Undelete ext4 files ---- "easy"

This situation befell me unexpectedly so I thought I should share it.

The case:
My wife had unintentionally copied a directory into itself and wanted to undo that. So she 'deleted' (read: move to trash) the copied directory, she thought.
After checking everything was apparently OK, she emptied 'Trash' , only to discover she'd also permanently deleted a plethora of important other directories inside that directory i.e they weren't 'copied' but 'cut'. :shocked:

Here's the remedy I used:

First and foremost, Log Out ASAP by going to into single user mode (you'll be asked for your sudo password):

Sudo telinit 1

But not before installing 'ext4magic' as single-user-mode doesn't have a network connection.

api ext4magic

Then (this crucial for ext4magic and stop deleted files being overwritten) umount the /home partition in single-user-mode. Where we'll assume it was in '/dev/sda3' which was my case, using LVM as scheme.

umount /home


umount /dev/sda3 (in my case)

.... and create a directory where you'll want to temporarily save the recovered files.

mkdir /tmp/recover

And run (to recover deleted files from the last hour, or longer at wish)

ext4magic /dev/sda3 -m -a $(date -d "-1 hours" +%s) -d /mnt/recover

Be patient as the tool will require some time to finish it's 3 pass scan and you'll be able to find the deleted files in the the sub directory with the users name in '/mnt/recover'.

  • Be aware that you created these files as 'root' so you will have to give the recovered files the right user ownership to access them using the 'chown' command.

There is a caveat for this way and that is: You require enough space in your '/' partition to accommodate those deleted files (and a bit more).

  • If your '/' is low on free space, like < 5Gb: Do the above and save to a mounted USB disk or booting a live-version of Elive (with, in both cases a large enough USB disk)..... and enlarge your '/' partition before it freezes your machine unexpectedly in the near future. :scream_cat:
  • On top, when using a live distro: If you have an encrypted LVM setup like me, you'll be required to 'decrypt' with your password so as to be able to access it in your running live session.

Another thingy that tripped me up in the afore mentioned use case, was that I had to look in the 'Trash' for the removed files there. Those files will reside in the $USER home directory under '~/.local/share/Trash' and not in the directories (like '~/Documents') they originally were in.

1 Like

Nice One. Thanks for sharing!