Desperate Undelete
Filed in archive by Michael Hammer on August 28, 2006
Here's a trick I've had to use a few times.
Desperate person's text file undelete.
If you accidentally remove a text file, for example, some email, or the results of a late night programming session, all may not be lost. If the file ever made it to disk, ie it was around for more than 30 seconds, its contents may still be in the disk partition.
You can use the grep command to search the raw disk partition for the contents of file.
For example, recently, I accidentally deleted a piece of email. So I immediately ceased any activity that could modify that partition: in this case I just refrained from saving any files or doing any compiles etc. On other occasions, I've actually gone to the trouble of bring the system down to single user mode, and unmounted the filesystem
.
I then used the egrep command on the disk partition: in my case the email message was in /usr/local/home/michael/, so from the output from df, I could see this was in /dev/hdb5
sputnik3:~ % df
Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/hda3 18621 9759 7901 55% /
/dev/hdb3 308852 258443 34458 88% /usr
/dev/hdb5 466896 407062 35720 92% /usr/local
sputnik3:~ % su
Password:
[michael@sputnik3 michael]# egrep -50 'ftp.+COL' /dev/hdb5 > /tmp/x
Now I'm ultra careful when fooling around with disk partitions, so I paused to make sure I understood the command syntax BEFORE pressing return. In this case the email contained the word 'ftp' followed by some text followed by the word 'COL'. The message was about 20 lines long, so I used -50 to get all the lines around the phrase. In the past I've used -3000 to make sure I got all the lines of some source code. I directed the output from the egrep to a different disk partition - this prevented it from over writing the message I was looking for.
I then used strings to help me inspect the output
strings /tmp/x | less
Sure enough the email was in there.
This method can't be relied on, all, or some, of the disk space may have already been re-used.
This trick is probably only useful on single user systems. On multi-users systems with high disk activity, the space you free'ed up may have already been reused. And most of use can't just rip the box out from under our users when ever we need to recover a file.
On my home system this trick has come in handy on about three occasions in the past few years - usually when I accidentally trash some of the days work. If what I'm working survives to a point where I feel I made significant progress, it get's backed up onto floppy, so I haven't needed this trick very often.
Desperate person's text file undelete.
If you accidentally remove a text file, for example, some email, or the results of a late night programming session, all may not be lost. If the file ever made it to disk, ie it was around for more than 30 seconds, its contents may still be in the disk partition.
You can use the grep command to search the raw disk partition for the contents of file.
For example, recently, I accidentally deleted a piece of email. So I immediately ceased any activity that could modify that partition: in this case I just refrained from saving any files or doing any compiles etc. On other occasions, I've actually gone to the trouble of bring the system down to single user mode, and unmounted the filesystem
. I then used the egrep command on the disk partition: in my case the email message was in /usr/local/home/michael/, so from the output from df, I could see this was in /dev/hdb5
sputnik3:~ % df
Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/hda3 18621 9759 7901 55% /
/dev/hdb3 308852 258443 34458 88% /usr
/dev/hdb5 466896 407062 35720 92% /usr/local
sputnik3:~ % su
Password:
[michael@sputnik3 michael]# egrep -50 'ftp.+COL' /dev/hdb5 > /tmp/x
Now I'm ultra careful when fooling around with disk partitions, so I paused to make sure I understood the command syntax BEFORE pressing return. In this case the email contained the word 'ftp' followed by some text followed by the word 'COL'. The message was about 20 lines long, so I used -50 to get all the lines around the phrase. In the past I've used -3000 to make sure I got all the lines of some source code. I directed the output from the egrep to a different disk partition - this prevented it from over writing the message I was looking for.
I then used strings to help me inspect the output
strings /tmp/x | less
Sure enough the email was in there.
This method can't be relied on, all, or some, of the disk space may have already been re-used.
This trick is probably only useful on single user systems. On multi-users systems with high disk activity, the space you free'ed up may have already been reused. And most of use can't just rip the box out from under our users when ever we need to recover a file.
On my home system this trick has come in handy on about three occasions in the past few years - usually when I accidentally trash some of the days work. If what I'm working survives to a point where I feel I made significant progress, it get's backed up onto floppy, so I haven't needed this trick very often.
Permalink: Desperate Undelete
Tags:
linux undelete tips blog tip help server operating system desperate desperate+undelete
Trackback: http://www.creative-weblogging.com/cgi-bin/mt-tb.pl/34628
