How to recover data and deleted files from Ext3 partitions

jekil — Sat, 04 Aug 2007 19:51:00 +0000

A lot of times aroud the net i read posts like "help help! my cat walking over my keyboard delete some files and i must recover it" and a lot of times the answars is "you can’t undelete or recover files from ext3 partitions, i am sorry".
This is wrong.

Files from ext3 partitions can be recovered. Found evidence and recover files from file systems is a common task of a forenser.

Example : We see how try to recover data from a partition, like /dev/sda1.
First of all you need a dump, a copy of our partition where we can work:

dd if=/dev/sda1 of=dump.dd

Now install Sleuth Kit, and to view all of the deleted file names in an image use:

fls -rd dump.dd | less

This shows us the full path that the deleted files are located.
The number at the beginning of the line is the inode number.
The ‘*’ shows that it is deleted and the ‘d’ and ‘r’ show the type (directory and file).
The first letter identifies the directory entry type value (which does not exist in all file system types) and the second letter is the type according to the inode.
In most cases these should be the same, but it may not for deleted files if the inode has been reallocated to a file of a different type.
We can examine an inode using istat, here i examine inode number 123:

istat dump.dd 123

To identify the group where the file that we want to recover is in we get the list of file system groups:

fsstat dump.dd

Now we can identify tha inode range, like 45 – 67, that we want. To search
for the deleted file, we extract the unallocated space:

dls dump.dd 45-67 > files.dls

We can analyze files.dls with a data carving software like foremost or the great photorec and we get all recovereble files.

tanasi.it » recover

How to recover data and deleted files from Ext3 partitions