\jeff{krimmel}

Recovering a Deleted File on Linux

I am basically the system administrator for the computational lab in which I work. As such, I’ve had to deal with a few mini-crises now and again. The latest one reared its ugly head on Sunday evening, around 8:30pm, when I received an email from one of the guys saying he had accidentally performed an rm * inside a subdirectory of his home directory. All of his source codes were gone. A lot of work had just gone down the toilet.

He asked if there was an undelete for Linux like there is for Windows. I told him if there was, we don’t use it in our lab. If you delete the files they’re likely gone. I sent him that response, basically, and then searched around the web to find out if there was any chance at a recovery. To my surprise, it turns out there was.

I pieced together a few tips and tricks to come up with this method that worked on an ext3 filesystem. It’s a Fedora Core 6 machine, and it uses LVM for partitioning. The files were in this guy’s home directory, which was attached to the root partition. I then did an old trusty df -h:

[root@localhost ~]$ df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/VolGroup00-LogVol00
36G 11G 23G 32% /
/dev/hda1 99M 16M 79M 17% /boot
tmpfs 760M 0 760M 0% /dev/shm
/dev/hdb1 187G 175G 3.1G 99% /storage


So it was on the root partition, which was mapped from /dev/mapper/VolGroup00-LogVol00. From what I had read, it was clear that remounting the affected partition as read only was my safest bet. That way the filesystem would remain static during my recovery efforts. I did a

mount -n -o ro,remount /

as root. Now I was working with a read only filesystem. I had a separate partition, /storage, that was still read/write, so I could use that for what is to follow. It’s important to have an extra partition to work with here, even if it’s just a USB drive of some sort.

Through my web surfing, I found out about the strings command. According to its man page, the description of the strings command is print the strings of printable characters in files. As root, I then did a cd /storage followed by

strings /dev/mapper/VolGroup00-LogVol00 > bigfile.txt

And this was a big file indeed, approximately 6.5 GB in size. All the trickery is over at this point. Now it’s just a matter of grepping through this file to hopefully find what you need. All of the lost files were Fortran 90 modules. One of them was called setup. So, as root, I did

grep -200 "MODULE setup" bigfile.txt > recover000.txt

Then it was a matter of using vi to open both this file and the target file that I wanted to recreate:

vi recover000.txt setup.f90

I perused through recover000.txt until I found what I wanted. I yanked the lines I wanted to copy, gave vi a quick :n to edit the second of the two files I listed, and pasted the results into that file. I could then write out that file and quit, and the recovery was completed.

It certainly helped that these were text files and that I knew strings that were somewhat unique that could be found in these files. That made the grepping easier. I haven’t tried recovering a binary file or photos, but I found a couple of interesting things online about that. I’m hoping I never have to look into any of this again.