Gentoo Forums
[HOWTO] ReiserFS undelete/data recovery

zeky
Guru

Joined: 24 Feb 2003
Posts: 470
Location: Vukojebina, Europe

Posted: Sun Jan 30, 2005 10:41 am    Post subject: [HOWTO] ReiserFS undelete/data recovery

Hello!

This is a howto guide and a success story of how i managed to delete 54 movies of 150 on my 120Gb hdd, ReiserFS :D

I searched the whole net to find some good answers, and here it is:

----

ReiserFS undelete/data recovery HOWTO


1. Once you realize that you've lost data, don't do anything else on that partition - you may cause that data to be overwritten by new data.
2. Unmount that partition. e.g., umount /mnt/public2
3. Find out what actual device this partition refers to. You can usually get this information from the file /etc/fstab. We'll assume here that the device is /dev/hdb1.
4. Run the command:

Code:
 reiserfsck --rebuild-tree -S -l /root/recovery.log /dev/hdb1


You need to be root to do this. Read the reiserfsck man page for what these options do and for more options. Some interesting options are '--rebuild-sb, --check'

After the command finishes, which might be a long time for a big partition, you can take a look at the logfile /root/recovery.log if you wish.
5. Mount your partition: mount /mnt/public2
6. Look for the lost+found directory in the root of the partition. Here, that would be: /mnt/public2/lost+found
7. This directory contains all the files that could be recovered. Unfortunately, the filenames are not preserved for a lot of files. You'll find some sub-directories - filenames within those are preserved!
8. Look through the files and copy back what you need.

NOTE: I just found this thread which warns of possible corruption of existing files on the partition. Essentially, the recovery process may take older (deleted) versions of a current file and try and merge it with the new file resulting in data corruption. As a safety measure, make a backup of important undamaged files on another partition before you carry out the above steps.

-------

So this is it. Some of this text is ripped from some web site. It's VERY useful and it worked in my case 100%.

Good luck! :D

The link to the original idea and its author can be found here.

EDIT: added link to the original site.

Last edited by zeky on Mon Jun 04, 2007 6:19 am; edited 1 time in total

carneboy
n00b

Joined: 11 May 2004
Posts: 63
Location: Riverside, CA

Posted: Sun Jun 05, 2005 5:26 am

Pay attention to the part about potential data corruption, my gentoo doesn't start anymore

graybeard
Tux's lil' helper

Joined: 16 Mar 2003
Posts: 118
Location: a blue state

Posted: Sun Jun 12, 2005 5:19 am

Just to add extra emphasis: me too. The recovery worked partially but it hosed my files. Fortunately I had a recent backup of almost everything. Beware, the warning above is not a joke!

drwook
Veteran

Joined: 30 Mar 2005
Posts: 1324
Location: London

Posted: Wed Jun 15, 2005 3:20 pm

I'd advise taking an image of the partition & working on the image if you're going to try this... Loopback is a wonderful thing ;)

DocterD
Tux's lil' helper

Joined: 15 May 2004
Posts: 129

Posted: Wed Jun 15, 2005 4:37 pm

carneboy wrote:
Pay attention to the part about potential data corruption, my gentoo doesn't start anymore


Happened to me too...

johntramp
Guru

Joined: 03 Feb 2004
Posts: 457
Location: New Zealand

Posted: Wed Jun 22, 2005 5:03 am

Hi, is it possible to do this on just the /home/ folder, which is on the same partition as / ?
Or does it need to do a whole partition at once?

XMyth
n00b

Joined: 27 Mar 2005
Posts: 28

Posted: Fri Jul 22, 2005 10:04 pm

Do you mean corruption could occur on files that you don't touch at all (i.e. the ones you DO NOT restore from lost+found ) or that the files in lost+found may be partially corrupt?

graybeard
Tux's lil' helper

Joined: 16 Mar 2003
Posts: 118
Location: a blue state

Posted: Sun Jul 24, 2005 2:35 am

I mean that lots of the files on the partition were corrupted. I could not tell which files were in lost+found because lost+found contained a long list of files that had lost their file names and so were assigned a numeric name. They had chunks of binary data in them that were useless. It appeared that there were lots more corrupted files than files in lost+found. Anyway I had hosed up my user files for no good reason. I ended up wiping the partition (it was /home) and restoring clean from backup.

collar
n00b

Joined: 29 Nov 2005
Posts: 3

Posted: Wed Nov 30, 2005 11:39 pm

IMHO the most powerful data recovery tools are Active@ undelete and Uneraser (DOS). They worked really great for me and were always able to recover all of the lost data.

http://www.active-undelete.com/

http://www.uneraser.com/

drwook
Veteran

Joined: 30 Mar 2005
Posts: 1324
Location: London

Posted: Thu Dec 01, 2005 4:08 pm

Neither of which support reiserfs (or any other linux/unix FS as far as I can see)

Also neither of which run natively on linux, and I certainly wouldn't trust a data recovery program running under a virtualiser/emulator.

So not sure how that comment is related to anything?

rada
Apprentice

Joined: 21 Oct 2005
Posts: 202
Location: Ottawa, Canada

Posted: Wed Dec 21, 2005 5:15 pm

drwook wrote:
I'd advise taking an image of the partition & working on the image if you're going to try this... Loopback is a wonderful thing ;)


How would I go about doing this?

drwook
Veteran

Joined: 30 Mar 2005
Posts: 1324
Location: London

Posted: Wed Dec 21, 2005 6:21 pm

something along the lines of
Code:
dd if=/dev/hdXY of=/tmp/image
should work. Obviously substituting the right /dev/ entry for your partition. You'll need enough free space to hold the image though, which will be the size of the partition :)

I have some vague recollection about using sparse files to save space when making an image, but probably not ideal if you want to use it for this anyway so stick with the above if I were you.

searcher
Apprentice

Joined: 13 Mar 2003
Posts: 175
Location: NL

Posted: Wed Dec 21, 2005 10:29 pm

I tried this on my home-dir once, but the --rebuild-tree completely hosed everything filename-wise, which made it a complete pain in the ass. Luckily I make a complete back-up every night of my homedir using rsnapshot. So this might seem a bit redundant, but the best undelete is probably a recent back-up. Either that or a RAID-1 mirror :-).

rada
Apprentice

Joined: 21 Oct 2005
Posts: 202
Location: Ottawa, Canada

Posted: Wed Dec 21, 2005 10:48 pm

I tried making an image and it seems it imaged the free space as well (thought it only needed to image the used space)... There's only 62gb used and 131gb free on my /home partition. Any way I can easily resize it? Thanks!

EDIT: I just realized... the dir I wanted to recover is located on /home but this file wrote all of the free space... is it still recoverable?

slycordinator
Advocate

Joined: 31 Jan 2004
Posts: 3065
Location: Korea

Posted: Thu Dec 22, 2005 7:48 am

rada wrote:
I tried making an image and it seems it imaged the free space as well (thought it only needed to image the used space)... There's only 62gb used and 131gb free on my /home partition. Any way I can easily resize it? Thanks!

EDIT: I just realized... the dir I wanted to recover is located on /home but this file wrote all of the free space... is it still recoverable?


Not really. "dd" copies EVERYTHING, including free space.

Before running "dd" like that what you should do is:
Code:
dd if=/dev/zero of=filler
rm filler


So now all of the free space will be written to with data of 0's and when you do the original "dd" command mentioned before, the free space that's read and written will contain 0's and will be marked as free space.

drwook
Veteran

Joined: 30 Mar 2005
Posts: 1324
Location: London

Posted: Thu Dec 22, 2005 11:05 pm

You sure about that Sly? I'm sure dd creates a literal copy, so I don't think there's any need to zero out the destination or anything.

Of course I have been wrong once or twice though :)

slycordinator
Advocate

Joined: 31 Jan 2004
Posts: 3065
Location: Korea

Posted: Fri Dec 23, 2005 12:13 am

drwook wrote:
You sure about that Sly? I'm sure dd creates a literal copy, so I don't think there's any need to zero out the destination or anything.


The problem is with the fact that dd does a literal copy.

Empty space isn't empty on disk. When you do "rm filename" nothing happens to the data. The data still exists on disk (it just isn't accessible through the file system anymore).

So when you use dd it copies every byte of the disk, including data residing in empty space. So if I didn't do the trick I mentioned earlier, using dd on a 100 gig HD (irrespective of how much data on it is valid) would create a cloned file of exactly 100 gigs.

Here's a short explanation of it:
http://www.feyrer.de/g4u/#shrinkimg
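
An added example, not part of any post in the thread, of the imaging step drwook recommends: it writes a compressed image, records a SHA-256 of the source, and only expands a working copy once the image verifies. gzip is an assumption here (it is what makes zero-filled free space cost almost nothing in the image); the function names and paths are made up for the example, and the losetup/reiserfsck lines in the closing comment are the ones posted elsewhere in this thread.

```shell
#!/bin/sh
# Added example: image a partition, keep the image compressed, and prove it
# matches the source before any repair tool runs. All paths are placeholders.

# sha256_of FILE_OR_DEVICE -> prints the hex digest only
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# verify_image IMAGE_GZ -> exit 0 only if the decompressed bytes hash to the
# digest recorded in IMAGE_GZ.sha256 (this also catches a truncated dd run)
verify_image() {
    want=$(cat "$1.sha256") || return 1
    got=$(gzip -dc "$1" | sha256sum | cut -d' ' -f1)
    [ "$want" = "$got" ]
}

# image_partition SOURCE IMAGE_GZ
# SOURCE must be unmounted so it cannot change between the two reads.
image_partition() {
    dd if="$1" bs=1M 2>/dev/null | gzip -c > "$2" || return 1
    sha256_of "$1" > "$2.sha256" || return 1
    verify_image "$2"
}

# working_copy IMAGE_GZ RAW_COPY
# Expands a verified image into a scratch file; repairs run on this copy only.
working_copy() {
    verify_image "$1" || { echo "image failed verification" >&2; return 1; }
    gzip -dc "$1" > "$2"
}

# Typical run, as root (device and paths are placeholders):
#   image_partition /dev/hdXY /mnt/spare/part.img.gz
#   working_copy /mnt/spare/part.img.gz /mnt/spare/work.raw
#   losetup /dev/loop5 /mnt/spare/work.raw
#   reiserfsck --rebuild-tree --scan-whole-partition /dev/loop5
#   mount /dev/loop5 /mnt/tmp
```

If the repair mangles the working copy, `working_copy` can be run again from the same image; the original partition is never written to.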

Bob P
Advocate

Joined: 20 Oct 2004
Posts: 3355
Location: Jackass! Development Labs

Posted: Fri Dec 23, 2005 4:18 am    Post subject: Re: [HOWTO] ReiserFS undelete/data recovery

zeky wrote:
ReiserFS undelete/data recovery HOWTO


1. Once you realize that you've lost data, don't do anything else on that partition - you may cause that data to be overwritten by new data.
2. Unmount that partition. e.g., umount /mnt/public2
3. Find out what actual device this partition refers to. You can usually get this information from the file /etc/fstab. We'll assume here that the device is /dev/hdb1.
4. Run the command:

Code:
 reiserfsck --rebuild-tree -S -l /root/recovery.log /dev/hdb1



I have to admit, I made a major mistake today and did an rm -fvr on the /var/www on my webserver. :oops: as soon as i realized what had happened, i flipped the Big Red Switch, booted to a Live CD and ran the reiserfsck command on my reiser 3.6 partition. what luck! when the command finished, all of my missing directories were right back where i was hoping they'd be! :D

Bob P
Advocate

Joined: 20 Oct 2004
Posts: 3355
Location: Jackass! Development Labs

Posted: Fri Dec 23, 2005 4:19 am

slycordinator wrote:
Before running "dd" like that what you should do is:
Code:
dd if=/dev/zero of=filler
rm filler


So now all of the free space will be written to with data of 0's and when you do the original "dd" command mentioned before, the free space that's read and written will contain 0's and will be marked as free space.


i suppose that doing that would also prevent a lot of crap from being deposited in /lost+found. :idea:

slycordinator
Advocate

Joined: 31 Jan 2004
Posts: 3065
Location: Korea

Posted: Fri Dec 23, 2005 7:23 pm

Bob P wrote:
slycordinator wrote:
Before running "dd" like that what you should do is:
Code:
dd if=/dev/zero of=filler
rm filler


So now all of the free space will be written to with data of 0's and when you do the original "dd" command mentioned before, the free space that's read and written will contain 0's and will be marked as free space.


i suppose that doing that would also prevent a lot of crap from being deposited in /lost+found. :idea:


Probably.

Hadn't thought of that. Seems obvious now (since some of the files in /lost+found are just old versions of the same file and/or deleted stuff).

drwook
Veteran

Joined: 30 Mar 2005
Posts: 1324
Location: London

Posted: Sat Dec 24, 2005 12:52 pm

I might be starting to wade out of my depth here... But if you're using the image for forensic purposes, surely the 'non-blank empty space' is generally the data you're actually after?

slycordinator
Advocate

Joined: 31 Jan 2004
Posts: 3065
Location: Korea

Posted: Sun Dec 25, 2005 8:14 pm

drwook wrote:
I might be starting to wade out of my depth here... But if you're using the image for forensic purposes, surely the 'non-blank empty space' is generally the data you're actually after?


What I was suggesting is doing that at some point BEFORE trying to do the data recovery.

So before you need to do the data recovery, you do what I mentioned. Then when you create an image for forensic purposes, it'll be smaller than if you hadn't done that trick.

drwook
Veteran

Joined: 30 Mar 2005
Posts: 1324
Location: London

Posted: Mon Dec 26, 2005 9:34 am

Heh, and before getting in to the situation of wanting to. Makes sense now, thanks :)

zurd
Apprentice

Joined: 17 Dec 2003
Posts: 228
Location: Canada, Montreal

Posted: Sun Jun 11, 2006 1:48 am

zeky :
Quote:
This is a howto guide and a success story of how i managed to delete 54 movies of 150 on my 120Gb hdd, ReiserFS

A howto for deleting files? You might want to click EDIT on that one ;)

So here's my story, I accidentally deleted just one small file of text, it's not a very important file, but still I would like to get it back again, so here's what I've done, first I found this on google :

Code:
from http://recover.sourceforge.net/unix/
Recovering files in Unix

If you really need to undelete a file, that's the way to do it:

grep -a -B[size before] -A[size after] 'text' /dev/[your_partition]

Replace [size before], [size after] and [your_partition] with something meaningful. Don't know what your partition is? Read the Linux undelete manual!

e.g.: If you want to undelete a letter (+- 200 lines) starting with "Hi mum" which was stored on /dev/hda1 you can try:

grep -a -B2 -A200 "Hi mum" /dev/hda1

Make sure you do this as root (System administrator)

Read the grep manual page for more information!

Read your unix's manual. Perhaps it contains an own undeletion program.


Then from this post : https://forums.gentoo.org/viewtopic.php?t=130859&highlight=reiser#824980
The guy is using the same strategy as this howto here, but you don't have to lose/corrupt your partition, you're making a backup first then you mount it, very nice!

Code:
dd if=/dev/hda1 of=/tmp/backup.dsk
losetup /dev/loop5 /tmp/backup.dsk

reiserfsck --rebuild-tree --scan-whole-partition /dev/loop5
mount /dev/loop5 /mnt/tmp


Unfortunately, the first method was unsuccessful, then the second method it created 11,000 files in lost+found and searching through them is really time consuming. But with the 3rd method I got an old copy of my file, which is fine!

Code:
cat /dev/hdaX | strings > /here/some_large_dumpfile


Then just "cat -n some_large_dumpfile" and grep the text you're searching for, then following the line just cat it again with head and then tail to get a small file to look through. Very convenient! :)

And now I'm doing this on my partitions : dd if=/dev/zero of=filler
Just to get rid of everything that was still on my hard disk, it's incredible the old stuff I found on it ;)

skybaba
n00b

Joined: 03 Nov 2006
Posts: 3
Location: London

Posted: Fri Nov 03, 2006 10:20 am    Post subject: zurd's third undelete solution

Quote:
Then just "cat -n some_large_dumpfile" and grep the text you're searching for, then following the line just cat it again with head and then tail to get a small file to look through.

I have successfully followed your third method to 'cat' the partition, and grep. Now I have a huge dumpfile and can see the files I need - gnucash accounts registers and reports. Could you please explain how to extract them? I do not yet understand what the headers and tails look like, or what I should be looking for. Excuse my ignorance. I want to select a group of about 50-100 files and send them to another folder.
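
An added example, not part of any post in the thread, of the extraction step zurd describes and skybaba asks about: find the byte offset of a known phrase in the image, then cut out only the bytes around each hit into its own file. It assumes GNU grep (for -b together with -o) and uses tr where the thread uses strings; the function names and paths are made up for the example.

```shell
#!/bin/sh
# Added example: find a known phrase in a raw image by byte offset and cut out
# only the bytes around each hit. Run it on an image file, not the live disk.

# find_offsets IMAGE PHRASE -> one byte offset per line
# (GNU grep: -b together with -o reports the offset of the match itself)
find_offsets() {
    LC_ALL=C grep -a -b -o -F -e "$2" "$1" | cut -d: -f1
}

# carve IMAGE OFFSET BEFORE AFTER -> raw bytes OFFSET-BEFORE .. OFFSET+AFTER
carve() {
    start=$(( $2 - $3 ))
    if [ "$start" -lt 0 ]; then start=0; fi
    len=$(( $2 + $4 - start ))
    tail -c +"$(( start + 1 ))" "$1" | head -c "$len"
}

# recover_text IMAGE PHRASE BEFORE AFTER OUTDIR -> prints the number of hits
# Writes OUTDIR/hit_<offset>.txt per hit; tr drops non-printable bytes, doing
# the job "strings" does in the thread.
recover_text() {
    mkdir -p "$5" || return 1
    hits=0
    for off in $(find_offsets "$1" "$2"); do
        carve "$1" "$off" "$3" "$4" | LC_ALL=C tr -cd '\11\12\15\40-\176' \
            > "$5/hit_$off.txt"
        hits=$(( hits + 1 ))
    done
    echo "$hits"
}

# Example call (paths are placeholders): 2 KiB before and 64 KiB after each hit
#   recover_text /mnt/spare/work.raw "Hi mum" 2048 65536 /mnt/spare/carved
```

Each hit lands in a separate file named after its offset, so old and new versions of the same document can be compared side by side and the wanted ones copied to another folder.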