GNU+Linux command memo

Recover deleted files in an ext filesystem

Recover a deleted file in an ext3 / ext4 filesystem

1. ExtUndelete

sudo extundelete --restore-file path/to/suppr/$file /dev/<device> (1)
1 Other options exist: --restore-directory --restore-all --after date … refer to the man page
testdisk and photorec can also undelete files from FAT, NTFS, exFAT and ext2 filesystems.

2. Ext3Grep

sudo ext3grep --dump-names /backup/sda1 | grep "wanted name"  (1) (2)
sudo ext3grep --restore-file path/to/suppr/$file /backup/sda1 (3)
1 Find the path of your deleted file
2 Other options exist: --directory --group GID --after dtime --depth X --restore-all … refer to the man page
3 Restore a particular file. The path must have been listed via --dump-names.
  • Do not attempt to use ext3grep for recovery from a mounted filesystem. Create a backup copy via dd, or reboot from a USB key to access the partition while it is unmounted.

  • It is highly recommended that you run ext3grep in a 64-bit environment when dealing with large filesystems.

  • ext3grep cannot recover files if there are no remnants of them. Stop writing to the partition as soon as you discover you accidentally erased a file.
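
The ext3grep precautions above, as an added shell example that is not part of the original memo: it refuses to image a partition that is mounted read-write, copies it with dd, then searches the copy. The function names, the /dev/sdX1 and /backup/sdX1 placeholders and the choice to allow a read-only mount are assumptions.

```shell
#!/bin/sh
# Added example: guard, image, then search. All paths are caller-supplied placeholders.

# Constructed /proc/mounts-style sample used to exercise mount_state offline.
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /mnt/data ext3 ro,noatime 0 0
tmpfs /run tmpfs rw,nosuid 0 0
EOF
}

# Print "rw", "ro" or "unmounted" for device $1, reading a mounts table
# ($2, default /proc/mounts). Compares the literal device name only, so
# aliases such as /dev/disk/by-uuid/... are not resolved.
mount_state() {
    awk -v d="$1" '
        $1 == d {
            seen = 1
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) if (opt[i] == "rw") rw = 1
        }
        END { print (rw ? "rw" : (seen ? "ro" : "unmounted")) }
    ' "${2:-/proc/mounts}"
}

# Copy device $1 to image file $2 unless the device is mounted read-write.
# The image must be written to a different filesystem than the one being recovered.
image_partition() {
    if [ "$(mount_state "$1" "${3:-/proc/mounts}")" = "rw" ]; then
        echo "refusing: $1 is mounted read-write; unmount it or boot from a USB key" >&2
        return 1
    fi
    dd if="$1" of="$2" bs=4M
}

# List the paths ext3grep finds in image $1 that contain the fixed string $2.
find_deleted() {
    ext3grep --dump-names "$1" | grep -F -- "$2"
}

# Typical sequence (run as root; /dev/sdX1 and /backup/sdX1 are placeholders):
#   image_partition /dev/sdX1 /backup/sdX1
#   find_deleted /backup/sdX1 "wanted name"
#   ext3grep --restore-file path/as/listed /backup/sdX1
```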