grefresh.blogg.se - Restore deleted partition ubuntu

DO NOT ATTEMPT RECOVERY FROM A LIVE FILE SYSTEM.

Recovery may be attempted safely on either the backup, or the raw device, as long as it is not mounted (or it is mounted read-only). In this case, you may attempt recovery using extundelete. Assuming a typical Ubuntu installation, you most likely have a ext3 or ext4 file system. The next steps now depend on the file system type. To play it safe, you might want to make a backup of the file system to perform the actual recovery on: $ dd bs=4M if=/dev/ of=/path/to/backup If the file system is the root file system or cannot be made read-only or unmounted for some other reason, it might be necessary to shutdown the system (if possible) and continue the recovery from a live environment where you can leave the target file system read-only.Īfter writes to the file system have been prevented, there is no immediate hurry to attempt the actual recovery. Ceasing any further writes to the file system is therefore time critical if any recovery is to be possible. The reason for this is that as soon as the file has been unlinked, and there are no remaining hard links to the file in question, the underlying file system may free the blocks previously allocated for the deleted file, at which point the blocks may be allocated to another file and their contents overwritten. Or unmount the file system altogether: $ umount /dev/ If you're not able to find the file with lsof, you should immediately remount the file system which housed the file read-only: $ mount -o remount,ro /dev/ Using this information you can recover the file by issuing the command: $ cp /proc/5383/fd/22 /path/to/restored/file Take note of the PID in the second column, and the file descriptor number in the fourth column.

If the above gives output of the form: progname 5383 user 22r REG 8,1 16791251 265368 /path/to/file To determine if this is the case, you can attempt the following: $ lsof | grep "/path/to/file" If a running program still has the deleted file open, you can recover the file through the open file descriptor in /proc//fd/.