Thursday, September 24, 2009

Undelete files from an ext3 drive with ext3grep

Wow... that site could use a wiki. Here's my version of the documentation:

Once you discover that you've deleted files that you actually wanted:
  • take out a permanent marker to write on your hand:
    • buy an external disk
    • take 10 minutes and learn how to use rsync
  • Boot an Ubuntu LiveCD
  • Set the date and time
  • Grab and install the latest binary of ext3grep as a deb

Now, depending on what you need done, use one of the following commands to restore your files.
(NOT to the disk they were deleted from!)

Assuming the files are on /dev/sda4 and you want them all

Dry run:

ext3grep /dev/sda4 --dump-names | less


Full restore:

ext3grep /dev/sda4 --restore-all


Assuming you deleted them last night
(Set the date and time correctly if you're on a LiveCD)

ext3grep /dev/sda4 --restore-all --after `date -d 'Sept 23 2009 7:00pm' '+%s'` --before `date -d 'Sept 24 2009 10:00am' '+%s'`
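
The two warnings above (don't restore onto the source disk, and get the clock right) can be checked before ext3grep runs. This is an added example, not code from ext3grep or the original post: the helper names are hypothetical, and it assumes GNU date and that ext3grep writes recovered files under the current working directory.

```shell
#!/bin/sh
# Added example (not from ext3grep or the original post); helper names are hypothetical.
# Assumption: ext3grep writes recovered files under the current working directory.

# Epoch seconds for a human-readable time (GNU date, as shipped on an Ubuntu LiveCD).
# The string is read in the shell's time zone; a LiveCD often runs in UTC, so export
# TZ for the zone you were in when the files were deleted.
to_epoch() {
    date -d "$1" '+%s'
}

# Device backing the current directory (first column of POSIX df output).
cwd_device() {
    df -P . | awk 'NR == 2 { print $1 }'
}

# build_restore_cmd DEVICE AFTER BEFORE [CWD_DEVICE]
# Prints the ext3grep command line, or explains on stderr why it refuses.
build_restore_cmd() {
    dev=$1
    after=$(to_epoch "$2") || { echo "cannot parse --after time: $2" >&2; return 2; }
    before=$(to_epoch "$3") || { echo "cannot parse --before time: $3" >&2; return 2; }
    here=${4:-$(cwd_device)}
    if [ "$here" = "$dev" ]; then
        echo "refusing: current directory is on $dev, cd to another disk first" >&2
        return 3
    fi
    if [ "$after" -ge "$before" ]; then
        echo "refusing: --after ($after) is not earlier than --before ($before)" >&2
        return 4
    fi
    printf 'ext3grep %s --restore-all --after %s --before %s\n' "$dev" "$after" "$before"
}

# Constructed sample: recover from /dev/sda4 while standing on a disk mounted from /dev/sdb1.
build_restore_cmd /dev/sda4 '2009-09-23 19:00' '2009-09-24 10:00' /dev/sdb1
```

The device comparison is by name only, so a live session whose working directory sits in RAM passes the check but may still run out of space; cd to the external disk before running the printed command.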


Assuming you want a very particular file

ext3grep /dev/sda4 --restore-file home/coolaj86/Downloads/song_i_bought.mp3


Home: http://code.google.com/p/ext3grep/
Documentation: http://www.xs4all.nl/~carlo17/howto/undelete_ext3.html
Debian Packages: http://ftp.debian.org/pool/main/e/ext3grep/