6 May 2004
Some things you can do if you lose data
This has happened once too often. Someone comes to me in total NBD and says he/she has deleted some file and needs it, otherwise it will be the end of the world as we know it. So I am just documenting stuff which should be tried out in such cases.
Disclaimer: What follows are just some things which I know. There may be better ways of doing things. Also, don't trust me. Read the partition table story ;-)
OK, so you did something bad...
This technique (sometimes) works when you have deleted a file which you were editing just before you deleted it. The editor must have maintained a buffer containing the file contents in the memory. This stuff may still be around even after you exited the editor. The thing to do is don't run any other program (Don't start up your browser, for instance. This will almost surely wipe out the memory which we want to remain untouched).
Now, start up some terminal program (eg: xterm) or use one which is already running, and log in as root. Try to remember some unique phrase from the file you have just deleted. It should be pretty obscure so that it won't generally be found elsewhere in the memory. Now run
strings /proc/kcore | grep -A 100 -B 100 "unique phrase" > tmpfile
This will find the "unique phrase" and print lines surrounding it into tmpfile. (Look at man pages of strings and grep to understand more). Check tmpfile to see if you have recovered anything. You may try longer context lengths and different unique phrases to recover different parts of your file.
This method is extremely shaky and it might not work at all for you. Don't be too hopeful.
Unmount the filesystem and use debugfs to examine the deleted files on that partition. If it was an ext2 partition, you may be lucky. But on ext3 partitions, due to their journalling capability, its generally more difficult to get anything back. Search the web for newer releases of debugfs which may be able to do something with ext3 partitions.
Recovering from the filesystem
The general sequence of steps will be something like:
This is just the beginning, you will probably have to read the debugfs manual to get anywhere.
- # init s
- # umount /dev/hdaX
- # debugfs /dev/hdaX
- debugfs> lsdel
You can do the strings | grep funda on /dev/hdaX itself to try and recover your file contents. I have never tried it; Sameer has. He managed to recover his MTP files which he had accidentaly deleted.
Searching the disk itself
Prevention is much better than cure
- Backup often! Backup often!! BACKUP OFTEN!!!
- Alias "rm" to "rm -i"
- Better still, write some script which moves files to a "Recycle Bin" and use "rm" as an alias for that script
- Avoid using terminal programs which have tabbed windows (eg: konsole). You may be working with 3 tabs where you are in different directories and in the heat of the moment, run "rm *" in a tab you definetely did not want to. (I always use xterm or rxvt and keep them placed at different corners of the screen. I also use different foreground colors to differentiate between sessions with different machines.)
Back to personal home