Restoring files with debugfs


A brief introduction

Under the Linux filesystem, files are associated with inodes. By attempting to restore these inodes we can subsequently restore the associated files. This howto is not a complete technical reference, but merely a non-technical description of a scenario and the restoration process. You should, however, be able to restore just about any deleted file(s) using the examples below. In this howto I will be using debugfs, which should be included in most distributions as part of the e2fsprogs package.

A Scenario

Upon browsing part of my Deftones MP3 collection, I deleted one (Note to the RIAA - Recording Industry Association of America: I do own the CDs!). Lucky for me, I did an ls -lh "09 - Headup.mp3" right before the deletion, which gave me some information which will come in handy later on! (see image #1) Note, the more information you have on the files you want to restore, the easier the process.
Here's what I know about my hardware:

The MP3s are stored on an external SCSI drive (/dev/sda1):

/dev/sda1 34G 6.8G  25G 21% /mp3 

The first thing to do is to unmount the drive so no more data can be written to that drive. The more data that gets written to that drive, the harder it becomes to restore the files completely, if at all. You might want to su to root also. Now that the drive is unmounted, let's take a look at the process of restoring my favorite MP3 using debugfs.

Restoring with debugfs

From the second image you can see where I started debugfs. Once at the prompt, I'll type lsdel, which gives me a very long listing of files I have deleted over the past couple of months, by inode, userID, size and date. Since I know when I deleted this file and also the size, it's pretty easy to spot the file I want to restore, which appears to be the very last entry (see image 4):

3031096 500 100644 5011876 1227/1227 Wed Aug 22 22:23:17 2001 

Again, the first column is the inode, the second is my userid. The fourth column is the size in bytes, which matches the original file size.
Now at the prompt again, I ran the following command to restore my favorite MP3:

debugfs:  dump <3031096> /home/wlad/head.mp3 

The syntax used here is: dump <inode> /path/to/restore/file/to/filename. All that's left to do now is to exit by using quit at the prompt and test my restored MP3.
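
As an added example (not part of the original howto), the lsdel matching step can be scripted: the function below filters lsdel output by owner and size and flags rows whose blocks were partly reused. The sample listing is constructed apart from the one row shown above, the function names are hypothetical, and reading the Blocks column as free/total is an assumption.

```shell
#!/bin/sh
# Added example (not from the howto): shortlist deleted inodes from lsdel output.

# Constructed sample of lsdel output. Only the last data row is the one shown
# in the howto; the header, the other rows and the summary line are made up.
sample_lsdel() {
cat <<'EOF'
 Inode  Owner  Mode    Size      Blocks   Time deleted
2015533      0 100644    4096      1/   1 Mon Jul  2 09:14:51 2001
3031090    500 100644 5011876  900/1227 Tue Aug 14 18:02:09 2001
3031096    500 100644 5011876 1227/1227 Wed Aug 22 22:23:17 2001
3 deleted inodes found.
EOF
}

# find_candidates UID SIZE  (lsdel output on stdin)
# Prints "inode status blocks" for each row owned by UID with exactly SIZE bytes.
# Assumption: the Blocks column is free/total, so free < total means some of the
# file blocks were already reused and a dump would be incomplete.
find_candidates() {
    awk -v uid="$1" -v size="$2" '
        # Padding can leave spaces after the slash; join them into one field.
        { gsub(/\/ +/, "/") }
        # Data rows have 10 fields and a numeric inode; header and summary do not.
        NF == 10 && $1 ~ /^[0-9]+$/ && $2 == uid && $4 == size {
            split($5, b, "/")
            status = (b[1] + 0 == b[2] + 0) ? "complete" : "partial"
            print $1, status, $5
        }'
}

# dump_command DEVICE INODE OUTFILE
# Prints (does not run) the one-shot form of the dump step. debugfs opens the
# device read-only unless -w is given. OUTFILE must be on another filesystem.
dump_command() {
    printf 'debugfs -R "dump <%s> %s" %s\n' "$2" "$3" "$1"
}

# Demo with the values from the howto: uid 500, 5011876 bytes.
sample_lsdel | find_candidates 500 5011876
dump_command /dev/sda1 3031096 /home/wlad/head.mp3
```

Against a real, unmounted drive the listing would come from debugfs -R lsdel /dev/sda1 piped into find_candidates instead of the sample.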

Conclusion

Restoring files can be a pretty straightforward process as long as you take the necessary precautions. Always unmount the drive the file was on, or shut your computer down if it was a file on the root file system. Files that have been intentionally "shredded" or encrypted are harder to restore and require different tools and a lot of time and patience! Even though I used debugfs in this howto due to its availability, there are other programs and methods that make life a little easier. I have found that the best way to restore lost files is by having a reliable and current back-up system. If you don't have the resources to implement one, take a look at the large selection of backup/restore programs listed on IceWalkers.com!

That's it! Now my MP3 is restored and I can('t) hear my neighbours scream with joy!