View previous topic :: View next topic |
Author |
Message |
zeky Guru
Joined: 24 Feb 2003 Posts: 470 Location: Vukojebina, Europe
|
Posted: Sun Jan 30, 2005 10:41 am Post subject: [HOWTO] ReiserFS undelete/data recovery |
|
|
Hello!
This is a howto guide and a success story of how i managed to delete 54 movies of 150 on my 120Gb hdd, ReiserFS
I searched the whole net to find some good answers, and here it is:
----
ReiserFS undelete/data recovery HOWTO
1. Once you realize that you've lost data, don't do anything else on that partition - you may cause that data to be overwritten by new data.
2. Unmount that partition. e.g., umount /mnt/public2
3. Find out what actual device this partition refers to. You can usually get this information from the file /etc/fstab. We'll assume here that the device is /dev/hdb1.
4. Run the command:
Code: | reiserfsck --rebuild-tree -S -l /root/recovery.log /dev/hdb1 |
You need to be root to do this. Read the reiserfsck man page for what these options do and for more options. Some interesting options are '--rebuild-sb, --check'
After the command finishes, which might be a long time for a big partition, you can take a look at the logfile /root/recovery.log if you wish.
5. Mount your partition: mount /mnt/public2
6. Look for the lost+found directory in the root of the partition. Here, that would be: /mnt/public2/lost+found
7. This directory contains all the files that could be recovered. Unfortunately, the filenames are not preserved for a lot of files. You'll find some sub-directories - filenames withing those are preserved!
8. Look through the files and copy back what you need.
NOTE: I just found this thread which warns of possible corruption of existing files on the partition. Essentially, the recovery process may take older (deleted) versions of a current file and try and merge it with the new file resulting in data corruption. As a safety measure, make a backup of important undamaged files on another partition before you carry out the above steps.
-------
So this is it. Some of this text is ripped from some web site. It's VERY usefull and it worked in my case 100%.
Good luck!
The link to the original idea and it's author can be found here.
EDIT: added link to the original site. _________________ Beat your dick like it owes you money
Last edited by zeky on Mon Jun 04, 2007 6:19 am; edited 1 time in total |
|
Back to top |
|
|
carneboy n00b
Joined: 11 May 2004 Posts: 63 Location: Riverside, CA
|
Posted: Sun Jun 05, 2005 5:26 am Post subject: |
|
|
Pay attention to the part about potential data corruption, my gentoo doesn't start anymore |
|
Back to top |
|
|
graybeard Tux's lil' helper
Joined: 16 Mar 2003 Posts: 118 Location: a blue state
|
Posted: Sun Jun 12, 2005 5:19 am Post subject: |
|
|
Just to add extra emphasis: me too. The recovery worked partially but it hosed my files. Fortunately I had a recent backup of almost everything. Beware, the warning above is not a joke! |
|
Back to top |
|
|
drwook Veteran
Joined: 30 Mar 2005 Posts: 1324 Location: London
|
Posted: Wed Jun 15, 2005 3:20 pm Post subject: |
|
|
I'd advise taking an image of the partition & working on the image if you're going to try this... Loopback is a wonderful thing |
|
Back to top |
|
|
DocterD Tux's lil' helper
Joined: 15 May 2004 Posts: 129
|
Posted: Wed Jun 15, 2005 4:37 pm Post subject: |
|
|
carneboy wrote: | Pay attention to the part about potential data corruption, my gentoo doesn't start anymore |
Happened to me too... |
|
Back to top |
|
|
johntramp Guru
Joined: 03 Feb 2004 Posts: 457 Location: New Zealand
|
Posted: Wed Jun 22, 2005 5:03 am Post subject: |
|
|
Hi, is it possible to do this on just the /home/ folder, which is on the same partition as / ?
Or does it need to do a whole partition at once? |
|
Back to top |
|
|
XMyth n00b
Joined: 27 Mar 2005 Posts: 28
|
Posted: Fri Jul 22, 2005 10:04 pm Post subject: |
|
|
Do you mean corruption could occur on files that you don't touch at all (i.e. the ones you DO NOT restore from lost+found ) or that the files in lost+found may be partially corrupt? |
|
Back to top |
|
|
graybeard Tux's lil' helper
Joined: 16 Mar 2003 Posts: 118 Location: a blue state
|
Posted: Sun Jul 24, 2005 2:35 am Post subject: |
|
|
I mean that lots of the files on the partition were corrupted. I could not tell which files were in lost+found because lost+found contained a long list of files that had lost their file names and so were assigned a numeric name. They had chucks of binary data in them that were useless. It appeared that there were lots more corrupted files than files in lost+found. Anyway I had hosed up my user files for no good reason. I ended up wiping the partition (it was /home) and restoring clean from backup. |
|
Back to top |
|
|
collar n00b
Joined: 29 Nov 2005 Posts: 3
|
|
Back to top |
|
|
drwook Veteran
Joined: 30 Mar 2005 Posts: 1324 Location: London
|
Posted: Thu Dec 01, 2005 4:08 pm Post subject: |
|
|
Neither of which support reiserfs (or any other linux/unix FS as far as I can see)
Also neither of which run natively on linux, and I certainly wouldn't trust a data recovery program running under a virtualiser/emulator.
So not sure how that comment is related to anything? |
|
Back to top |
|
|
rada Apprentice
Joined: 21 Oct 2005 Posts: 202 Location: Ottawa, Canada
|
Posted: Wed Dec 21, 2005 5:15 pm Post subject: |
|
|
drwook wrote: | I'd advise taking an image of the partition & working on the image if you're going to try this... Loopback is a wonderful thing |
How would I go about doing this? |
|
Back to top |
|
|
drwook Veteran
Joined: 30 Mar 2005 Posts: 1324 Location: London
|
Posted: Wed Dec 21, 2005 6:21 pm Post subject: |
|
|
something along the lines of Code: | dd if=/dev/hdXY of=/tmp/image | should work. Obviously substituting the right /dev/ entry for your partition. You'll need enough free space to hold the image though, which will be the size of the partition
I have some vague recollection about using sparse files to save space when making an image, but probably not ideal if you want to use it for this anyway so stick with the above if I were you. |
|
Back to top |
|
|
searcher Apprentice
Joined: 13 Mar 2003 Posts: 175 Location: NL
|
Posted: Wed Dec 21, 2005 10:29 pm Post subject: |
|
|
I tried this one my home-dir once, but the --rebuild-tree completely hosed everything filename-wise, which made it a complete pain in the ass. Luckily i make a complete back-up every night of my homedir using rsnapshot. So this might seem a bit redundant, but the best undelete is probably a recent back-up. Either that or a RAID-1 mirror . _________________ You are unique ... just like everyone else. |
|
Back to top |
|
|
rada Apprentice
Joined: 21 Oct 2005 Posts: 202 Location: Ottawa, Canada
|
Posted: Wed Dec 21, 2005 10:48 pm Post subject: |
|
|
I tried making an image and it seems it imaged the free space as well (thought it only needed to image the used space)... Theres only 62gb used and 131gb free on my /home partition. Any way I can easily resize it? Thanks!
EDIT: I just realized... the dir i wanted to recover is located on /home but this file wrote all of the free space... is it still recoverable? |
|
Back to top |
|
|
slycordinator Advocate
Joined: 31 Jan 2004 Posts: 3065 Location: Korea
|
Posted: Thu Dec 22, 2005 7:48 am Post subject: |
|
|
rada wrote: | I tried making an image and it seems it imaged the free space as well (thought it only needed to image the used space)... Theres only 62gb used and 131gb free on my /home partition. Any way I can easily resize it? Thanks!
EDIT: I just realized... the dir i wanted to recover is located on /home but this file wrote all of the free space... is it still recoverable? |
Not really. "dd" copies EVERYTHING, including free space.
Before running "dd" like that what you should do is:
Code: | dd if=/dev/zero of=filler
rm filler |
So now all of the free space will be written to with data of 0's and when you do the original "dd" command mentioned before, the free space that's read and written will contain 0's and will be marked as free space. |
|
Back to top |
|
|
drwook Veteran
Joined: 30 Mar 2005 Posts: 1324 Location: London
|
Posted: Thu Dec 22, 2005 11:05 pm Post subject: |
|
|
You sure about that Sly? I'm sure dd creates a literal copy, so I don't think there's any need to zero out the destination or anything.
Of course I have been wrong once or twice though |
|
Back to top |
|
|
slycordinator Advocate
Joined: 31 Jan 2004 Posts: 3065 Location: Korea
|
Posted: Fri Dec 23, 2005 12:13 am Post subject: |
|
|
drwook wrote: | You sure about that Sly? I'm sure dd creates a literal copy, so I don't think there's any need to zero out the destination or anything. |
The problem is with the fact that dd does a literal copy.
Empty space isn't empty on disk. When you do "rm filename" nothing happens to the data. The data still exists on disk (it just isn't accessible through the file system anymore).
So when you use dd it copies every byte of the disk, including data residing in empty space. So if I didn't do the trick I mentioned earlier, using dd on a 100 gig HD (irrespective to how much data on it is valid) would create a cloned file of exactly 100 gigs.
Here's a short explanation of it:
http://www.feyrer.de/g4u/#shrinkimg |
|
Back to top |
|
|
Bob P Advocate
Joined: 20 Oct 2004 Posts: 3355 Location: Jackass! Development Labs
|
Posted: Fri Dec 23, 2005 4:18 am Post subject: Re: [HOWTO] ReiserFS undelete/data recovery |
|
|
zeky wrote: | ReiserFS undelete/data recovery HOWTO
1. Once you realize that you've lost data, don't do anything else on that partition - you may cause that data to be overwritten by new data.
2. Unmount that partition. e.g., umount /mnt/public2
3. Find out what actual device this partition refers to. You can usually get this information from the file /etc/fstab. We'll assume here that the device is /dev/hdb1.
4. Run the command:
Code: | reiserfsck --rebuild-tree -S -l /root/recovery.log /dev/hdb1 |
|
I have to admit, I made a major mistake today and did an rm -fvr on the /var/www on my webserver. as soon as i realized what had happened, i flipped the Big Red Switch, booted to a Live CD and ran the reiserfsck command on my reiser 3.6 partition. what luck! when the command finished, all of my missing directories were right back where i was hoping they'd be! _________________ .
Stage 1/3 | Jackass! | Rockhopper! | Thanks | Google Sucks |
|
Back to top |
|
|
Bob P Advocate
Joined: 20 Oct 2004 Posts: 3355 Location: Jackass! Development Labs
|
Posted: Fri Dec 23, 2005 4:19 am Post subject: |
|
|
slycordinator wrote: | Before running "dd" like that what you should do is:
Code: | dd if=/dev/zero of=filler
rm filler |
So now all of the free space will be written to with data of 0's and when you do the original "dd" command mentioned before, the free space that's read and written will contain 0's and will be marked as free space. |
i suppose that doing that would also prevent alot of crap from being deposited in /lost+found. _________________ .
Stage 1/3 | Jackass! | Rockhopper! | Thanks | Google Sucks |
|
Back to top |
|
|
slycordinator Advocate
Joined: 31 Jan 2004 Posts: 3065 Location: Korea
|
Posted: Fri Dec 23, 2005 7:23 pm Post subject: |
|
|
Bob P wrote: | slycordinator wrote: | Before running "dd" like that what you should do is:
Code: | dd if=/dev/zero of=filler
rm filler |
So now all of the free space will be written to with data of 0's and when you do the original "dd" command mentioned before, the free space that's read and written will contain 0's and will be marked as free space. |
i suppose that doing that would also prevent alot of crap from being deposited in /lost+found. |
Probably.
Hadn't thought of that. Seems obvious now (since some of the files in /lost+found are just old versions of the same file and/or deleted stuff). |
|
Back to top |
|
|
drwook Veteran
Joined: 30 Mar 2005 Posts: 1324 Location: London
|
Posted: Sat Dec 24, 2005 12:52 pm Post subject: |
|
|
I might be starting to wade out of my depth here... But if you're using the image for forensic purposes, surely the 'non-blank empty space' is generally the data you're actually after? |
|
Back to top |
|
|
slycordinator Advocate
Joined: 31 Jan 2004 Posts: 3065 Location: Korea
|
Posted: Sun Dec 25, 2005 8:14 pm Post subject: |
|
|
drwook wrote: | I might be starting to wade out of my depth here... But if you're using the image for forensic purposes, surely the 'non-blank empty space' is generally the data you're actually after? |
What I was suggesting is doing that at some point BEFORE trying to do the data recovery.
So before you need to do the data recovery, you do what I mentioned. Then when you create an image for forensic purposes, it'll be smaller than if you hadn't done that trick. |
|
Back to top |
|
|
drwook Veteran
Joined: 30 Mar 2005 Posts: 1324 Location: London
|
Posted: Mon Dec 26, 2005 9:34 am Post subject: |
|
|
Heh, and before getting in to the situation of wanting to. Makes sense now, thanks |
|
Back to top |
|
|
zurd Apprentice
Joined: 17 Dec 2003 Posts: 228 Location: Canada, Montreal
|
Posted: Sun Jun 11, 2006 1:48 am Post subject: |
|
|
zeky :
Quote: | This is a howto guide and a success story of how i managed to delete 54 movies of 150 on my 120Gb hdd, ReiserFS |
An howto for deleting files? You might want to click EDIT on that one
So here's my story, I accidentally deleted just one small file of text, it's not a very important file, but still I would like to get it back again, so here's what I've done, first I found this on google :
Code: | from http://recover.sourceforge.net/unix/
Recovering files in Unix
If you really need to undelete a file, that's the way to do it:
grep -a -B[size before] -A[size after] 'text' /dev/[your_partition]
Replace [size before], [size after] and [your_partition] with something meaningfull. Don't know what your partition is? Read the Linux undelete manual!
e.g.: If you want to undelete a letter (+- 200 lines) starting with "Hi mum" which was stored on /dev/hda1 you can try:
grep -a -B2 -A200 "Hi mum" /dev/hda1
Make sure you do this as root (System administrator)
Read the grep manual page for more information!
Read your unix's manual. Perhaps it contains an own undeletion program. |
Then from this post : https://forums.gentoo.org/viewtopic.php?t=130859&highlight=reiser#824980
The guy is using the same strategy as this howto here, but you don't have to lose/corrupt your partition, you're making a backup first then you mount it, very nice!
Code: | dd if=/dev/hda1 of=/tmp/backup.dsk
losetup /dev/loop5 /tmp/backup.dsk
reiserfsck --rebuild-tree --scan-whole-partition /dev/loop5
mount /dev/loop5 /mnt/tmp |
Unfortunately, the first method was unsuccesful, then the second method it created 11,000 files in lost+found and searching through them is really time consuming. But with the 3rd method I got an old copy of my file, which is fine!
Code: | cat /dev/hdaX | strings > /here/some_large_dumpfile |
Then just "cat -n some_large_dumpfile" and grep the text you're searching for, then following the line just cat it again with head and then tail to get a small file to look through. Very convenient!
And now I'm doing this on my partitions : dd if=/dev/zero of=filler
Just to get rid of everything that was still on my hard disk, it's incredible the old stuff I found on it |
|
Back to top |
|
|
skybaba n00b
Joined: 03 Nov 2006 Posts: 3 Location: London
|
|
Back to top |
|
|
|