linux mint IT admin tips info

Cool Command #9 – extundelete

I recently messed up an rsync --delete command in crontab and wiped 2 external backup drives attached to the same PC - idiot! (ALWAYS --dry-run an rsync command before you implement it - duh...and double check it is correct on an expendable drive)

This is a pain because it is a legitimate file deletion operation, not a lost partition record which could be replaced by testdisk or gpart. Now what?

(I would be a hypocrite having no sympathy for anyone losing data in this day and age by NOT having multi back up sources, so - yes - in case you wondered, I ALWAYS have more of the same data on other disks, so didn't lose everything - I can always replace important data from somewhere - even if it's inconvenient at the time).

A bit of research found a new program for ext3 and ext4 file systems that I could run:

sudo apt-get install extundelete

First unmount the drive you wish to restore:

sudo umount /Quadra

Find the device IDs then start the recovery for it, in my case, using the other empty drive as the recovery space:

sudo blkid

sudo extundelete /dev/sdb1 --restore-all --output-dir /Storebird

Restored inode 44564665 to file/Storebird/RECOVERED_FILES/Photos/Jon/NewYear2008/img_3003.jpg
Restored inode 44564666 to file/Storebird/RECOVERED_FILES/Photos/Jon/NewYear2008/img_3004.jpg
Restored inode 44564667 to file/Storebird/RECOVERED_FILES/Photos/Jon/NewYear2008/img_3005.

Read the man page for info.

--output-dir path/to/dump/recovered/files
Restores files in the output dir 'path'.
By default the restored files are created under current directory

As stated above, I ALWAYS have multiple backups (2 external 1TB drives, and a 1.5TB internal on a separate PC total) and at least 2 PCs and a laptop to work with should a whole PC die, 2 external USB drives, old CDs/DVDs etc. so important file recovery is always possible, even in the worst case by recopying, but for this case - about 400GB of definitely wanted files, some collected over 15+ years - photos, video etc., it takes about 9 hours per drive.

The only downside is that undelete will recover files you recently deliberately deleted as part of normal housekeeping, so you may have to do all that again, but better to have that option than not get back files you DO want.

When finished, it should be a case of re-mounting the recovered (still empty) drive and rsyncing in the reverse direction from the RECOVERED_FILES folder of the 2nd drive (Storebird), once housekeeping is re-done for those recovered files.

Would it have been quicker to just recopy from my main source drive? Well, in my case no, as I have loads of files on that I don't need on these current drives - a difference of about 400GB definitely wanted, to well over 1TB on the main backup that I mostly don't need. It would have taken longer to choose specific folders to copy than do the whole drive in one copy operation. A copy time period of about 3 hrs to 9 hrs.

For specific file type recovery, check out scalpel:

Comments are closed.

Post Navigation