The Day I Wanted to Un-Delete a File in Linux

I think Carlo Wood’s introduction to the problem is about as eloquent as I could say it: “It happens to everyone sooner or later: a split second after you hit Enter you realize your mistake, but it’s too late; you just deleted a valuable file or directory for which no backup exists. Or maybe you have a backup, but it’s a month old… and in shock you see the past month flash before your eyes as you realize in pain what you’ll have to do all over again…”


So it happened to me. After ten years of using linux, and not once (that I can recall) accidentally deleting a critical file, it just suddenly happened. One moment I was editing a file, and the next moment I was staring at the screen, not believing I had just deleted that same file. I didn’t lose months of work, but I did lose a few hours of work. Yes, the file was on a disk that gets backed up each night, but I had only been working on this file that day.

I knew that everything I had read up to that moment said that the file was gone. “Long gone, and don’t even try to un-delete it, because it no longer exists in the universe” – that kind of gone. Frankly, I didn’t believe it. I was pretty sure that the file system manager had written some zeroes in the contents of the directory, erasing that entry. It may have also freed up the inode for future use. But it most certainly did not take the time to overwrite the contents of the file I just deleted.

So I googled for “linux file undelete”, “ext3 file rescue” and other such phrases. Eventually, I struck gold: someone who had been through the same situation as me, and who had already gone through a mountain of work. Carlo Wood. He had a lot more at stake than I did – the entire 3 GB contents of his home directory.

In my live gentoo linux system where I had deleted the file, I checked all of the mounted file systems with the “mount” command, and then changed directory over to a different file system, so that the utility I was about to download didn’t get written over top of the file I was trying to recover. I did not unmount the source file system, since it was the root and I didn’t feel like going through massive amounts of headache removing that drive and mounting it read-only in another computer.

I then used wget to pull a copy of his tool from Google Code at http://code.google.com/p/ext3grep/. I extracted the code and ran ./configure. So far so good. However, after trying to run “make”, it came up with an error about my kernal lacking support for the lutimes() function. Darn.

I looked at the source code, and found out that lutimes() was only used to restore the last-accessed date of the file after it is restored to the file system. Since I didn’t care about this date, I edited the source code and removed the four or five lines of code related to lutimes(). I then re-ran the “make” command, and was pleasantly surprised to have no more compilation errors.

I did not want to “install” this newly compiled binary, I just wanted to run it, so I changed directory to the “src” directory and then ran the tool like this from within my bash shell:

./ext3grep /dev/hda3 --restore-file var/www/path/to/file.php

I watched the output for a short while, but it became obvious this was going to take more than a couple of minutes to run through my entire ext3 filesystem, so I grabbed a coffee and went on to other things. When I came back to the terminal window, the command had completed its run. I looked in the RESTORED_FILES directory, and the tool had worked its magic! My file was indeed restored, right up to the very last edit I had made on it.

So there’s my first and hopefully last experience in restoring a file from ext3 on linux.

Thanks Carlo!