Recovering files with ext3grep

File recovery on a live partition with ext3grep is possible, but the amount of activity on the system has a major impact on the feasibility of such an attempt.

Getting Started

We need a place to work. Create a directory to work from. IMPORTANT: DO NOT WORK ON THE DRIVE YOU WANT TO RECOVER FROM!

Here we are attempting to recover mail from an IMAP account using Maildir on a live system.

# mkdir recovery && cd recovery

If you want to ensure the best possible recovery conditions, unmount the drive to be recovered from (in our example we will be using /dev/mapper/vg-home, which is mounted under /home). Skip this step to do a live recovery.

# umount /home

When the filename is unknown

ext3grep --dump-names /dev/mapper/vg-home > dumped.txt

An excerpt of the blocks returned:

240017 242352 242355 242356 (allocated) 242357
(allocated) 242358 (allocated) 242359 255079 (allocated) 336393 336518 336526 395434 395435
395457 (allocated) 737282 (allocated) 984250 1346129 1868670 (allocated) 1869273 (allocated)
1950436 3915933 3915935 4069411 4087953 4216611 4292193 4292196 4292275 4530219 4538370
4538371 4538372 4538376 4538378 4538382 4538385 4543743 4543750 4543752 4544514 4544517
4544528 4544539 4550683 4550707 4655509 4655533 4670417 4670423 4689385 4689746 4785120
5046823 6525842 (allocated) 7370457 7805912

Remove all (allocated) strings to get the blocks you need to use in the next step.

Getting a list of files

To make things easier, I used the following script to get a listing of the deleted files with their inodes:

#!/bin/sh

blocks="1476132 1486054 1486055 1486056 1575210 1602995 5512071 6938624 10500100 10500101 10504196 10504197 10586245 10586246 10586247 10586316 10586317 10592273 10592275 10592303 10592304 10592305 10594373 10594374 10594381 10594382 10594383 10594384 10594385 10594394 10594395 10594396 10594435 10594436 10594437 10594438 10594439 10599192 10599193 10599194 10599196 10599197 10599202 10599203 10599207 10599208 10599209 10599210 10599211 10599212 10599213 10599214 10599215 10599222 10599223 10599224 10599225 10602518 10602519 10602521 10602525 10602527 10602529 10602530 10602534 10602535 10602536 10602538 10602539 10602541 10602542 10602543 10602544 10602640 10602641 10602642 10602643 10602644 10602661 10602668 10602669 10602670 10602671 10602672 10604552 10604557 10604655 10604656 10604657 10606750 10606751 10606752 10606764 10606765 10606766 10606772 10606773 10606785 10606786 10606787 10606788 10606789 10606807 10606808 10606809 10606810 10606811 10607210 10607211 10607212 10607213 10607214 10607215 10607216 10607217 10607218 10609052 10609053 10610691 10610695 10610698 10610700 10610750 10610751 10610752 10610755 10610759 10610760 10610761 10610762 10610763 10610764 10610766 10610768 10610769 10610770 10610771 10613653 10613654 10613655 10613656 10613659 10613660 10613661 10613662 10613663 10613664 10613668 10613669 10613670 10613671 10613676 10613677 10613678 10613770 10613771 10613772 10613773 10613774 10613779 10613780 10613781 10613782 10613783 10613784 10613785 10614800 14911370 14911411 14911412 14911415 14914156 14914160 14915268 14915898 14915951 14915953 14915955 14915957 14915963 14917615 14917617 14920914 14921805 14922112 14922113 14922124 14922125 14922126 14922127 14922128 14922129 14922130 14922131 14922132 14922133 14922134 14922135 14922136 14922137 14922572 14922575 14922589 14922627 14922629 14923519 14923829 14924948 14924950 14924952 14924961 14926311 14926313 14926346 14926359 14926360 14926361 14926362 14926363 14926364 14926365 14926366 
14926381 14927207 14927449 14929455 14929462 14929490 14929491 14929524 14929526 14929579 14929580 14929581 14929582 14929583 14929585 14931103 14931439 14931440 14931441 14933066 14933091 14933092 14935528 14935998 14936262 14936928 14936930 14936931 14936932 14936933 14936934 14936935 14936936 14936937 14936947 14936949 14936982 14936984 14937404 14937494 14937495 14940540 14940676 14940743 14940744 14940747 14940761 14940763 14940800 14940802 14940803 14940804 14940805 14940826 14940828 14940829 14940830 14940831 14940832 14940833 14940834 14940835 14940836 14940838 14940839 14940840 14940841 14940842 14940843 14940844 14940845 14940847 14940848 14940849 14940850 14940851 14940854 14940856 14941079 14941083 14941084 14941085 14941086 14941087 14941089 14941090 14941091 14941092 14941093 14941094 14941096 14941098 14941099 14941100 14941102 14941104 14941105 14941107 14941108 14941109 14941111 14941113 14941114 23506973 23540561 23540562 23540563 23540564 23540565 23540566 23540567 23540568 23540569 23540570 23540571 23540580 23552968 23552975 23552976 23552977 23552978 23552979 23552980 23552981 23552993 23552994 23552995 23552996 23552997 23552998 23566138 23572497 24531224 24531225 24531228 24531231 24531235 24531237 24531241 26396604 26396608 26396612 26396615 26396616 26396622 26410648 26410654 26410658 26410659 26410665 26410668 26410669 26410670 26410671 26410672 26410673 26410674 26410905 26410906 26412710 26412711 26412891 26412892 26447942 26447943 26447944 26447945 26447946 26447947 26447948 26447949 26447950 26447951 26447952 26447953 26447954 26447955 26447956 26447958 26447959 26450303 26450304 26450305 26450306 26450307 26450308 26450309 26450310 26450311 26450312 26450313 26450315 26450316 26450317 26450318 26450327 26450365 26450366 26450367 26450376 26450377 26450378 26450380 26450383 26450384 26450386 26450387 26450411 26451540 26451550 26451561 26453030 26453052 26453053 26453079 26453149 26453150 26453167 26453170 26453173 26453178 26453416 
26453423 26453428 26453433 26453434 26453435 26453436 26453437 26453438 26453439 26453440 26453441 26453442 26453443 26453444 26453445 26453446 26453447 26453448 26453449 26453450 26453455 26453456 26453458 26453459 26453460 26453462 26453463 26453469 26453470 26453471 26453472 26454546 26454688 26454816 26454917 26455331 26457829 26464864 26468267 26468268 26468269 26468270 26468273 26468274 26468275 26468276 26468277 26468278 26468279 26468280 26468281 26468282 26468283 26468296 26468297 26468298 26468299 26468300 26468301 26468302 26468303 26468304 26468305 26468306 26468307 26468308 26468309 26468310 26468311 26468312 26468313 26468314 26468315 26468316 26468317 26468318 26468319 26468320 26468321 26468322 26468323 26468324 26468325 26468326 26468327 26468328 26468329 26468330 26468331 26468332 26468333 26468334 26468335 26468336 26468337 26468338 26468339 26468340 26468341 26468342 26468343 26468344 26468345 26468346 26468347 26468348 26468349 26468350 26468351 26468352 26468353 26468354 26468355 26468356 26468357 26468358 26468359 26468360 26468361 26468362 26468363 26468364 26468365 26468366 26468367 26468368 26468369 26468370 26468371 26468372 26468373 26468374 26468375 26468376 26468377 26468378 26468379 26468380 26468381 26468382 26468383 26468384 26468385 26468386 26468387 26468388 26468389 26468390 26468391 26468392 26468393 26468394 26468395 26468396 26468397 26468398 26468399 26468400 26468401 26468402 26468403 26468404 26468405 26468406 26468407 26468408 26468409 26468410 26468411"

for block in $blocks; do
	ext3grep /dev/mapper/vg-home --ls --block $block | tee --append recovery.txt
done

An excerpt from recovery.txt:

   0  end r 2646027                                         rrw-------  1294237031.H574515P26455.lucia.p4.net:2,ST
   2    5 r 2629917  D 1294231598 Wed Jan  5 13:46:38 2011  rrw-------  1279883505.H601918P27881.etch.p4.net:2,ST
   3    4 r 2629972  D 1294231598 Wed Jan  5 13:46:38 2011  rrw-------  1279783748.H505789P3481.etch.p4.net:2,S
   5    6 r 2646192  D 1294231599 Wed Jan  5 13:46:39 2011  rrw-------  1294226928.H111190P24242.lucia.p4.net:2,ST
   6  end r 2646201  D 1294231599 Wed Jan  5 13:46:39 2011  rrw-------  1294229845.H919394P24918.lucia.p4.net:2,ST
   8    9 r 2646246  D 1294231598 Wed Jan  5 13:46:38 2011  rrw-------  1291045615.H703915P25788.lucia.p4.net:2,ST
   9   15 r 2646275  D 1294231599 Wed Jan  5 13:46:39 2011  rrw-------  1293567331.H556578P21435.lucia.p4.net:2,ST
  10   11 r 2646228  D 1294231599 Wed Jan  5 13:46:39 2011  rrw-------  1291750879.H791731P27478.lucia.p4.net:2,ST
  11   12 r 2646294  D 1294231599 Wed Jan  5 13:46:39 2011  rrw-------  1291812109.H426682P26701.lucia.p4.net:2,ST
  12   13 r 2646326  D 1294231599 Wed Jan  5 13:46:39 2011  rrw-------  1291822515.H596462P29087.lucia.p4.net:2,ST
  13   14 r 2646108  D 1294231599 Wed Jan  5 13:46:39 2011  rrw-------  1292450449.H511955P4277.lucia.p4.net:2,ST
  15  end r 2646077  D 1294231599 Wed Jan  5 13:46:39 2011  rrw-------  1294044967.H835932P27530.lucia.p4.net:2,ST
  16   32 r 2646230  D 1294231598 Wed Jan  5 13:46:38 2011  rrw-------  1291040235.H62697P24816.lucia.p4.net:2,S
  17   18 r 2646388  D 1294080726 Mon Jan  3 19:52:06 2011  rrw-------  1294055396.H390821P6138.lucia.p4.net:2,ST
  18   20 r 2646389  D 1294080726 Mon Jan  3 19:52:06 2011  rrw-------  1294055576.H927143P6173.lucia.p4.net:2,ST
  19   20 r 2646604  D 1293063682 Thu Dec 23 01:21:22 2010  rrw-------  1293062200.H11623P8012.lucia.p4.net:2,ST
  20   25 r 2629934  D 1294231598 Wed Jan  5 13:46:38 2011  rrw-------  1280714058.H801916P9702.etch.p4.net:2,S
  21   22 r 2646391  D 1294080726 Mon Jan  3 19:52:06 2011  rrw-------  1294056969.H380151P6864.lucia.p4.net:2,ST
  22   25 r 2646443  D 1294080726 Mon Jan  3 19:52:06 2011  rrw-------  1294066011.H957457P8830.lucia.p4.net:2,ST
  24   25 r 2646078  D 1294231599 Wed Jan  5 13:46:39 2011  rrw-------  1293017063.H102133P9963.lucia.p4.net:2,ST
  26   27 r 2646797  D 1293063682 Thu Dec 23 01:21:22 2010  rrw-------  1293062214.H622095P9112.lucia.p4.net:2,ST
  27   29 r 2646880  D 1293063682 Thu Dec 23 01:21:22 2010  rrw-------  1293062221.H372536P9582.lucia.p4.net:2,ST
  28   29 r 2646384  D 1294231599 Wed Jan  5 13:46:39 2011  rrw-------  1293062185.H998926P7386.lucia.p4.net:2,
  29   32 r 2647037  D 1293063682 Thu Dec 23 01:21:22 2010  rrw-------  1293062232.H876806P10272.lucia.p4.net:2,ST
  30   31 r 2646620  D 1293063682 Thu Dec 23 01:21:22 2010  rrw-------  1293062202.H37938P8142.lucia.p4.net:2,ST
  31   32 r 2646994  D 1293063682 Thu Dec 23 01:21:22 2010  rrw-------  1293062229.H948916P10052.lucia.p4.net:2,ST
  32  end r 2646243  D 1294231599 Wed Jan  5 13:46:39 2011  rrw-------  1291635973.H499898P22679.lucia.p4.net:2,S
  33  end r 2646861  D 1293063682 Thu Dec 23 01:21:22 2010  rrw-------  1293062220.H94670P9506.lucia.p4.net:2,ST
  34  end r 2646404  D 1294080726 Mon Jan  3 19:52:06 2011  rrw-------  1293062187.H815204P7498.lucia.p4.net:2,ST
   5    6 r 5894606  D 1293573206 Tue Dec 28 22:53:26 2010  rrw-r--r--  1291830773.H585041P31338.lucia.p4.net:2,ST
   6    7 r 5894622  D 1293532457 Tue Dec 28 11:34:17 2010  rrw-r--r--  1291869756.H835352P5412.lucia.p4.net:2,ST
  12   13 r 5894991  D 1291896650 Thu Dec  9 13:10:50 2010  rrw-------  1290681338.H834738P21905.lucia.p4.net:2,ST
  13   15 r 5894619  D 1293547374 Tue Dec 28 15:42:54 2010  rrw-r--r--  1290881412.H894054P26369.lucia.p4.net:2,ST
  14   15 r 5894670  D 1293320016 Sun Dec 26 00:33:36 2010  rrw-r--r--  1290749533.H411730P21060.lucia.p4.net:2,ST
  15  end r 5894624  D 1293547374 Tue Dec 28 15:42:54 2010  rrw-r--r--  1291886061.H66667P26653.lucia.p4.net:2,
  19   20 r 5894618  D 1293573206 Tue Dec 28 22:53:26 2010  rrw-r--r--  1290884983.H948882P26799.lucia.p4.net:2,ST
  21   22 r 5894962  D 1291896650 Thu Dec  9 13:10:50 2010  rrw-------  1291279983.H495841P22202.lucia.p4.net:2,ST
  25   27 r 5894606  D 1293573206 Tue Dec 28 22:53:26 2010  rrw-r--r--  1291830773.H585041P31338.lucia.p4.net:2,
  27   28 r 5894620  D 1293547374 Tue Dec 28 15:42:54 2010  rrw-r--r--  1291867468.H997752P5080.lucia.p4.net:2,
  28  end r 5894622  D 1293532457 Tue Dec 28 11:34:17 2010  rrw-r--r--  1291869756.H835352P5412.lucia.p4.net:2,

The 4th field is the inode where the file is located and the last field is, of course, the filename.

Recover the files

Let's get a list of inodes for all mail that was deleted and then attempt to recover it:

grep p4.net: recovery.txt | awk '{print $4}' | sort -u | xargs -I{} ext3grep /dev/mapper/vg-home --restore-inode {}

Renaming the recovered files

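When you are done you will have a directory named RESTORED_FILES. There you will find the files you recovered. The problem is that they are named inode.#######, which is not exactly what we want, so we need to rename them to the correct filenames. I used the recovery.txt file and the following script to do just that.

#!/bin/bash

cd RESTORED_FILES || exit 1

for file in inode.*; do
	# strip the "inode." prefix to get the inode number
	node=${file#i*.}
	# the filename starts at column 73 of the matching recovery.txt line
	filename=`grep -w "$node" ../recovery.txt | grep p4.net | tail -1 | awk '{print substr($0, 73)}'`
	# drop the Maildir flags from the last "S" on (S = seen, T = trashed)
	filename=${filename%S*}

	# skip restored files that have no matching entry in recovery.txt
	[ -n "$filename" ] && cp "$file" "$filename"
done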
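The lookup can also be done by field rather than by column, using the 4th field (inode) and the last field (filename) described above. The following is an added example, not part of the original page: it builds an inode-to-filename map from recovery.txt, keeps the most recently deleted entry when an inode is listed more than once, and copies the restored files under their names into a separate directory. The file name map.tsv and the directory name renamed are assumptions.

```sh
#!/bin/sh
# Added example: map inodes to Maildir filenames from ext3grep --ls output.

# Sample input: four lines taken from the recovery.txt excerpt on this page.
sample_ls() {
cat <<'EOF'
   0  end r 2646027                                         rrw-------  1294237031.H574515P26455.lucia.p4.net:2,ST
   2    5 r 2629917  D 1294231598 Wed Jan  5 13:46:38 2011  rrw-------  1279883505.H601918P27881.etch.p4.net:2,ST
   5    6 r 5894606  D 1293573206 Tue Dec 28 22:53:26 2010  rrw-r--r--  1291830773.H585041P31338.lucia.p4.net:2,ST
  25   27 r 5894606  D 1293573206 Tue Dec 28 22:53:26 2010  rrw-r--r--  1291830773.H585041P31338.lucia.p4.net:2,
EOF
}

inode_map() {
	# $1: file with ext3grep --ls output, $2: literal string the filename must contain
	awk -v pat="$2" '
	index($NF, pat) && $4 ~ /^[0-9]+$/ {
		# deleted entries carry D <epoch> in fields 5-6; others count as 0
		dtime = ($5 == "D") ? $6 + 0 : 0
		if (!($4 in best) || dtime >= best[$4]) {
			best[$4] = dtime
			name[$4] = $NF
		}
	}
	END { for (i in name) printf "%s\t%s\n", i, name[i] }
	' "$1" | sort -n
}

rename_restored() {
	# $1: map file, $2: directory holding inode.N files, $3: destination directory
	tab=$(printf '\t')
	while IFS="$tab" read -r inode name; do
		[ -f "$2/inode.$inode" ] || continue
		base=${name%%:2,*}        # part before the Maildir flags
		flags=${name#"$base"}     # ":2," plus the flags
		cp "$2/inode.$inode" "$3/$base${flags%S*}"   # same flag stripping as the page
	done < "$1"
}

# Usage on the real data, run from the recovery directory:
#   inode_map recovery.txt p4.net: > map.tsv
#   cut -f1 map.tsv | xargs -I{} ext3grep /dev/mapper/vg-home --restore-inode {}
#   mkdir renamed && rename_restored map.tsv RESTORED_FILES renamed
if [ "$#" -eq 2 ]; then inode_map "$1" "$2"; fi
```

Copying into a separate directory leaves the inode.N originals untouched, so the rename can be repeated if the map turns out to be wrong.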
filesystems/ext3grep.txt · Last modified: 2020/02/24 11:16 (external edit)