Other Probably not the best forum to ask on - undeleting a file from an ext4 partition

I had a 44GB file that was a disk image for an encrypted bhyve VM. I had misnamed it at some point (actually I know when I misnamed it, March 14th, because that was the last date modified, and when I logged in to it it said last login time was March 14) and was looking at disk usage and deleting cruft and I came across the file and deleted it, then immediately tried to start a virtual machine with my normal script and it complained that it could not find the image file, so I looked in my script and realised I'd just deleted the file I was using currently rather than the month old backup. I haven't done anything really vital with it in the last month so I can probably live with having to lose a month of work/changes (even worse... because the file was misnamed my backup scheme had been repeatedly backing up this file from March 14th instead of the file I was really using day to day, so although my latest backup is dated April 3rd it's still a backup of the image from March 14th).

So, I immediately shut down the computer and made a dd image of the SSD and started looking at undelete options. I tried an ext4 undelete program and it complained that it could not undelete from a filesystem that doesn't use journaling, and ext4 on FreeBSD doesn't use journaling. I'm willing to pay someone to recover the file, just probably not as much as data recovery companies would probably charge.

Anyone got any clues or pointers with this? I have tried the ext4 recovery tool that complained about a lack of journaling, so then I was looking at ext2 recovery tools, except I'm not sure if they "knew what to do" with an ext4 partition that had been mounted on FreeBSD.

Thanks for any tips
 
We didn't need the why, too long. I don't know if it works on encrypted disks; testdisk is the best tool I know. Use testdisk file.img. Select the Intel/PC partition [1], then Analyse [2], and P - List files [3], navigate through the file tree and copy with "C" or "c" [4]. The red files are the deleted ones; check if it has bytes.
I don't know which editor you use for your script; some save backups in .cache or ~/.file.

[1]
1681550991140.png

[2]
1681551228076.png

[3]
1681551068175.png

[4]
1681551169968.png
 

To quote the man page from ext4magic:

"The deletion of files in ext3/4 filesystems can not be easily reversed. Zero out of the
block references in the Inodes makes that impossible. Experience with other programs have
proved, it is often possible, to restore sufficient information for a recover of many data
files, directly from the filesystem Journal. ext4magic can extract the information from
the Journal, and can restore files in entire directory trees, provided that the
information in the Journal are sufficient. This tool can recover the most file types, can
recover large and sparse files, recovered files with original filename, with the original
owner an group, the original file mode bits, and also the old atime/mtime stamp."

So in other words: no journal -> forget it.

Also keep in mind that the ext file systems are only compatible downwards, meaning using ext2 undelete strategies will not work well with ext4, if at all!

And for future usage: when running VMs under FreeBSD, you should use native FreeBSD file systems to store these images.
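
Since journal-based recovery depends on the filesystem having a journal, the dd image can be checked for one before picking a tool. The following is an added example, not part of the original posts and not code from ext4magic or testdisk: it reads the ext superblock fields s_magic, s_feature_compat, s_feature_incompat and s_journal_inum from an image. The function names, the 1 MiB partition offset and the sample image are constructed for illustration.

```python
import io
import struct

SUPERBLOCK_OFFSET = 1024      # superblock starts 1024 bytes into the filesystem
EXT_MAGIC = 0xEF53            # s_magic, little-endian 16-bit at offset 0x38
COMPAT_HAS_JOURNAL = 0x0004   # bit in s_feature_compat (offset 0x5C)
INCOMPAT_EXTENTS = 0x0040     # bit in s_feature_incompat (offset 0x60)


def inspect_superblock(image, fs_offset=0):
    """Return journal-related superblock fields from a binary file object.

    fs_offset is the byte offset of the filesystem inside the image:
    0 for a partition image, start_sector * sector_size for a whole-disk image.
    """
    image.seek(fs_offset + SUPERBLOCK_OFFSET)
    sb = image.read(1024)
    if len(sb) < 1024:
        raise ValueError("image too short to contain a superblock")
    (magic,) = struct.unpack_from("<H", sb, 0x38)
    if magic != EXT_MAGIC:
        raise ValueError(f"no ext2/3/4 superblock at offset {fs_offset}")
    compat, incompat = struct.unpack_from("<II", sb, 0x5C)
    (journal_inum,) = struct.unpack_from("<I", sb, 0xE0)
    return {
        "has_journal": bool(compat & COMPAT_HAS_JOURNAL),
        "journal_inode": journal_inum,
        "uses_extents": bool(incompat & INCOMPAT_EXTENTS),
    }


def build_sample_image(has_journal, fs_offset=1048576):
    """Constructed sample: zero-filled disk image with one superblock (assumed 1 MiB offset)."""
    sb = bytearray(1024)
    struct.pack_into("<H", sb, 0x38, EXT_MAGIC)
    struct.pack_into("<I", sb, 0x5C, COMPAT_HAS_JOURNAL if has_journal else 0)
    struct.pack_into("<I", sb, 0x60, INCOMPAT_EXTENTS)
    struct.pack_into("<I", sb, 0xE0, 8 if has_journal else 0)
    return bytes(fs_offset + SUPERBLOCK_OFFSET) + bytes(sb)


if __name__ == "__main__":
    for flag in (True, False):
        img = io.BytesIO(build_sample_image(flag))
        print(inspect_superblock(img, fs_offset=1048576))
```

On a real image, open the file with open(path, "rb") and pass the partition's byte offset; always work on a copy of the dd image, never the original disk.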
 