http://extundelete.sourceforge.net/
About extundelete
extundelete is a utility that can recover deleted files from an ext3 or ext4 partition. The ext3 file system is the most common file system when using Linux, and ext4 is its successor. extundelete uses the information stored in the partition’s journal to attempt to recover a file that has been deleted from the partition. There is no guarantee that any particular file will be able to be undeleted, so always try to have a good backup system in place, or at least put one in place after recovering your files!
Download the latest version
The latest version of extundelete is 0.2.0, which was released in May 2010. Click the link to download extundelete. For information about old versions of extundelete, or to download the previous version, see the old extundelete information page. For brief descriptions of the various options the program understands, see the extundelete command-line options summary. Binary packages are available for some distributions, but may not have the latest version. To take advantage of the latest features and bug fixes, read the notes on compiling and using the program below. The first version of extundelete was released in April 2009.
Why use extundelete?
If you have deleted files from an ext4 file system, the choice is easy: extundelete is the first and only program able to restore both the contents and the file name of a deleted file. If the partition you have deleted files from is an ext3 file system, extundelete still has several advantages over ext3grep. extundelete is able to restore a file immediately after parsing the journal file. ext3grep parses the entire hard drive before it begins to restore files from the hard disk. The ext3grep method is efficient for restoring many files from a small partition. extundelete is designed to be faster if you need to restore files from a large partition. Also, because extundelete uses the ext2fs library, many features of the ext3 or ext4 filesystems will be automatically supported by extundelete if it is compiled and run with a version of the ext2fs library that supports those features.
Documentation
How to compile and install extundelete
To compile and install this program, you must first install the binary and development packages for e2fsprogs and e2fslibs. You must also have installed a C++ compiler and a make utility to be able to compile extundelete. If any of the above conditions are not met, the configure step (below) will not complete successfully. For ext4 support, ensure you have e2fsprogs version 1.41 or newer (which may be found by running the command ‘dumpe2fs’ and noting the version it outputs).
To compile extundelete, extract the contents of the downloaded file, which creates a directory with the program name and version. From that directory, execute the configure script by typing “./configure” in the terminal window. If the configuration step does not end in error, continue by entering the command “make” and waiting for compilation to complete. When make successfully completes, an executable file called “extundelete” resides in the “src” directory, which you can use directly, or you can enter the command “make install” to install extundelete where the terminal can easily find it.
How to use extundelete
extundelete is designed to undelete files from an unmounted partition to a separate (mounted) partition. extundelete will restore any files it finds to a subdirectory of the current directory named “RECOVERED_FILES”. To run the program, type “extundelete --help” to see various options available to you.
Typical usage to restore all deleted files from a partition looks like this:
$ extundelete /dev/sda4 --restore-all
It is normal for extundelete to appear to pause (while reading from the disk) for a minute or longer; during this time, the program is reading the directory structure and looking for a recoverable file within it. To restore important files quickly, you may use the --restore-file, --restore-files, or --restore-directory options.
If you have questions or comments about using extundelete or how to recover your lost files, or to report a success/failure of your recovery efforts with this utility, send a note to the extundelete mailing list.
What to do if you’ve deleted a file (or multiple files)
Do not save any more data to the partition with the deleted file for any reason! Doing so may overwrite your deleted data and sabotage any recovery effort. Typically, background processes will periodically write to disk, so work quickly until the partition is unmounted.
If you think the file may be still open by some program (for example, if it is a movie file currently being played by a movie player), and you know the filename, then first follow this procedure:
$ lsof|grep "/path/to/file"
progname 5559 user 22r REG 8,5 1282410 1294349 /path/to/file
Notice the number in the second column is 5559 and the number in the fourth column is 22. The command to restore that file is:
$ cp /proc/5559/fd/22 restored.file
If lsof doesn’t find your file, then immediately remount the partition read-only:
$ mount -o remount,ro /dev/partition
or unmount the partition:
$ umount /dev/partition
Typically, you would replace “partition” in the above examples by a device name like “sda4” or “hdb7”. When either of those commands successfully completes, you can now take the next steps leisurely – you will no longer make anything worse by waiting. If you would like to make a backup of your partition, you may do so by a command such as:
$ dd bs=4M if=/dev/partition of=partition.backup
Now is the time to run extundelete, which you may safely run on either the backup you may have made above or the raw device, as long as it is not mounted (or mounted read-only). See the section above for details on how to use this program.
If extundelete was unable to recover your files, and you are using an ext3 partition, then you may try to recover your files with debugfs, a tool included with the e2fsprogs distribution. If you unmounted the partition before the file system got a chance to fully delete the files you are interested in, running debugfs may allow you to recover the files before the file system deletes them (which it may do the next time the partition is mounted). The ‘dump’ and ‘rdump’ commands in debugfs may be useful to you for these purposes.
If you were unable to recover your files using extundelete or debugfs, and you are using an ext3 partition, then you may try to recover your files with ext3grep. The generation of ext3grep’s stage2 cache file depends on the size and speed of your hard drive’s partition, with typical speeds close to one minute for every 2 GB (30 s per GB, or 8 hours per TB).
If the above options didn’t recover your files, then you may try a program that searches for identifying patterns throughout the entire partition, like foremost, scalpel, or Photorec. ext3grep’s --search options may also be used for this purpose.
Understanding the ext3 filesystem
This section lists resources about the extended filesystem families (ext2/3/4), which will be useful for those wanting to understand more about how the filesystem functions and how extundelete is able to undelete a file.
- Information about the ext2 filesystem
- e2fsprogs: the standard utilities for ext2/3/4 filesystems
- Carlo Wood’s explanation of the ext3 filesystem and ext3grep
- Why recovering a deleted ext3 file is difficult
How extundelete works
extundelete uses some concepts and code first shown to be successful by the ext3grep program. extundelete is able to recover the contents of an inode by searching the file system’s journal for an old copy of that inode. It then uses that information to determine the file’s location within the file system. Then, extundelete reads the corresponding blocks and copies them to a file in the recovery directory.
extundelete is able to match the inode number of a file to a file name by searching the deleted entries in a directory, which are often left behind after deleting the file. If the deleted entry does not exist in the directory in the file system, extundelete will look for a match in older copies which are still in the journal.
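The name-matching step described above can be illustrated on a single directory block. This is an added example, not extundelete's code: it assumes the standard ext2/ext3 linear directory entry layout with the filetype feature (4-byte inode, 2-byte rec_len, 1-byte name_len, 1-byte file_type, then the name), in which deleting an entry only enlarges the previous entry's rec_len. The block contents, file names and inode numbers are constructed.

```python
import struct

HDR = "<IHBB"  # inode, rec_len, name_len, file_type (ext2 "filetype" layout)

def min_len(name_len):
    """Bytes an entry needs: 8-byte header plus name, rounded up to 4."""
    return (8 + name_len + 3) & ~3

def pack_entry(inode, rec_len, name, ftype=1):
    """Build one directory entry, zero-padded to rec_len bytes."""
    return (struct.pack(HDR, inode, rec_len, len(name), ftype) + name).ljust(rec_len, b"\0")

def scan_slack(block, start, end):
    """Find stale entries in [start, end), the space a grown rec_len absorbed."""
    found, pos = [], start
    while pos + 8 <= end:
        inode, rec_len, name_len, ftype = struct.unpack_from(HDR, block, pos)
        plausible = (inode != 0 and name_len != 0 and ftype <= 7
                     and rec_len % 4 == 0 and min_len(name_len) <= rec_len
                     and pos + rec_len <= end)
        if plausible:
            found.append((inode, block[pos + 8:pos + 8 + name_len]))
            pos += min_len(name_len)  # a deleted entry may itself hide older ones
        else:
            pos += 4                  # entries are 4-byte aligned
    return found

def parse_block(block):
    """Return (live, deleted) lists of (inode, name) for one directory block."""
    live, deleted, off = [], [], 0
    while off + 8 <= len(block):
        inode, rec_len, name_len, _ = struct.unpack_from(HDR, block, off)
        if rec_len < 8 or rec_len % 4 or off + rec_len > len(block):
            break  # corrupt chain: stop instead of reading out of bounds
        if inode:
            live.append((inode, block[off + 8:off + 8 + name_len]))
        deleted += scan_slack(block, off + min_len(name_len), off + rec_len)
        off += rec_len
    return live, deleted

def sample_block():
    """Constructed 1024-byte block in which 'report.pdf' (inode 13) was deleted."""
    stale = pack_entry(13, 20, b"report.pdf")
    # Deletion only grew the previous entry's rec_len from 20 to 40.
    grown = pack_entry(12, 40, b"notes.txt")[:20] + stale
    return (pack_entry(2, 12, b".") + pack_entry(2, 12, b"..")
            + grown + pack_entry(14, 960, b"keep.log"))

if __name__ == "__main__":
    live, deleted = parse_block(sample_block())
    print("live:", live)
    print("deleted:", deleted)
```

The recovered inode number is what gets looked up in the journal for an old copy of the inode; if the stale entry has been overwritten in the directory block, the same scan applies to older copies of that block held in the journal.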
Current abilities of extundelete
- It is able to undelete a file from an ext3 filesystem or an ext4 file system, as long as the ext4 filesystem has a journal.
- extundelete will not restore hardlinks or softlinks, but will restore the file a link points to.
- extundelete will not restore extended attributes.
- The program is currently fairly fragile. If you run into a problem that results in the program not working properly, please send a note to the mailing list, and it will likely be fixed in the next version.
Other extundelete links
- extundelete SourceForge project page
- extundelete mailing list – Send a message here to report your experience with extundelete, or for any other questions or comments about extundelete.
- extundelete command-line options summary