Is there a simple option on extundelete how I can try to undelete a file called /var/tmp/test.iso that I just deleted?
(it is not so important that I would start to remount the drive read-only or such things. I can also just re-download that file again)
I am looking for a simple command with that I could try if I manage to fast-recover it.
I know, it is possible with remounting the drive in read-only: (see How do I simply recover the only file on an empty disk just deleted?)
But is this also possible somehow on the still mounted disk?
For info:
if the deleted file is on an NTFS partition it is easy with ntfsundelete e.g. if you know the size was about 250MB use
sudo ntfsundelete -S 240m-260m -p 100 /dev/hda2
and then undelete the file by inode e.g. with
sudo ntfsundelete /dev/hda2 --undelete --inodes 8270
Answers:
Thank you for visiting the Q&A section on Magenaut. Please note that all the answers may not help you solve the issue immediately. So please treat them as advisements. If you found the post helpful (or not), leave a comment & I’ll get back to you as soon as possible.
Method 1
Looking at the usage guide on extundelete it seems as though you’re limited to undeleting files to a few ways.
Restoring all
extundelete is designed to undelete files from an unmounted partition to a separate (mounted) partition. extundelete will restore any files it finds to a subdirectory of the current directory named “RECOVERED_FILES”. To run the program, type “extundelete –help” to see various options available to you.
Typical usage to restore all deleted files from a partition looks like this:
$ extundelete /dev/sda4 --restore-all
Restoring a single file
In addition to this method highlighted in the command line usage:
--restore-file path/to/deleted/file
Attemps to restore the file which was deleted at the given filename,
called as "--restore-file dirname/filename".
So you should be able to accomplish what you want doing this:
$ extundelete --restore-file /var/tmp/test.iso /dev/sda4
NOTE: In both cases you need to know the device, /dev/sda4 to perform this command. You’ll have to remount the filesystem as readonly. This is one of the conditions of using extundelete and there isn’t any way around this.
Method 2
Typical usage scenario when undeleting all files includes need to restore all files deleted from /dev/sdX1 during approximately last hour:
mount -o remount,ro /dev/sdX1 extundelete --restore-all --after $(date -d "-2 hours" +%s) /dev/sdX1 find RECOVERED_FILES/
If satisfied with recovered files:
mount -o remount,rw /dev/sdX1
Method 3
extundelete didn’t work for me but ext4magic did.
Method 4
extundelete core dumped for me but ext4magic is currently spewing out files:
- Unmount the filesystem immediately
- If that means shutting down your computer and attaching your disk to another machine or booting from a live CD, do it
- Find the partition name with
gpartedor similar - You don’t need to mount the partition
- Open a terminal &
sudo su - Install ext4magic:
apt install ext4magic - Create a directory to put the recovered files:
mkdir /mnt/recovered - This will recover all files deleted with a timestamp after 2 hours ago:
sudo ext4magic /dev/sdX# -m -a $(date -d "-2 hours" +%s) -d /mnt/recovered
NOTE: This may not mean deleted after 2 hours ago. If you have the time and space, it may be better to run the command without the-aoption andgrep -rfor the content of the file.
All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0