or…
Recovering deleted files in ext4 filesystem with Ubuntu encrypted home
Prologue…
This post may be useful if you realize the mistake right after running rm -rf foldername.
It uses tools that try to recover deleted ext4 files based on a recent copy of block pointers in the filesystem journal.
The files I deleted were inside my home folder, which was encrypted via ecryptfs, the Ubuntu standard home encryption scheme.
Even though the files were innocent standard jpg photos, they were actually written to the disk as horribly named files with meaningless contents (they can only have some meaning after the appropriate kernel module uses your password and does some magic with it… that’s what encryption is all about). So there are two steps in this solution:
- recovering deleted ext4 files that are still on the disk
- getting your true files from horribly named files with meaningless contents
The instructions below also work if the files were not inside an encrypted home (it’s even easier, just ignore the last part). In that case this is not the only (and probably not the best) way to recover your files. There are methods that look for media files on the disk regardless of the filesystem, of which photorec is an impressively powerful tool.
I’m also curious about using the latter approach with an encrypted home. However, one would need a deep understanding of the ecryptfs file storage structure to develop a method/tool that would work in this case, since the encrypted files are totally invisible to existing tools. I am unaware of a successful recovery using this approach.
In any case, comments are welcome, whether you know about other recovery methods, whether you tried this and could or could not recover your files.
First thing
The first thing one must do is nothing: close the desktop login session, power off normally, and do not power on again. (I’m not sure here though… perhaps unplugging the battery and power source could be more effective than logging out etc., as less stuff would reach the disk.)
Before applying the instructions below, it is recommended to read a little bit about ext3grep and extundelete.
Assuming:
- Want to recover files deleted inside the home directory
- It is encrypted via ecryptfs, Ubuntu’s default home encryption setting
- The username is $USER
- The home folder is /home/$USER
- The concerned partition is /dev/sda1
- You already made a raw clone of /dev/sda1 (If you don’t want to make a raw clone, and you need to mount this partition, make sure you mount with the ro,noload options.)
- /media/disk/foo is a folder with a lot of free space
So, here we go…
1. Boot a LiveCD and make sure you don’t mount /dev/sda1
2. Download, install and compile:
    cd /media/disk/foo
    wget http://downloads.sourceforge.net/project/extundelete/extundelete/0.2.0/extundelete-0.2.0.tar.bz2
    sudo apt-get install -y e2fsprogs e2fslibs e2fslibs-dev g++
    tar xfvj extundelete-0.2.0.tar.bz2
    cd extundelete-0.2.0/
    ./configure
    make
    cd ..
   Update: there are newer versions of extundelete, you may want to take a look.
3. You can limit the search to the instant when you made this deletion:
    sudo extundelete-0.2.0/src/extundelete --after `date -d 'Aug 16 02:35' +%s` \
        --before `date -d 'Aug 16 02:50' +%s` --restore-all /dev/sda1
4. But if this is not enough, you can try recovering whatever extundelete can find:
    sudo extundelete-0.2.0/src/extundelete --restore-all /dev/sda1
5. Check that the recovered data is located in paths like this:
    du /media/disk/foo/RECOVERED_FILES/ --max-depth=4
    :
    :
    :
    46776 /media/disk/foo/RECOVERED_FILES/.ecryptfs/$USER/.Private
    46780 /media/disk/foo/RECOVERED_FILES/.ecryptfs/$USER
    46784 /media/disk/foo/RECOVERED_FILES/.ecryptfs
    9180 /media/disk/foo/RECOVERED_FILES/lost+found
    94804 /media/disk/foo/RECOVERED_FILES/
6. Reboot, log in as $USER (Remember, this is assuming you already made a raw clone of /dev/sda1!)
    cd /home/$USER/.Private
    mkdir RECOVERED_FILES
    cd RECOVERED_FILES
    mkdir inodes
    mkdir files
    cp /media/disk/foo/RECOVERED_FILES/inode.* inodes/
    cp /media/disk/foo/RECOVERED_FILES/file.* files/
    cp /media/disk/foo/RECOVERED_FILES/lost+found/ . -r
    cp /media/disk/foo/RECOVERED_FILES/.ecryptfs/$USER/.Private home/ -r
Now see if some of your files may be found in RECOVERED_FILES inside your home. Maybe with their full paths, maybe only the names, maybe just the files with strange names, maybe nothing at all… Hope this is helpful, though.
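A way to tell which recovered files are worth copying into .Private at all, as an added example that is not part of the original post. It assumes the eCryptfs header is stored at the start of each lower file (Ubuntu's default layout): an 8-byte big-endian plaintext size, then an 8-byte marker whose two halves XOR to 0x3c81b7f5. The function names and the sample files are made up for illustration.

```shell
#!/bin/sh
# Added example: triage extundelete output by eCryptfs header.
# Assumed layout (header kept in the lower file, Ubuntu's default):
#   bytes 0-7   plaintext size, big-endian
#   bytes 8-15  marker: 4 random bytes, then those bytes XOR 0x3c81b7f5
ECRYPTFS_MAGIC=0x3c81b7f5

# hex_at FILE OFFSET LEN -> LEN bytes at OFFSET as one hex string
hex_at() {
    od -An -tx1 -j"$2" -N"$3" "$1" 2>/dev/null | tr -d ' \n'
}

# Succeeds only if FILE carries a valid eCryptfs marker at bytes 8-15.
ecryptfs_marker_ok() {
    hex=$(hex_at "$1" 8 8)
    [ "${#hex}" -eq 16 ] || return 1      # truncated file: no full marker
    m1=$((0x${hex%????????}))             # first 4 marker bytes
    m2=$((0x${hex#????????}))             # last 4 marker bytes
    [ $((m1 ^ $ECRYPTFS_MAGIC)) -eq "$m2" ]
}

# Prints the plaintext size recorded in the header (decimal).
ecryptfs_plain_size() {
    echo $((0x$(hex_at "$1" 0 8)))
}

# Walks DIR and prints one line per regular file:
#   "ecryptfs <plaintext-size> <path>"  or  "other <path>"
triage_recovered() {
    find "$1" -type f | sort | while IFS= read -r f; do
        if ecryptfs_marker_ok "$f"; then
            echo "ecryptfs $(ecryptfs_plain_size "$f") $f"
        else
            echo "other $f"
        fi
    done
}

# Constructed sample (not real recovered data): one file with a valid
# header claiming 4096 plaintext bytes, and one plain text file.
make_sample() {
    mkdir -p "$1"
    printf '\000\000\000\000\000\000\020\000\001\002\003\004\075\203\264\361' > "$1/file.1001"
    printf 'just some text, not an eCryptfs lower file\n' > "$1/file.1002"
}
```

Run `triage_recovered /media/disk/foo/RECOVERED_FILES` after step 5. A valid marker only shows that the header block survived; the data blocks behind it may still have been overwritten.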
Credit
I learnt it mostly from gimi’s post. I found it through googlecache, I couldn’t reach the blog itself at that time, and I couldn’t comment there (I had a problem with bind-mounting the recovered folder inside the encrypted folder, ecryptfs didn’t seem to care about the presence of a folder being mounted there afterwards), so I started my own version of the mini-tutorial. Now gimi’s blog is available, but googlecache isn’t.
Epilogue
Next time just don’t delete. You are fighting the whole design of the filesystem here. From the ext3 FAQ:
Q: How can I recover (undelete) deleted files from my ext3 partition?
A: Actually, you can’t! […]
In order to ensure that ext3 can safely resume an unlink after a crash, it actually zeros out the block pointers in the inode, whereas ext2 just marks these blocks as unused in the block bitmaps and marks the inode as “deleted” and leaves the block pointers alone. […]
Have backups, move to /tmp, move to the trash bin, but be careful with rm.
Hello,
I’m the one who just did the same as you did with “find -delete”. Tried to write you a mail but there’s no way for me to get your address. Would you contact me please?
What errors did you get there?
The link http://gimi.name/snippets/undelete-ecryptfs-encrypted-files/ shouldn’t be unavailable at all, but the google cache link you posted is. 🙂
Regards, gimi
Hi! Sorry, indeed your post has been back online for quite a while and googlecache has not. I will fix it. About the errors, when I was searching for an undelete solution for ecryptfs files, I could only find the cache, the true link was broken.
For the errors, I think there was no serious “error”, from what I remember it was: a newer extundelete release; the files not being exactly at the right folder (I don’t have a home folder, but a partition whose root folder is mounted at /home); and mostly that bind-mounting the recovered folder into /home/.ecryptfs/username/.Private was not working, so I had to copy the files.
Thanks for the comments and the link.
You lose me at step 5. Did you copy your RECOVERED_FILES directory into “/media/disk/foo/RECOVERED_FILES/” ?
After I run extundelete in step 4 it puts RECOVERED_FILES directory into my current directory.
After Step 2 the current directory should be /media/disk/foo. Otherwise you can adapt Steps 5 and 6 with the correct path to RECOVERED_FILES. Tell me if you succeed in recovering some of your files.
It is my understanding when trying to recover data with either extundelete or ext3grep that you should unmount the partition that you are trying to recover data from. Is that correct? Yes I was able to recover a very small portion of my data. Only 5 MB out of 3 GB :(. Unfortunately I was not able to decrypt the data. When I see you using the directory /media/disk/foo that makes me think that your partition is mounted. Is that correct? On my live cd I don’t have anything in my /media directory until I mount a partition with a program like Nautilus.
In the post you are advised never to mount the affected partition while undeleting. After making a raw clone of the disk and having saved the undeleted files on the external disk, copy them to ~/.Private/ as in step 6 and they should appear decrypted inside ~/RECOVERED_FILES.
I don’t have ~/.Private/. The only ~/.Private/ directory I have is located here:
~ $ sudo find / -type d -iname '.Private' 2>/dev/null
/media/4fa4e92e-3532-48fd-a83d-6ea340a669b6/.ecryptfs/bob/.Private
So, in step 6, you will reboot and log in, it should ecryptfs-mount the folder you found at /home/$USER/ and there should be a .Private there linking to the folder you found. Otherwise just copy directly there instead.
Hello,
You have saved my life, man!
Thanks
Jean-Louis
From France
Good to know it worked for you. I quite didn’t for myself…
Recovered a bunch of screen captures from long distance Skype chats – lots of happy memories. Thanks so much!