Practical computer tips, with a smattering of digital philosophy

Monthly Archives: July 2009

ext3grep: Ext3 file recovery utility (for accidentally deleted files)

As any of you who have come to this page via frantic Googling will probably have figured out, the conventional wisdom about journaling file systems (the family of file systems to which ext3 belongs) holds quite unequivocally that once a file has been deleted, the chances of being able to get it back again are effectively nil. Depending on your perspective, this characteristic either constitutes a nice security feature (arguably making multi-pass disk-wiping less critical) or a disaster waiting to happen. Thanks to the persistence (and, arguably, genius) of one Carlo Wood, however, those of us who find ourselves suddenly confronted by the latter, nastier set of implications* aren’t necessarily up a tree at all. For this intrepid coder has written an application that purports to be able to recover any kind of file from an ext3 partition – and according to my informal testing, the robust, well-documented utility works exactly as promised.

The standard caveats about file recovery still apply, of course: only files that were deleted recently are likely to be recoverable; the fewer disk writes that take place on the partition in question between deletion and recovery, the better (so make sure to do the recovery from an entirely separate partition), etc. Though you can run the utility directly on the compromised partition, it would probably be most prudent to make an image of the partition first, which you can then use either as a pre-recovery backup or as your recovery source (you’d do this by using the dd command, in a manner similar to the following: dd if=/dev/<my partition> of=<image file>).
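The imaging step described above, written out as an added example (it is not part of the original post and not part of ext3grep). The helper name `image_partition` and the paths in its usage comment are hypothetical; it assumes GNU coreutils and a source partition that is unmounted or mounted read-only.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): image a partition before recovery.
# Assumes GNU coreutils and that the source is unmounted or mounted read-only,
# otherwise its contents can change between the copy and the hash check.
# Usage: image_partition /dev/<my partition> /mnt/other_disk/<image file>
image_partition() {
    local src=$1 img=$2 img_dir backing src_hash img_hash

    img_dir=$(dirname "$img")
    # Device that backs the directory the image will be written to.
    backing=$(df -P "$img_dir" 2>/dev/null | awk 'NR==2 {print $1}')

    # Refuse to store the image on the partition being recovered:
    # every write there can overwrite blocks of the deleted files.
    if [ "$backing" = "$src" ]; then
        echo "refusing: $img_dir is on $src itself" >&2
        return 3
    fi
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 2; }
    # Never clobber an earlier image; it may be the only pristine copy.
    if [ -e "$img" ]; then
        echo "$img already exists" >&2
        return 2
    fi

    # Plain block copy, as in the post: dd if=<partition> of=<image file>
    dd if="$src" of="$img" bs=4M || return 1

    # Verify that the image is a bit-for-bit copy of the source.
    src_hash=$(sha256sum < "$src" | awk '{print $1}')
    img_hash=$(sha256sum < "$img" | awk '{print $1}')
    if [ "$src_hash" != "$img_hash" ]; then
        echo "hash mismatch: source changed or copy failed" >&2
        return 1
    fi

    # Record the hash next to the image and drop write permission, so the
    # image can serve as the pre-recovery backup the post recommends.
    printf '%s  %s\n' "$img_hash" "$(basename "$img")" > "$img.sha256"
    chmod a-w "$img"
    echo "$img_hash"
}
```

Run the recovery tool against a copy of the image rather than the verified original, and re-check the original with `sha256sum -c` before reusing it.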

Carlo’s utility, and his stunningly detailed overview of the nuts and bolts of how ext3 works (highly worth reading), can be found here. The source code itself is available from Google Code.

*i.e., those of us who, due to lack of sleep, overzealous use of automated scripting, supreme carelessness, or all of the above, may or may not have accidentally issued a command similar to “rm -r /home/”. Not that I would know anything about that.