode block for inode 7536648):
Inode: 7536648 Type: bad type Mode: 0000 Flags: 0x0 Generation: 0
User: 0 Group: 0 Size: 0
File ACL: 0 Directory ACL: 0
Links: 0 Blockcount: 0
Fragment: Address: 0 Number: 0 Size: 0
ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
Blocks:
FS block 7536642 logged at sequence 38401277, journal block 23924
(inode block for inode 7536648):
Inode: 7536648 Type: bad type Mode: 0000 Flags: 0x0 Generation: 0
User: 0 Group: 0 Size: 0
File ACL: 0 Directory ACL: 0
Links: 0 Blockcount: 0
Fragment: Address: 0 Number: 0 Size: 0
ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
Blocks:
FS block 7536642 logged at sequence 38401314, journal block 24107
(inode block for inode 7536648):
Inode: 7536648 Type: bad type Mode: 0000 Flags: 0x0 Generation: 0
User: 0 Group: 0 Size: 0
File ACL: 0 Directory ACL: 0
Links: 0 Blockcount: 0
Fragment: Address: 0 Number: 0 Size: 0
ctime: 0x00000000 -- Wed Dec 31 18:00:00 1969
atime: 0x00000000 -- Wed Dec 31 18:00:00 1969
mtime: 0x00000000 -- Wed Dec 31 18:00:00 1969
Blocks:
FS block 7536642 logged at sequence 38401325, journal block 24146
(inode block for inode 7536648):
Inode: 7536648 Type: regular Mode: 0644 Flags: 0x0 Generation: 1050269005
User: 0 Group: 0 Size: 15
File ACL: 0 Directory ACL: 0
Links: 1 Blockcount: 8
Fragment: Address: 0 Number: 0 Size: 0
ctime: 0x4fa2c307 -- Thu May 3 12:40:23 2012
atime: 0x4fa2c307 -- Thu May 3 12:40:23 2012
mtime: 0x4fa2c307 -- Thu May 3 12:40:23 2012
Blocks: (0+1): 7559168
Found sequence 38395723 (not 38401480) at block 24688: end of journal.
Please note down Blocks: (0+1): 7559168 line. Type the following command to remove data.txt file, enter:
rm data.txt
ls data.txt

Sample outputs:
ls: cannot access data.txt: No such file or directory
To recover file, enter:
# dd if=/dev/mapper/wks01-root of=data.txt bs=4096 count=1 skip=7559168
Sample outputs:
1+0 records in
1+0 records out
4096 bytes (4.1 kB) copied, 0.010884 seconds, 376 kB/s
Verify that data is recovered, enter:
cat data.txt
Sample outputs:
This is a test

Howto: Recover a file when you don't know inode number

Delete a file called 521.sh:
rm 521.sh
Type the following command:
# debugfs -w /dev/mapper/wks01-root
At debugfs: prompt type lsdel command:
debugfs: lsdel
Sample outputs:
 Inode  Owner  Mode    Size    Blocks   Time deleted
23601299 0 120777 3 1/ 1 Tue Mar 13 16:17:30 2012
7536655 0 120777 3 1/ 1 Tue May 1 06:21:22 2012
2 deleted inodes found.
Get block data, enter:
debugfs: logdump -i <7536655>
Sample outputs:
Inode 7536655 is at group 230, block 7536642, offset 1792
Journal starts at block 10875, transaction 38398034
FS block 7536642 logged at sequence 38398245, journal block 12418
(inode block for inode 7536655):
Inode: 7536655 Type: symlink Mode: 0777 Flags: 0x0 Generation: 3532221116
User: 0 Group: 0 Size: 3
File ACL: 0 Directory ACL: 0
Links: 0 Blockcount: 0
Fragment: Address: 0 Number: 0 Size: 0
ctime: 0x4f9fc732 -- Tue May 1 06:21:22 2012
atime: 0x4f9fc730 -- Tue May 1 06:21:20 2012
mtime: 0x4f9fc72f -- Tue May 1 06:21:19 2012
dtime: 0x4f9fc732 -- Tue May 1 06:21:22 2012
Fast_link_dest: bin
Blocks: (0+1): 7235938
FS block 7536642 logged at sequence 38398250, journal block 12537
(inode block for inode 7536655):
Inode: 7536655 Type: symlink Mode: 0777 Flags: 0x0 Generation: 3532221116
User: 0 Group: 0 Size: 3
File ACL: 0 Directory ACL: 0
Links: 0 Blockcount: 0
Fragment: Address: 0 Number: 0 Size: 0
ctime: 0x4f9fc732 -- Tue May 1 06:21:22 2012
atime: 0x4f9fc730 -- Tue May 1 06:21:20 2012
mtime: 0x4f9fc72f -- Tue May 1 06:21:19 2012
dtime: 0x4f9fc732 -- Tue May 1 06:21:22 2012
Fast_link_dest: bin
Blocks: (0+1): 7235938
FS block 7536642 logged at sequence 38398253, journal block 12592
(inode block for inode 7536655):
Inode: 7536655 Type: symlink Mode: 0777 Flags: 0x0 Generation: 3532221116
User: 0 Group: 0 Size: 3
File ACL: 0 Directory ACL: 0
Links: 0 Blockcount: 0
Fragment: Address: 0 Number: 0 Size: 0
ctime: 0x4f9fc732 -- Tue May 1 06:21:22 2012
atime: 0x4f9fc730 -- Tue May 1 06:21:20 2012
mtime: 0x4f9fc72f -- Tue May 1 06:21:19 2012
dtime: 0x4f9fc732 -- Tue May 1 06:21:22 2012
Fast_link_dest: bin
Blocks: (0+1): 7235938
...
...
....
output truncated
Fast_link_dest: bin
Blocks: (0+1): 7235938
FS block 7536642 logged at sequence 38402086, journal block 26711
(inode block for inode 7536655):
Inode: 7536655 Type: symlink Mode: 0777 Flags: 0x0 Generation: 3532221116
User: 0 Group: 0 Size: 3
File ACL: 0 Directory ACL: 0
Links: 0 Blockcount: 0
Fragment: Address: 0 Number: 0 Size: 0
ctime: 0x4f9fc732 -- Tue May 1 06:21:22 2012
atime: 0x4f9fc730 -- Tue May 1 06:21:20 2012
mtime: 0x4f9fc72f -- Tue May 1 06:21:19 2012
dtime: 0x4f9fc732 -- Tue May 1 06:21:22 2012
Fast_link_dest: bin
Blocks: (0+1): 7235938
No magic number at block 28053: end of journal.
Type the following command:
# dd if=/dev/mapper/wks01-root of=recovered.file.001 bs=4096 count=1 skip=7235938
# file recovered.file.001

Sample outputs:
file: ASCII text, with very long lines
View file, enter:
# more recovered.file.001

A note about easy to use tool called photorec

Now, you know basic hacks for recovering files under ext3 or ext4. However, I strongly recommend that you make backups. It cannot be stressed enough how important it is to make a backup. Another, option is PhotoRec software. It is file data recovery software designed to recover lost files including video, documents and archives from hard disks, CD-ROMs, and lost pictures from digital camera memory. PhotoRec ignores the file system and goes after the underlying data, so it will still work even if your media's file system has been severely damaged or reformatted. PhotoRec is free - this open source multi-platform application is distributed under GNU General Public License (GPLV v2+). PhotoRec is a companion program to TestDisk, an app for recovering lost partitions on a wide variety of file systems and making non-bootable disks bootable again. You can download them from this link. You can install testdisk using the following apt-get command or yum command:
# yum install testdisk
OR
# apt-get install testdisk
To recover files simply type:
# photorec
Stay tuned, for more information on photorec and testdisk data recovery tools. I recommend that you view the manual page on debugfs using the following command for more information:
$ man debugfs
TERIMA KASIH ATAS KUNJUNGAN SAUDARA
Judul: Linux debugfs Hack: Undelete Files
Ditulis oleh Unknown
Rating Blog 5 dari 5
Semoga artikel ini bermanfaat bagi saudara. Jika ingin mengutip, baik itu sebagian atau keseluruhan dari isi artikel ini harap menyertakan link dofollow ke http://androidjapane.blogspot.com/2012/05/linux-debugfs-hack-undelete-files.html. Terima kasih sudah singgah membaca artikel ini.

0 komentar:

Posting Komentar

Trik SEO Terbaru support Online Shop Baju Wanita - Original design by Bamz | Copyright of android japan.