Sunday, 27 May 2012

Linux: Recover a deleted file by its 'inode'

What are inodes?

'i'-node:
An inode stores information about a file or directory (folder), such as file ownership, access mode (read, write, execute permissions), and file type.

[root@server ~]# stat file_delete_recover
  File: `file_delete_recover'
  Size: 272             Blocks: 8          IO Block: 4096   regular file
Device: 801h/2049d      Inode: 1431938     Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2012-05-27 11:16:09.000000000 +0530
Modify: 2012-05-27 11:16:07.000000000 +0530
Change: 2012-05-27 11:16:07.000000000 +0530

A test file was created and its inode number looked up with stat, as shown above. The contents of the file:

[root@server ~]# cat file_delete_recover

Only system administrators and root user can view and recover the deleted files using debugfs command.

In this case study, we are recovering the files through the inode numbers. Hence it is mandatory that we should know the inodes of the files using the command `ls -li`.

1. Note down the 'inode' number of the file.

[root@server ~]# ls -li file_delete_recover
1431938 -rw-r--r-- 1 root root 272 May 27 11:16 file_delete_recover
[root@server ~]#

2. Find the device that holds your file system.

[root@server ~]# fdisk -l

Disk /dev/sda: 43.1 GB, 43199234048 bytes
255 heads, 63 sectors/track, 5252 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1        1912    15358108+  83  Linux
/dev/sda2            1913        2173     2096482+  83  Linux
/dev/sda3            2174        2304     1052257+  82  Linux swap / Solaris
/dev/sda4            2305        5252    23679810    5  Extended
[root@server ~]#

3. Open the file system debugger (debugfs) in read-write mode and dump the journal entries for the inode.

[root@server ~]# debugfs -w /dev/sda1
debugfs 1.39 (29-May-2006)
debugfs:  logdump -i <1431938>
Inode 1431938 is at group 44, block 1441794, offset 128
Journal starts at block 1, transaction 46430
  FS block 1441794 logged at sequence 47033, journal block 4866
    (inode block for inode 1431938):
    Inode: 1431938   Type: regular        Mode:  0600   Flags: 0x0   Generation: 3837206388
    User:     0   Group:     0   Size: 5711
    File ACL: 0    Directory ACL: 0
    Links: 1   Blockcount: 16
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x4fbdbcae -- Thu May 24 10:14:30 2012
    atime: 0x4fc1afa7 -- Sun May 27 10:07:59 2012
    mtime: 0x4fbdbcae -- Thu May 24 10:14:30 2012
    Blocks:  (0+2): 1466368
  FS block 1441794 logged at sequence 47034, journal block 4883
    (inode block for inode 1431938):
    Inode: 1431938   Type: regular        Mode:  0600   Flags: 0x0   Generation: 3837206388
    User:     0   Group:     0   Size: 5711
    File ACL: 0    Directory ACL: 0
    Links: 1   Blockcount: 16
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x4fbdbcae -- Thu May 24 10:14:30 2012
    atime: 0x4fc1afa7 -- Sun May 27 10:07:59 2012
    mtime: 0x4fbdbcae -- Thu May 24 10:14:30 2012
    Blocks:  (0+2): 1466368
  FS block 1441794 logged at sequence 47035, journal block 4892
    (inode block for inode 1431938):
    Inode: 1431938   Type: regular        Mode:  0600   Flags: 0x0   Generation: 3837206388
    User:     0   Group:     0   Size: 0
    File ACL: 0    Directory ACL: 0
    Links: 0   Blockcount: 0
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x4fc1afaf -- Sun May 27 10:08:07 2012
    atime: 0x4fc1afaf -- Sun May 27 10:08:07 2012
    mtime: 0x4fc1afaf -- Sun May 27 10:08:07 2012
    dtime: 0x4fc1afaf -- Sun May 27 10:08:07 2012
    Blocks:
  FS block 1441794 logged at sequence 47039, journal block 4961
    (inode block for inode 1431938):
    Inode: 1431938   Type: regular        Mode:  0600   Flags: 0x0   Generation: 3837206388
    User:     0   Group:     0   Size: 0
    File ACL: 0    Directory ACL: 0
    Links: 0   Blockcount: 0
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x4fc1afaf -- Sun May 27 10:08:07 2012
    atime: 0x4fc1afaf -- Sun May 27 10:08:07 2012
    mtime: 0x4fc1afaf -- Sun May 27 10:08:07 2012
    dtime: 0x4fc1afaf -- Sun May 27 10:08:07 2012
    Blocks:
  FS block 1441794 logged at sequence 47137, journal block 5597
    (inode block for inode 1431938):
    Inode: 1431938   Type: regular        Mode:  0600   Flags: 0x0   Generation: 3837206388
    User:     0   Group:     0   Size: 0
    File ACL: 0    Directory ACL: 0
    Links: 0   Blockcount: 0
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x4fc1afaf -- Sun May 27 10:08:07 2012
    atime: 0x4fc1afaf -- Sun May 27 10:08:07 2012
    mtime: 0x4fc1afaf -- Sun May 27 10:08:07 2012
    dtime: 0x4fc1afaf -- Sun May 27 10:08:07 2012
    Blocks:
  FS block 1441794 logged at sequence 47147, journal block 5642
    (inode block for inode 1431938):
    Inode: 1431938   Type: regular        Mode:  0644   Flags: 0x0   Generation: 238435995
    User:     0   Group:     0   Size: 272
    File ACL: 0    Directory ACL: 0
    Links: 1   Blockcount: 8
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x4fc1bf9f -- Sun May 27 11:16:07 2012
    atime: 0x4fc1bf9f -- Sun May 27 11:16:07 2012
    mtime: 0x4fc1bf9f -- Sun May 27 11:16:07 2012
    Blocks:  (0+1): 1454080
  FS block 1441794 logged at sequence 47148, journal block 5650
    (inode block for inode 1431938):
    Inode: 1431938   Type: regular        Mode:  0644   Flags: 0x0   Generation: 238435995
    User:     0   Group:     0   Size: 272
    File ACL: 0    Directory ACL: 0
    Links: 1   Blockcount: 8
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x4fc1bf9f -- Sun May 27 11:16:07 2012
    atime: 0x4fc1bfa1 -- Sun May 27 11:16:09 2012
    mtime: 0x4fc1bf9f -- Sun May 27 11:16:07 2012
    Blocks:  (0+1): 1454080
  FS block 1441794 logged at sequence 47150, journal block 5696
    (inode block for inode 1431938):
    Inode: 1431938   Type: regular        Mode:  0644   Flags: 0x0   Generation: 238435995
    User:     0   Group:     0   Size: 272
    File ACL: 0    Directory ACL: 0
    Links: 1   Blockcount: 8
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x4fc1bf9f -- Sun May 27 11:16:07 2012
    atime: 0x4fc1bfc2 -- Sun May 27 11:16:42 2012
    mtime: 0x4fc1bf9f -- Sun May 27 11:16:07 2012
    Blocks:  (0+1): 1454080
No magic number at block 5756: end of journal.
debugfs:

4. Note down the block number from the last "Blocks:" line: (0+1): 1454080.

5. Delete the file.

[root@server ~]# rm file_delete_recover
rm: remove regular file `file_delete_recover'? y

[root@server ~]# ls file_delete_recover
ls: file_delete_recover: No such file or directory

6. Recover the file.

[root@server ~]# dd if=/dev/sda1 of=file_delete_recover bs=4096 count=1 skip=1454080
1+0 records in
1+0 records out
4096 bytes (4.1 kB) copied, 0.000333325 seconds, 12.3 MB/s

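7. The deleted file has been recovered. It has a new inode number and is 4096 bytes long instead of the original 272, because dd copied one whole 4096-byte block.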

[root@server ~]# ls -li file_delete_recover
2798859 -rw-r--r-- 1 root root 4096 May 27 11:22 file_delete_recover

[root@server ~]# cat file_delete_recover

Only sys administrators and root user can view and recover the deleted files using debugfs command.

In this case study, we are recovering the files through the inode numbers. Hence it is mandatory that we should know the inodes of the files using the command `ls -li`.
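
Steps 3 to 6 scripted, as an added example that is not part of the original post: it reads saved `debugfs logdump -i <inode>` output, picks the newest journal copy of the inode that still lists data blocks, and prints a dd pipeline trimmed to the journaled file size. Assumptions: a single extent written as "(0+N): START" as in the output above, the 4096-byte block size used in step 6, and a hypothetical output path /mnt/other on a different file system.

```shell
# Added example; parses text in the logdump format shown on this page.

# last_extent FILE -> "sequence start_block block_count size_bytes" of the newest
# journal copy of the inode that still maps data; copies logged after the
# delete have an empty "Blocks:" line and are skipped.
last_extent() {
    awk '
        /logged at sequence/ { seq = $7; sub(/,/, "", seq) }
        $1 == "User:"        { size = $NF }
        $1 == "Blocks:" && NF > 1 {
            # Only one extent from logical block 0 is handled: "(0+N): START"
            if (NF != 3 || $2 !~ /^\(0\+[0-9]+\):$/) { best = ""; next }
            n = $2; sub(/^\(0\+/, "", n); sub(/\):$/, "", n)
            best = seq " " $3 " " n " " size
        }
        END { if (best == "") exit 1; print best }
    ' "$1"
}

# recover_cmd DEVICE LOGFILE OUTFILE -> prints the pipeline, does not run it.
# head -c trims the block-sized copy back to the journaled file size. OUTFILE
# should sit on a different file system so freed blocks are not overwritten.
recover_cmd() {
    ext=$(last_extent "$2") || return 1
    set -- "$1" "$3" $ext          # now: device outfile seq start count size
    printf 'dd if=%s bs=4096 skip=%s count=%s | head -c %s > %s\n' \
        "$1" "$4" "$5" "$6" "$2"
}

# Constructed sample: records 47034 and 47150 abridged from the page's output,
# 47160 invented to stand for the copy journaled after the rm in step 5.
sample_logdump() {
    cat <<'EOF'
  FS block 1441794 logged at sequence 47034, journal block 4883
    User:     0   Group:     0   Size: 5711
    Blocks:  (0+2): 1466368
  FS block 1441794 logged at sequence 47150, journal block 5696
    User:     0   Group:     0   Size: 272
    Blocks:  (0+1): 1454080
  FS block 1441794 logged at sequence 47160, journal block 5700
    User:     0   Group:     0   Size: 0
    Blocks:
EOF
}

log=$(mktemp); sample_logdump > "$log"
recover_cmd /dev/sda1 "$log" /mnt/other/file_delete_recover; rm -f "$log"
```

Any "Blocks:" line in another layout is rejected rather than guessed, so a fragmented file makes last_extent fail instead of printing a partial range.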