Recovering deleted files in ext4 filesystem with Ubuntu encrypted home
This post may be useful if you realize the mistake right after running
rm -rf foldername.
It uses tools that try to recover deleted
ext4 files based on a recent copy of blockpointers in the filesystem journal.
The files I have deleted were inside my home folder, which was encrypted via
ecryptfs, the Ubuntu standard home encryption scheme.
Even though the files were innocent standard jpg photos, they were actually written to the disk as horribly named files with meaningless contents (they can only have some meaning after the appropriate kernel module uses your password and does some magic with it… that’s what encryption is all about). So there are two steps in this solution:
- recovering deleted ext4 files that are still on the disk
- getting your true files from horribly named files with meaningless contents
The instructions below also work if the files were not inside an encrypted home (it’s even easier, just ignore the last part). In such case this is not the only (and probably not the best) way to recover your files. There are methods based on the presence of media files on the disk regardless of the filesystem, of which photorec is an impressively powerful tool.
I’m also curious about using the latter approach with encrypted home. However, one would need to understand deeply the
ecryptfs file storage structure to develop a method/tool that would work in this case, since the encrypted files are totally invisible to existing tools. I am unaware of a successful recovery using this approach.
In any case, comments are welcome, whether you know about other recovery methods, whether you tried this and could or could not recover your files.
First thing one must do is nothing: close the desktop login session, power off normally, and not power on again. (I’m not sure here though… perhaps unplugging battery and power source could be more effective than logging out etc, as less stuff would reach the disk.)
- Want to recover files deleted inside the home directory
- It is encrypted via
ecryptfs, Ubuntu’s default home encryption setting
- The username is
- The homefolder is
- The concerned partition is
- You already made a raw clone of
(If you don’t want to make a raw clone, and you need to mount this partition, make sure you mount with the
/media/disk/foois a folder with a lot of free space
So, here we go…
Boot a LiveCD and make sure you don’t mount
Download, install and compile:
cd /media/disk/foo wget http://downloads.sourceforge.net/project/extundelete/extundelete/0.2.0/extundelete-0.2.0.tar.bz2 sudo apt-get install -y e2fsprogs e2fslibs e2fslibs-dev g++ tar xfvj extundelete-0.2.0.tar.bz2 cd extundelete-0.2.0/ ./configure make cd ..
Update: there are newer versions of extundelete, you may want to take a look.
You can limit the search to the instant when you made this deletion:
sudo extundelete-0.2.0/src/extundelete --after `date -d 'Aug 16 02:35' +%s`\ --before `date -d 'Aug 16 02:50' +%s` --restore-all /dev/sda1
But if this is not enough, you can try recovering whatever
sudo extundelete-0.2.0/src/extundelete --restore-all /dev/sda1
Check that the recovered data is located in paths like this:
du /media/disk/foo/RECOVERED_FILES/ --max-depth=4 : : : 46776 /media/disk/foo/RECOVERED_FILES/.ecryptfs/$USER/.Private 46780 /media/disk/foo/RECOVERED_FILES/.ecryptfs/$USER 46784 /media/disk/foo/RECOVERED_FILES/.ecryptfs 9180 /media/disk/foo/RECOVERED_FILES/lost+found 94804 /media/disk/foo/RECOVERED_FILES/
Reboot, log in as
$USER(Remember, this is assuming you already made a raw clone of
cd /home/$USER/.Private mkdir RECOVERED_FILES cd RECOVERED_FILES mkdir inodes mkdir files cp /media/disk/foo/RECOVERED_FILES/inode.* inodes/ cp /media/disk/foo/RECOVERED_FILES/file.* files/ cp /media/disk/foo/RECOVERED_FILES/lost+found/ . -r cp /media/disk/foo/RECOVERED_FILES/.ecryptfs/$USER/.Private home/ -r
Now see if some of your files may be found in
RECOVERED_FILES inside your home. Maybe with their full paths, maybe only the names, maybe just the files with strange names, maybe nothing at all… Hope this is helpful, though.
I learnt it mostly from gimi’s post. I found it through googlecache, I couldn’t reach the blog itself at that time, and I couldn’t comment there (I had a problem with bind-mounting the recovered folder inside the encrypted folder, ecryptfs didn’t seem to care about the presence of a folder being mounted there afterwards), so I started my own version of the mini-tutorial. Now gimi’s blog is available, but googlecache isn’t.
Next time just don’t delete. You are struggling against the whole filesystem conception here. From the ext3FAQ:
Q: How can I recover (undelete) deleted files from my ext3 partition?
A: Actually, you can’t! [...]
In order to ensure that ext3 can safely resume an unlink after a crash, it actually zeros out the block pointers in the inode, whereas ext2 just marks these blocks as unused in the block bitmaps and marks the inode as “deleted” and leaves the block pointers alone. [...]
Have backups, move to
/tmp, move to the trash bin, but be careful with