rm -rf ext4+ecryptfs Undelete

or…

Recovering deleted files in ext4 filesystem with Ubuntu encrypted home

Prologue…

This post may be useful if  you realize the mistake right after running rm -rf foldername.

It uses tools that try to recover deleted ext4 files based on a recent copy of blockpointers in the filesystem journal.

The files I have deleted were inside my home folder, which was encrypted via ecryptfs, the Ubuntu standard home encryption scheme.

Even though the files were innocent standard jpg photos, they were actually written to the disk as horribly named files with meaningless contents (they can only have some meaning after the appropriate kernel module uses your password and does some magic with it… that’s what encryption is all about). So there are two steps in this solution:

  1. recovering deleted ext4 files that are still on the disk
  2. getting your true files from horribly named files with meaningless contents

The instructions below also work if the files were not inside an encrypted home (it’s even easier, just ignore the last part). In such case this is not the only (and probably not the best) way to recover your files. There are methods based on the presence of media files on the disk regardless of the filesystem, of which photorec is an impressively powerful tool.

I’m also curious about using the latter approach with encrypted home. However, one would need to understand deeply the ecryptfs file storage structure to develop a method/tool that would work in this case, since the encrypted files are totally invisible to existing tools. I am unaware of a successful recovery using this approach.

In any case, comments are welcome, whether you know about other recovery methods, whether you tried this and could or could not recover your files.

First thing

First thing one must do is nothing: close the desktop login session, power off normally, and not power on again. (I’m not sure here though… perhaps unplugging battery and power source could be more effective than logging out etc, as less stuff would reach the disk.)

Before applying the instructions below, it is recommended to read a little bit about ext3grep and extundelete.

Assuming:

  • Want to recover files deleted inside the home directory
  • It is encrypted via ecryptfs, Ubuntu’s default home encryption setting
  • The username is $USER
  • The homefolder is /home/$USER
  • The concerned partition is /dev/sda1
  • You already made a raw clone of /dev/sda1
    (If you don’t want to make a raw clone, and you need to mount this partition, make sure you mount with the ro,noload options.)
  • /media/disk/foo is a folder with a lot of free space

So, here we go…

  1. Boot a LiveCD and make sure you don’t mount /dev/sda1

  2. Download, install and compile:

    cd /media/disk/foo
    wget http://downloads.sourceforge.net/project/extundelete/extundelete/0.2.0/extundelete-0.2.0.tar.bz2
    sudo apt-get install -y e2fsprogs e2fslibs e2fslibs-dev g++
    tar xfvj extundelete-0.2.0.tar.bz2
    cd extundelete-0.2.0/
    ./configure
    make
    cd ..
    

    Update: there are newer versions of extundelete, you may want to take a look.

  3. You can limit the search to the instant when you made this deletion:

    sudo extundelete-0.2.0/src/extundelete --after `date -d 'Aug 16 02:35' +%s`\
                 --before `date -d 'Aug 16 02:50' +%s` --restore-all /dev/sda1
  4. But if this is not enough, you can try recovering whatever extundelete can find:

    sudo extundelete-0.2.0/src/extundelete --restore-all /dev/sda1
  5. Check that the recovered data is located in paths like this:

    du /media/disk/foo/RECOVERED_FILES/ --max-depth=4
    :
    :
    :
    46776	/media/disk/foo/RECOVERED_FILES/.ecryptfs/$USER/.Private
    46780	/media/disk/foo/RECOVERED_FILES/.ecryptfs/$USER
    46784	/media/disk/foo/RECOVERED_FILES/.ecryptfs
    9180	/media/disk/foo/RECOVERED_FILES/lost+found
    94804	/media/disk/foo/RECOVERED_FILES/
  6. Reboot, log in as $USER (Remember, this is assuming you already made a raw clone of /dev/sda1 !)

    cd /home/$USER/.Private
    mkdir RECOVERED_FILES
    cd RECOVERED_FILES
    mkdir inodes
    mkdir files
    cp /media/disk/foo/RECOVERED_FILES/inode.* inodes/
    cp /media/disk/foo/RECOVERED_FILES/file.* files/
    cp /media/disk/foo/RECOVERED_FILES/lost+found/ . -r
    cp /media/disk/foo/RECOVERED_FILES/.ecryptfs/$USER/.Private home/ -r

Now see if some of your files may be found in RECOVERED_FILES inside  your home. Maybe with their full paths, maybe only the names, maybe just the files with strange names, maybe nothing at all… Hope this is helpful, though.

Credit

I learnt it mostly from gimi’s post. I found it through googlecache, I couldn’t reach the blog itself at that time, and I couldn’t comment there (I had a problem with bind-mounting the recovered folder inside the encrypted folder, ecryptfs didn’t seem to care about the presence of a folder being mounted there afterwards), so I started my own version of the mini-tutorial. Now gimi’s blog is available, but googlecache isn’t.

Epilogue

Next time just don’t delete. You are struggling against the whole filesystem conception here. From the ext3FAQ:

Q: How can I recover (undelete) deleted files from my ext3 partition?
A: Actually, you can’t! [...]
In order to ensure that ext3 can safely resume an unlink after a crash, it actually zeros out the block pointers in the inode, whereas ext2 just marks these blocks as unused in the block bitmaps and marks the inode as “deleted” and leaves the block pointers alone. [...]

Have backups, move to /tmp, move to the trash bin, but be careful with rm.

About these ads
This entry was posted in Uncategorized. Bookmark the permalink.

14 Responses to rm -rf ext4+ecryptfs Undelete

  1. Pingback: Undelete eCryptfs encrypted files : Snippets

  2. gimi says:

    Hello,

    I’m the one who just did the same as you did with “find -delete”. Tried to write you a mail but there’s no way for me to get your address. Would you contact me please?

    What errors did you get there?

    The link http://gimi.name/snippets/undelete-ecryptfs-encrypted-files/ shouldn’t be unavailable at all, but the google cache link you posted is. :)

    Regards, gimi

    • wikinewbie says:

      Hi! Sorry, indeed your post has been back online for quite a while and googlecache has not. I will fix it. Abot the erros, when I was searching for an undelete solution for ecryptfs files, I could only find the cache, the true link was broken.

      For the erros, I think there was no serious “error”, from what I remember it was: a newer extundelete release; the files not being exactly at that the right folder (I don’t have a home folder, but a partition whose root folder is mounted at /home); and mostly that bind-mounting the recovered folder into /home/.ecryptfs/username/.Private was not working, so I had to copy the files.

      Thanks for the comments and the link.

  3. Bob says:

    You lose me at step 5. Did you copy your RECOVERED_FILES directory into “/media/disk/foo/RECOVERED_FILES/” ?

    After I run extundelete in step 4 it puts RECOVERED_FILES directory into my current directory.

    • wikinewbie says:

      After Step 2 the current directory should be /media/disk/foo. Otherwise you can adapt Steps 5 and 6 with the correct path to RECOVERED_FILES. Tell me if you succeed in recovering some of your files.

      • Bob says:

        It is my understanding when trying to recover data with either extundelete or ext3grep that you should unmount the partition that you are trying to recover data from. Is that correct? Yes I was able to recover a very small portion of my data. Only 5 MB out of 3 GB :(. Unfortunately I was not able to decrypt the data. When I see you using the directory /media/disk/foo that makes me think that your partition is mounted. Is that correct? On my live cd I don’t have anything in my /media directory until I mount a partition with a program like Nautilus.

      • wikinewbie says:

        In the post you are advised never to mount the affected partition while undeleting. After making a raw clone of the disk and having saved the undeleted files on the external disk, copy them to ~/.Private/ as in step 6 and they should appear decrypted inside ~/RECOVERED_FILES

  4. Bob says:

    I don’t have ~/.Private/. The only ~/.Private/ directory I have is locate here:
    ~ $ sudo find / -type d -iname '.Private' 2>/dev/null
    /media/4fa4e92e-3532-48fd-a83d-6ea340a669b6/.ecryptfs/bob/.Private

    • wikinewbie says:

      So, in step 6, you will reboot and log in, it should ecryptfs-mount the folder you found at /home/$USER/ and there should be a .Private there linking to the folder you found. Otherwise just copy directly there instead.

  5. Pingback: Ext4 undelete utilities? Drija

  6. jlb says:

    Hello,

    You have save my life man !

    Thanks

    Jean-Louis

    From france

  7. ryje says:

    Recovered a bunch of screen captures from long distance Skype chats – lots of happy memories. Thanks so much!

  8. Pingback: Ext4 Undelete Utilities? | Click & Find Answer !

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s