Slashdot Mirror
Recovering Deleted Files on ReiserFS3?
DarkSarin asks: "I have a rather serious problem: I managed to accidentally delete some files (rather important ones at that!) while trying to back them up to cd (I was using a GUI burning software that will remain nameless for now). How do you recover accidentally deleted files in Reiserfs? This thread (started by me) indicates that you can't recover them. Note that I had found a way to rebuild the tree, but that didn't work. It seems odd to me that you wouldn't be able to recover accidental deletions, but that really does seem to be the case. Help? Please?"
Didn't find a way to recover my files either. :(
A filesystem has never (AFAIK) implemented a trash / recycle bin folder -- not on Windows or OS X, and not on any UNIX that I know of.
The reason for this is that a recycle bin is to save you from accidental deletions. If you delete a file from the nice, big, friendly GUI, it usually asks you at least once whether you want to delete it, then instead moves it to the trash. When it's time to empty the trash, it asks you again to make sure you're not screwing yourself over.
However, many programs create temporary files and then promptly delete them -- so many times that it would be ridiculously inefficient (both in space and fragmentation levels) to put them into the trash. Furthermore, can you imagine looking for your files in the middle of all sorts of files with names like 11025u012348512i51253.tmp?
As someone said on the other forum, there's the hard way -- grep for it on the raw partition. This may not even work with ReiserFS, I'm not sure. The usual way to protect yourself from this is to back up in the first place (yeah, I know) and to only run programs you trust as a user that can delete files that you need.
I would suggest that you try the grep method, and if that doesn't work, learn from it. The safest way to do this is (ironically) the command line. If you type "cp", you know for sure it will copy the file. If you type "mkisofs" or something similar, it is very unlikely that it will delete the files. And these tools (along with mv, which does delete the old copy after the new one is successful) have been around for so long and are so simple that the only way you could screw this up is through a very stupid mistake (like rm instead of cp) or using an experimental filesystem, which despite the opinion at Gentoo, ReiserFS is not.
Don't thank God, thank a doctor!
Take the filesystem offline. NOW!
Then use dd to copy the partition to another partion/disk. Then mess with the copy.
A lot of silesystems do a good job at keeping files and their blocks in order. I've had luck with *BSD file-system by grepping for somthing at the begining of the file and grabbing a big chunk of data afterwords. This works great for MS Office Documents, JPEG or anthing that begins with a known preamble.
This may not work for your filesystem.
Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.
This may help..
TCT is a collection of programs by Dan Farmer and Wietse Venema for a post-mortem analysis of a UNIX system after break-in. The software was presented first in a Computer Forensics Analysis class in August 1999 Examples of using TCT can also be found on-line in a series of columns in the Doctor Dobb's Journal. Notable TCT components are the grave-robber tool that captures information, the ils and mactime tools that display access patterns of files dead or alive, the unrm and lazarus tools that recover deleted files, and the findkey tool that recovers cryptographic keys from a running process or from files.
Site here
First off, I have several questions. Do you have an original copy of the partition before you started running recovery tools (after you deleted the file, but before you created new ones)? If not, make an image immediately. You want the most original image you can find. Now, the second question, is how much data am I a looking for, and how large is the partition? (How large is the needle, and how large is the haystack?). What type of data am I looking for? Is it a word document? A text file? A gif? A jpg? Some html? A PDF? The smaller the file, the more likely that if it got overwritten, it all got overwritten. However, the more likely you are to recover all of it. If it was a very large file, it's possible that you can recover pieces and parts, but not all of it. Now, it's my understanding that you can recover anything written to a harddrive, even if you have overwritten it several times. However, it's very, very expensive to do so. So now the question is how much money is it worth to you? The guys as ReiserFS probably have the best shot at helping you. They probably don't want to however. The more you know about the order of the files in the directory, the more you know about how the files were constructed, and the order files got put on disk the better. They you can make better educated guesses about the sequence in which the pages got allocated to know where to go look for the file. Do you have anything on the drive you are worried about posting? Can you post an image of the drive? I'm not an expert in this area, but I've seen people recover mail spools at an ISP using dd. People leave ISP's over losing all their mail, so they worked really hard at it (however, that was an ext2 filesystem). Kirby
If you had this problem then I or anyone will have this problem too, so please let us know what program you are talking about. Was a user error? Was it a bug? Is the bug being worked on?
Useless sig.
...every Windows user looks at that Recycle Bin shortcut on their desktop and smiles.
(No, that's not really a troll. Human error happens.)
I really don't understand how this was done. None the less you CAN recover from this. Here's a little tutorial I found. I Highly suggest doing the backup first!!! :
::-)
:3 18421306&w=2.
If you're really really desperate, you can do what I did a few weeks ago. In my \
case, fsck didn't recover the partition either, indeed it crashed. So here's what's \
I did from the beginning of what I think fixed it:
1) reiserfsck --rebuild-tree
2) mount
3) reiserfsck -S
4) debugreiserfs to get metadata for Vitaly
5) mount
6) mount again
I'm not sure why this happened, but after the second mount, the partition was not \
recognizeable as ReiserFS anymore. I suspect it had to do with a few really huge \
files that were originally on the partition that reisefsck -S tried to recover. In \
doing so it probably hosed lots of stuff. Now, it was as simple as
7) reiserfsck --rebuild-tree
And I had most of my data linked under lost+found! Took me a few hours to sort \
through it all but I got back most of what I cared about. Maybe if you use the new \
pre8 fsck you won't need to jump through these hoops. Since the potential for data \
destruction is high here, I wouldn't blame you for not trying. And yes, this all \
happened by trial and error
This might help too
http://marc.theaimsgroup.com/?l=reiserfs&m=104861
Good luck!
Pay Namesys $25. They wrote ReiserFS so they should know. You'll be getting really great support and helping those who wrote your file system. Look here:
http://www.namesys.com/support.html
http://thread.gmane.org/gmane.linux.gentoo.user/55 649
Deals with the ReiserFS specifically.
I beleive i used the --rebuild-tree option. You should follow the steps in the manpage under Example.
so in short, man reiserfsck before asking slashdot
-- botsex is {grep;touch;strip;unzip;head;mount}
A filesystem has never (AFAIK) implemented a trash / recycle bin folder -- not on Windows or OS X, and not on any UNIX that I know of.
NetWare has had a very sophisticated file undeletion capability since time immemorial.
If Novell ports it to SuSE, you Linux clowns might just find yourselves in possession of a mission-critical operating system after all [not that you deserve it].
KDE has a trash bin too.
But in the context menu it asks you if you want to delete or move to trash. Not the same thing! In DOS, delete, or del usually just write a lowercase delta IIRC over the first character of the file name marking the space as free to be used.
Right now, his enemy is the "relatively" obscure file system, and how much writing he's done to the harddrive since the "incident".
That should teach you!
Real users never make backups!
-K
But it can be helpful in the future to dedicate, say 10% of your drive to an LVM snapshot space....
:)
I haven't done this yet (I'm lucky! I have a real tape drive to backup my stuff.....) but I plan to make my system take a snapshot every hour and every day (total of two) so that at most I lose an hour's worth of work.
Also, I've always wondered if it was possible to make an operating system that would take as long to destroy something as it did to create it. For example, your term paper took ten days to write, so the rm termpaper.tex command would take ten days to run
Fellowship 9/11
"Nope, you're outta luck. Thanks for the cash!"
Since ext3 is just ext2 with added features, you can undelete the file the way you would do so on ext2. There's actually an undelete howto for ext2. The basic gist of it is that you immediately unmount and remount the partition read only. Then you grab a list of last delete blocks and use that to recontruct the file. I've done it once or twice but I've been fortunate enough to have a tape backup solution that has been able to alleviate the need for this for a while now.
"When you sit with a nice girl for two hours, it seems like two minutes. When you sit on a hot stove for two minutes, it
Not like Novell just bought SuSE or anything...
Be careful! Bears shouldn't consume large furry dogs.
a real company bought a fake one to play lip service to linux to make them ripe for IBM to buy them.
whats worth more? SuSE's shit hack of Lin-sux? or NDS? I know what I think is better.
SuSE should be dead.
I coulda sworn that real users run an FTP server and know lots of people..
-- 'The' Lord and Master Bitman On High, Master Of All
Because of windows recycle bin, I never hit "delete" without holding "shift". Recycle bin? There is no recycle bin!
-- 'The' Lord and Master Bitman On High, Master Of All
You know you can turn that off, right?
Uncheck the "Display delete confirmation dialog" option in the Recycle Bin properties page.
First thing I do on a new Windows install... followed by deleting all the worthless crap on the FS that Windows thinks I need ("Online Services" and such).
More often than not, I do the same.
Ok, I've been caught out a few times...
1) Shift
2) Delete
3) Notice WHICH file got deleted...
4) Panic/swear
Tiggs
Tiggs
"120 chars should be enough for everyone..."
I like the confirmation dialog, just not the recycle bin.
-- 'The' Lord and Master Bitman On High, Master Of All
Simple alias rm to move the files to a recycle bin folder somewhere in your home dir. If you want it to be fancy, add a timestamp to the filename so the same original filename won't get overwritten. That several GUIs have a recycle bin has already been mentioned.
:) While this method is neither foolproofed nor perfect it should help at least a bit to prevent future accidents.
To clear the trash, you have to use 'rm' unaliased. Normally, you can't do such a thing by accident
My cats ate my karma. They also wrote this comment.
Comment removed based on user account deletion
I had to use data recovery software a few years back after I accidentally started a NTFS format on a drive I was using as a temporary storage dump while the main drives were being upgraded... got back only 70% after a 3% format :( took hours too.
/mnt/snafu
.avi .mpg and .mp3, the rest are programs, docs, etc. all of which easily fit elsewhere (the actual "mission critical" files can fit on a single CD, and therefore anywhere on my LAN) even with RAID, there's no excuse for a good backup, RAID does mechanical failures, but an errant rm -rf very mportantdir/veryimportantfile
Best advice here is to keep active backups (Tape/CD is good for archival), if the files are small (docs/text/logs/source code), HD space is dirt cheap, get another drive (or partition)
mount as something like
and set rsync/cron/whatever to copy the files from the open (shared) partition to the snafu drive (something thats only writable (and therefore screwable by root and not your backup op or your regular user type) I'm sure there are more advanced way to do it, like say on the fly, but setting a cron script to run every 5 minutes and unless you go straight into doing CD backups 5 within 5 minutes of copying data to the drive, you're OK.
I have a shitload of files, most of them size-wise are
is hard to recover from, if doing backups to media, MAKE SURE that they're duped on the HD first, in case something like this happens to you, a quick tar -czvf stufftobackup.tgz [your files here] before you run your backup will save your ass, better yet, make the tar, then just back that up, don't screw around with the originals where possible.
Logistical Chaos Officer http://www.slagg.org - LAN Gaming in Sarasota FL,USA
"I was using a GUI burning software that will remain nameless for now"
_Either_
- you fucked up, be a man and admit it's your fault;
- the software fucked up, in which case let others know what it was and how it fucked up so that they can avoid risking the same bug.
YAW.
Your head of state is a corrupt weasel, I hope you're happy.
well, shit happens. move on and learn from it not to use fancy clickety-clack guis on your important data. while you're at it, man (cp|mv|rm|tar). Ok, maybe not rm.
AC, sitting on several hundred gigs of "important" data (come on, you know what i mean) without a backup since years.
How do you recover accidentally deleted files in Reiserfs?
It's really easy. You just restore from backup.
Then in that same properties page check the "Do not move files to the Recycle Bin." option (and the "Use one setting for all drives" if desired).
"From my cold, dead hands you damn, dirty apes!" - CH
tr </dev/hda '\n' '~' | tr '\0-\37\200-\377' '\n' | grep "while (mungeCount < superMungeCount) {" | tr '~' '\n' >foo-recovered.c
This does have its problems. If the file spanned multiple blocks it may not get all of it, but you'd be surprised how often it does get all of it. You might get multiple versions of the file concatenated together, and you'll have to text edit to pull out the one you want. Also, of course, it only works on text files. But the two times that I needed this, it worked, so it might help you out too. Note that you should run it immediately after deleting the file - ever disk access means that much more chance that the block will be recycled. :-(
Just FYI. Netware's file system does have a trashcan built in and will keep the files that you've deleted. Even multiple versions of them until ther is no room on the storage device, then it will start to actually delete the oldest deleted files at that point. It's quite useful! you can disable the function globally or just on a directory/tree also. It has been doing this since version 2 for sure. Possible even before that.
It seems odd to me that you wouldn't be able to recover accidental deletions
Why would this seem odd? None of the most widely used file systems allow for undelete. If you think the recycle bin is undelete try del *.* and then see what you can recover. The only one that really supports undelete, and does it really well, is Netware's Salvage utility.
There are kludgy solutions for FAT and NTFS but there really isn't a true deleted file recovery system in any of the mainstream file systems. That includes ext2/3, Reiser, and more.
If your lost files were text then strings and grep can probably get back a fair bit of your data but, it won't be an undeleted file. If the files weren't text then they are gone. Grieve and move on because unless you were storing the numbers to your swiss bank accounts in those files, you'll see that their loss isn't really the end of the world.
Or diskdoctor on the Amiga? It's a shame that modern file systems don't seem to be able to do something that was fairly universal 15 years ago.
/tmp and /var/tmp aren't used by all programs, and I can't guarentee that any one filesystem will be used for a single purpose exclusively. In fact, many programs will just throw things in my home dir.
For that matter, I think you should consider the fragmentation issues, among other things. Look at Reiser4. Look at it objectively, please -- even without the "paradigm shifting crap", it's got plenty of logical improvements, like making it as efficient or more so to have Squid store its cache in a single directory, or making it almost as efficient to store configuration in lots of tiny files as it is to store it in one big file.
If I create a file on Reiser4 and delete it five minutes later, if I'm not doing much and I have a decent amount of RAM, it's very likely that the file will never reach the disk. This reduces fragmentation and disk access time on laptops.
This procrastination, borrowed from XFS, does more than that. Data isn't even allocated until it needs to be, and can thus be allocated more efficiently.
If I am wasting 5% of my disk space, I would much rather waste it on free space -- air holes.
And finally, the truth is, most people I know don't even delete files, because they never see a reason to (they are blissfully ignorant of how big their hard drive is, and assume "it's huge"). And when those people finally do get around to deleting files, they do it with the GUI, which manages the trash. Beyond that, rm or the kernel could be modified, but I don't see a significant demand -- by the time you're enough of a guru to use the commandline, you're enough of a guru to know that 'rm' is not recoverable and you'd be better off 'mv'ing it to your own custom trash folder.
Don't thank God, thank a doctor!
Unless I'm wrong, tail-packing has been replaced in v4. The idea now is that the tree itself should be kept as clean as possible -- no BLOBs or anything like that. Instead, there's procrastination a la XFS, where when memory is low (or a sync is asked for) all the data to be written is shoved as far to the left as it will go (packing blocks together in the head and tail regions of the file), probably at the same time as allocating, then it's flushed to disk.
Don't thank God, thank a doctor!
Perhaps also you don't understand that I /like/ holding shift. Delete is a powerful word, you must use it with care.
-- 'The' Lord and Master Bitman On High, Master Of All
5) ...
6) Profit!
I didn't spend a ton of time picking through your thread, but did you take an image of the filesystem and work off that instead of the original? If you did, and you still have the image around, you may be interested in The Sleuth Kit... it claims to support ext3. I haven't tried it myself but plan to throw together a junk box and give it a try. It looks useful. If it makes you feel any better about your choice of filesystem, recovering deleted files is *damned hard* on NTFS as well... it's only the old FAT?? systems that really have a leg up on Linux anymore :-)
.sig: file not found
apt-get install -u gtkrecover recover
IT's even a GUI for the CLI adverse. It's for recovering ext2/ext3 filesystems via a node grab by date method. I've used it many times to recover deleted files quickly. Also there is the lazrus toolkit, but I haven't personally used it.
I've personally written some simple tools to recover MS Office and RTF files, which is just a little more advanced than grepping a raw device. However, it also handles partial partition recovery this way -- like if you're recovering from damaged zip/floppy. =)
I once had a trashed ReiserFS partition on a dual boot machine. No idea what happened, but the result was that Linux refused even to recognise the disk, even though Win98 still booted and worked perfectly.
Anyway, after all other attempts failed, including booting into Linux rescue mode from the CD-ROM and using the tools available from there, I thought to myself "what the hell", and decided to try a Windows data recovery package, Easy Restore. This doesn't even support ext2, let alone ReiserFS but, guess what, it managed to retrieve virtaully everything. Surprised? I was!
I didn't have the option but, if you can, I strongly recommend working from a copy of the drive image, whatever you try.
Good luck,
M.
It would be pretty straightforward to alias rm to a script that could understand rm, rm -f, rm -rf (all I ever use) and do a mv to ~/.trash instead. Then a simple emptytrash alias and you're good to go.
Once upon a time Norton even sold undelete for Unix, ULTRIX maybe. Before Norton was part of Symantec, of course and Peter Norton did more than pose for pictures. (yeah, I'm just envious)
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)