I was working on my Debian machine a few days ago when I accidentally pressed "rm -rf *" in the wrong directory (my main working directory). Well, I lost all the data. And after hunting the net for hours, I found out that there is no traditional method available for recovering files in the ext3 file system.
In the Ext2 file system, the OS marks the blocks, inode and directory entry associated with a deleted file as unused. It did not delete the links, so that other files could still use them. Because of this, recovery of lost files was possible using certain tools like debugfs, e2undel, recover, Midnight Commander etc. Giis-gET iT i sAY also claims to recover files from both ext2 and ext3 file systems, but I don't know whether it works or not.
In the Ext3 file system, when a file is deleted, the file size and block addresses in the inode are also deleted. Therefore, it's not possible to find out where the file was originally located; more specifically, it becomes difficult to track back the inode of the file using debugfs.
But, if you are lucky, the file could still be there on your hard drive, though in chunks. Steps you must follow -
- Do not save any file in the same partition in which your deleted files were. Doing so might overwrite the blocks that the deleted files occupied.
- Mount another drive on the system (if not already mounted) to save the dump.
- Find the partition in which the deleted files were, using `mount -t ext3` (`-t` needs a file system type; on its own it lists the mounted file systems of that type).
- If you know certain lines from the file, which are more or less unique to the file you deleted, then it might be useful. In my case, my Perl code began with "package rankSentences;", so I used that as the identifying text.
- Try the command =>
here,
- -a treats binary data (the raw partition) as if it were text.
- -A Number of lines of the dump that you want to extract after the "identifyingText" (which was "package rankSentences" in my case).
- -B Number of lines before "identifyingText" you want to extract.
If you don't specify "identifyingText", dump.txt might become very large, because the data of the complete partition will be dumped into that file.
And ya, be patient, it might take some time depending upon the size of your partition. After running that command you can look for chunks of your deleted file in dump.txt. And if you are lucky, you might find the complete file at one place. :)
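As an added example (not the author's own command), the shell functions below apply the `-a`, `-A` and `-B` options described above through `grep`, and enforce two of the precautions from the steps: a non-empty identifying text and a dump file that is not on the partition being scanned. The function names, the `-F` (literal string) option and the sample image are assumptions made for the example.

```shell
#!/bin/sh
# Added example: search a raw partition (or an image of it) for text that
# surrounds a known string. All names here are hypothetical.
# Usage: recover_chunks SOURCE TEXT LINES_BEFORE LINES_AFTER DUMPFILE
recover_chunks() {
    src=$1; text=$2; before=$3; after=$4; dump=$5

    # An empty pattern matches every line, so the whole partition
    # would be copied into the dump file.
    [ -n "$text" ] || { echo "identifying text must not be empty" >&2; return 2; }
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 2; }

    # Simple check: refuse to write the dump onto the file system being
    # scanned, because new writes can overwrite the freed blocks.
    # (Compares device names as df prints them; aliases are not resolved.)
    dumpdev=$(df -P "$(dirname "$dump")" | awk 'NR==2 {print $1}')
    if [ "$dumpdev" = "$src" ]; then
        echo "dump file would be written to $src itself; use another drive" >&2
        return 3
    fi

    # -a: treat binary data as text; -B/-A: lines of context before/after;
    # -F: take the identifying text literally, not as a regular expression.
    grep -a -F -B "$before" -A "$after" -e "$text" "$src" > "$dump"
}

# Constructed sample: a tiny "partition image" with a Perl file lying
# between runs of zero bytes, so the function can be tried without root.
make_sample_image() {
    {
        head -c 4096 /dev/zero; printf '\n'
        printf '#!/usr/bin/perl\npackage rankSentences;\nuse strict;\nsub rank { return 1; }\n'
        head -c 4096 /dev/zero
    } > "$1"
}

# Real use (as root, dump on a different drive), device name is a placeholder:
#   recover_chunks /dev/sdXN "package rankSentences;" 5 200 /mnt/other/dump.txt
```

The function returns grep's exit status, so a return value of 1 means the identifying text was not found anywhere on the source.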
--compiled from various sources on net.