[HOWTO] ReiserFS undelete/data recovery

[zeky]

Hello!

This is a howto guide and a success story of how i managed to delete 54 movies of 150 on my 120Gb hdd, ReiserFS

I searched the whole net to find some good answers, and here it is:

----

ReiserFS undelete/data recovery HOWTO


1. Once you realize that you've lost data, don't do anything else on that partition - you may cause that data to be overwritten by new data.
2. Unmount that partition. e.g., umount /mnt/public2
3. Find out what actual device this partition refers to. You can usually get this information from the file /etc/fstab. We'll assume here that the device is /dev/hdb1.
4. Run the command:

Code: Select all

 reiserfsck --rebuild-tree -S -l /root/recovery.log /dev/hdb1

You need to be root to do this. Read the reiserfsck man page for what these options do and for more options. Some interesting options are '--rebuild-sb, --check'

After the command finishes, which might be a long time for a big partition, you can take a look at the logfile /root/recovery.log if you wish.
5. Mount your partition: mount /mnt/public2
6. Look for the lost+found directory in the root of the partition. Here, that would be: /mnt/public2/lost+found
7. This directory contains all the files that could be recovered. Unfortunately, the filenames are not preserved for a lot of files. You'll find some sub-directories - filenames withing those are preserved!
8. Look through the files and copy back what you need.

NOTE: I just found this thread which warns of possible corruption of existing files on the partition. Essentially, the recovery process may take older (deleted) versions of a current file and try and merge it with the new file resulting in data corruption. As a safety measure, make a backup of important undamaged files on another partition before you carry out the above steps.

-------

So this is it. Some of this text is ripped from some web site. It's VERY usefull and it worked in my case 100%.

Good luck!

The link to the original idea and it's author can be found here.

EDIT: added link to the original site.

[carneboy]

Pay attention to the part about potential data corruption, my gentoo doesn't start anymore

[graybeard]

Just to add extra emphasis: me too. The recovery worked partially but it hosed my files. Fortunately I had a recent backup of almost everything. Beware, the warning above is not a joke!

[drwook]

I'd advise taking an image of the partition & working on the image if you're going to try this... Loopback is a wonderful thing

[DocterD]

Pay attention to the part about potential data corruption, my gentoo doesn't start anymore

Happened to me too...

[johntramp]

Hi, is it possible to do this on just the /home/ folder, which is on the same partition as / ?
Or does it need to do a whole partition at once?

[XMyth]

Do you mean corruption could occur on files that you don't touch at all (i.e. the ones you DO NOT restore from lost+found ) or that the files in lost+found may be partially corrupt?

[graybeard]

I mean that lots of the files on the partition were corrupted. I could not tell which files were in lost+found because lost+found contained a long list of files that had lost their file names and so were assigned a numeric name. They had chucks of binary data in them that were useless. It appeared that there were lots more corrupted files than files in lost+found. Anyway I had hosed up my user files for no good reason. I ended up wiping the partition (it was /home) and restoring clean from backup.

[collar]

IHMO the most powerful data recovery tools are Active@ undelete and Uneraser (DOS). They worked really great for me and were always able to recover all of the lost data.

http://www.active-undelete.com/

http://www.uneraser.com/

[drwook]

Neither of which support reiserfs (or any other linux/unix FS as far as I can see)

Also neither of which run natively on linux, and I certainly wouldn't trust a data recovery program running under a virtualiser/emulator.

So not sure how that comment is related to anything?

[rada]

I'd advise taking an image of the partition & working on the image if you're going to try this... Loopback is a wonderful thing

How would I go about doing this?

[drwook]

something along the lines of

Code: Select all

dd if=/dev/hdXY of=/tmp/image

should work. Obviously substituting the right /dev/ entry for your partition. You'll need enough free space to hold the image though, which will be the size of the partition

I have some vague recollection about using sparse files to save space when making an image, but probably not ideal if you want to use it for this anyway so stick with the above if I were you.

[searcher]

I tried this one my home-dir once, but the --rebuild-tree completely hosed everything filename-wise, which made it a complete pain in the ass. Luckily i make a complete back-up every night of my homedir using rsnapshot. So this might seem a bit redundant, but the best undelete is probably a recent back-up. Either that or a RAID-1 mirror .

[rada]

I tried making an image and it seems it imaged the free space as well (thought it only needed to image the used space)... Theres only 62gb used and 131gb free on my /home partition. Any way I can easily resize it? Thanks!

EDIT: I just realized... the dir i wanted to recover is located on /home but this file wrote all of the free space... is it still recoverable?

[slycordinator]

I tried making an image and it seems it imaged the free space as well (thought it only needed to image the used space)... Theres only 62gb used and 131gb free on my /home partition. Any way I can easily resize it? Thanks!

EDIT: I just realized... the dir i wanted to recover is located on /home but this file wrote all of the free space... is it still recoverable?

Not really. "dd" copies EVERYTHING, including free space.

Before running "dd" like that what you should do is:

Code: Select all

dd if=/dev/zero of=filler
rm filler

So now all of the free space will be written to with data of 0's and when you do the original "dd" command mentioned before, the free space that's read and written will contain 0's and will be marked as free space.

[drwook]

You sure about that Sly? I'm sure dd creates a literal copy, so I don't think there's any need to zero out the destination or anything.

Of course I have been wrong once or twice though

[slycordinator]

You sure about that Sly? I'm sure dd creates a literal copy, so I don't think there's any need to zero out the destination or anything.

The problem is with the fact that dd does a literal copy.

Empty space isn't empty on disk. When you do "rm filename" nothing happens to the data. The data still exists on disk (it just isn't accessible through the file system anymore).

So when you use dd it copies every byte of the disk, including data residing in empty space. So if I didn't do the trick I mentioned earlier, using dd on a 100 gig HD (irrespective to how much data on it is valid) would create a cloned file of exactly 100 gigs.

Here's a short explanation of it:
http://www.feyrer.de/g4u/#shrinkimg

[Bob P]

ReiserFS undelete/data recovery HOWTO


1. Once you realize that you've lost data, don't do anything else on that partition - you may cause that data to be overwritten by new data.
2. Unmount that partition. e.g., umount /mnt/public2
3. Find out what actual device this partition refers to. You can usually get this information from the file /etc/fstab. We'll assume here that the device is /dev/hdb1.
4. Run the command:

Code: Select all

 reiserfsck --rebuild-tree -S -l /root/recovery.log /dev/hdb1

I have to admit, I made a major mistake today and did an rm -fvr on the /var/www on my webserver. as soon as i realized what had happened, i flipped the Big Red Switch, booted to a Live CD and ran the reiserfsck command on my reiser 3.6 partition. what luck! when the command finished, all of my missing directories were right back where i was hoping they'd be!

[Bob P]

Before running "dd" like that what you should do is:

Code: Select all

dd if=/dev/zero of=filler
rm filler

So now all of the free space will be written to with data of 0's and when you do the original "dd" command mentioned before, the free space that's read and written will contain 0's and will be marked as free space.

i suppose that doing that would also prevent alot of crap from being deposited in /lost+found.

[slycordinator]

Before running "dd" like that what you should do is:

Code: Select all

dd if=/dev/zero of=filler
rm filler

So now all of the free space will be written to with data of 0's and when you do the original "dd" command mentioned before, the free space that's read and written will contain 0's and will be marked as free space.

i suppose that doing that would also prevent alot of crap from being deposited in /lost+found.

Probably.

Hadn't thought of that. Seems obvious now (since some of the files in /lost+found are just old versions of the same file and/or deleted stuff).

[drwook]

I might be starting to wade out of my depth here... But if you're using the image for forensic purposes, surely the 'non-blank empty space' is generally the data you're actually after?

[slycordinator]

I might be starting to wade out of my depth here... But if you're using the image for forensic purposes, surely the 'non-blank empty space' is generally the data you're actually after?

What I was suggesting is doing that at some point BEFORE trying to do the data recovery.

So before you need to do the data recovery, you do what I mentioned. Then when you create an image for forensic purposes, it'll be smaller than if you hadn't done that trick.

[drwook]

Heh, and before getting in to the situation of wanting to. Makes sense now, thanks

[zurd]

zeky :

This is a howto guide and a success story of how i managed to delete 54 movies of 150 on my 120Gb hdd, ReiserFS

An howto for deleting files? You might want to click EDIT on that one

So here's my story, I accidentally deleted just one small file of text, it's not a very important file, but still I would like to get it back again, so here's what I've done, first I found this on google :

Code: Select all

from http://recover.sourceforge.net/unix/
Recovering files in Unix

If you really need to undelete a file, that's the way to do it:

grep -a -B[size before] -A[size after] 'text' /dev/[your_partition]

Replace [size before], [size after] and [your_partition] with something meaningfull. Don't know what your partition is? Read the Linux undelete manual!

e.g.: If you want to undelete a letter (+- 200 lines) starting with "Hi mum" which was stored on /dev/hda1 you can try:

grep -a -B2 -A200 "Hi mum" /dev/hda1

Make sure you do this as root (System administrator)

Read the grep manual page for more information!

Read your unix's manual. Perhaps it contains an own undeletion program.

Then from this post : http://forums.gentoo.org/viewtopic.php? ... ser#824980
The guy is using the same strategy as this howto here, but you don't have to lose/corrupt your partition, you're making a backup first then you mount it, very nice!

Code: Select all

dd if=/dev/hda1 of=/tmp/backup.dsk
losetup /dev/loop5 /tmp/backup.dsk

reiserfsck --rebuild-tree --scan-whole-partition /dev/loop5
mount /dev/loop5 /mnt/tmp

Unfortunately, the first method was unsuccesful, then the second method it created 11,000 files in lost+found and searching through them is really time consuming. But with the 3rd method I got an old copy of my file, which is fine!

Code: Select all

cat /dev/hdaX | strings > /here/some_large_dumpfile

Then just "cat -n some_large_dumpfile" and grep the text you're searching for, then following the line just cat it again with head and then tail to get a small file to look through. Very convenient!

And now I'm doing this on my partitions : dd if=/dev/zero of=filler
Just to get rid of everything that was still on my hard disk, it's incredible the old stuff I found on it

[skybaba]

Then just "cat -n some_large_dumpfile" and grep the text you're searching for, then following the line just cat it again with head and then tail to get a small file to look through.

[post=]I have successfully followed your third method to 'cat' the partition, and grep. Now i have a huge dumpfile and can see the files I need - gnucash accounts registers and reports. Could you please explain how to extract them? I do not yet understand what the headers and tails look like, or what I should be looking for. Excuse my ignorance. I want to select a group of about 50-100 ifles and send them to another folder.[/post]