did you ever delete a file on ext3 and cried at the moon?

Don’t cry,
There’s a solution for this!
I accidentally deleted a very important file this morning, I lost one day of work on that script, I could not accept this loss.
So here how I recovered the file, hoping it will be useful also for you:

– first thing to do is to avoid any other process to claim the inodes you want to preserve since they have still your removed data

Mount -o remount,ro /partition-where-the-file-was (e.g. home)

Then once we are sure nobody will try to write on our deleted file we can run ext3grep

./ext3grep /dev/sdXY –search mydeletedfilename

We’ll get back a list of inodes that might be of interest for our recover action, so we check them all in one run to have a detailed report on each of them:

for block in 165022 (and many other blocks) ; do
./ext3grep /dev/sdXY –ls –block $block | tee -a output.txt Done

Now we got an output that can point us to the proper inode to be recovered:

A sample output of this output.txt

Number of groups: 16
Minimum / maximum journal block: 262658 / 279059 Loading journal descriptors… sorting… done The oldest inode block that is still in the journal, appears to be from 1347980126 = Tue Sep 18 15:55:26 2012 Journal transaction 436815 wraps around, some data blocks might have been lost of this transaction.
Number of descriptors in journal: 15386; min / max sequence numbers: 436198 / 436922
Group: 8

Block 263091 is a directory. The block is a Journal block

.– File type in dir_entry (r=regular file, d=directory, l=symlink)
| .– D: Deleted ; R: Reallocated
Indx Next | Inode | Deletion time Mode File name
1 2 d 122984 drwxr-xr-x ..
3 4 d 123156 D 1348049081 Wed Sep 19 11:04:41 2012 drwxr-xr-x office
4 5 d 123812 D 1348049106 Wed Sep 19 11:05:06 2012 drwxr-xr-x perform_archive

So we look for our filename and the latest date we can find in output.txt

To try and recover an inode we run this:
./ext3grep /dev/sda3 –restore-inode 123002

This way we get a file containing the contents of the inode that might be our original lost file.
And I found it after some tries.
Happy hacking!

the old unix way used to be
grep -i -a -B10 -A100 ‘myfilename’ /dev/sdXY > /var/tmp/recover.txt

but it might not work on a ext3 FS nowdays, I gave it a try and with some effords I think I could recover the file also this way, but ext3grep gave me the full file with no much pain, so I think it should be the preferred way.