For those “oops” moments: ext3undel

The rm command can be a powerful tool for deleting data — until you delete the wrong files or directories. Thankfully, the ext3undel utility can recover accidently removed data on ext3 filesystems. Users can recover a specific file by name, or they can restore all files marked as deleted (though the filenames won’t be recovers, so they will have to look at the contents of the files to identify them).

Files on the ext3 filesystem have two parts. The file’s metadata — that is, the file name, size, and creation and access dates — is stored in a Unix data structure called an inode. The actual file data is stored in blocks on the hard drive. Deleting a file destroys the link between the metadata and the filesystem blocks, eliminating the association between the file’s information and content. Both the inodes and the data blocks are marked as free, and the operating system will use them to write new data when it needs to. But because the inodes and blocks are merely marked free and aren’t overwritten, users can rescue data as long as new data hasn’t been written there. That’s why it is important to recover data to a new partition: any changes to the filesystem risk overwriting data users wish to recover. Until then, an application can “save” deleted data by marking the blocks as in use, and reconnecting the inodes and the blocks symbolically.

This is actually a complicated process, and ext3undel doesn’t provide the core functionality for taking care of this. Instead, it is a wrapper for a few other applications that do the heavy lifting. ext3undel provides two different commands: gabi (get all back immediately), and ralf (recover a lost file).

Gabi relies on two recovery programs called Photorec and Foremost to get everything back. The advantage of using ext3undel over these programs is time: by using an automated process and avoiding configuration, you have a better chance of the file not being overwritten by new data. The gabi command asks you what partition you want to recover, what partition to use to store the recovered files, and what specific file types (or all file types) Photorec should focus on. Photorec will then scan the free blocks of your hard drive for “signatures” — proof that a file once lived in that block. This process could take a long time for a big hard drive. Because the inode data cannot be recovered, you must sort the recovered files by hand to find specifically what you are looking for.

The ralf command uses forensic software called SleuthKit to recover a specific file. Basically, ralf uses SleuthKit to find the inode you’re looking for. Then, it asks the filesystem for a list of the blocks that were once associated with the inode. Finally, SleuthKit stores the data to an image, which is then processed by Photorec (instead of the entire hard drive, as with gabi). This could recover more than just the file you specify. As with gabi, you need to sort through the recovered files to find the right one.

I tested the ext3undel wrapper in an updated version of Ubuntu 8.04 Server Edition in VMware by creating three different text files and a JPEG image file and deleting them with the rm command. I was able to recover the files without much hassle using both the gabi and ralf. Because this was a fresh install, I didn’t have too many files to sort through (though it was interesting to see what the maker of the virtual appliance deleted before it was released).

You can download the latest version of ext3undel from the developer Web site. It is distributed in a .tar file, as well as in prebuilt .deb and .rpm packages. You must also install the dependencies — Photorec, Sleuthkit, and Foremost. These are available in the repositories for most distributions.

ext3undel offers a great set of tools that recover data as efficiently as possible. But don’t be cocky when it comes to your data; it’s still necessary to make regular backups, because there are times when data can’t be saved, even if you use ext3undel right after the data is deleted. If the deleted file is fragmented, the tools will be able to find only the first fragment. ext3undel also can’t save data from corrupted or broken hard drives. But in the end, this tool is a great tool for emergency situations, and can minimize damage from accidents and mistakes.