Aug 152008
 

Last week I learnt a very important lesson: a “backup” is not actually a backup if it is the only copy you have, it is at most an archive. In the process of tidying up the files on my external “backup” hard disk I deleted a few directories of photos from the beginning of this year. As I pressed the Enter key I was sure that I had a copy of those photos still on my laptop; but fractions of a second later I experienced a piercing wave of doubt. It was already too late.

After checking my laptop and finding that the doubt was justified, I remembered with relief that before heading over to Europe I had copied all my photos onto DVDs and left them in my office at uni (just in case something our house burnt down or something). I went to sleep mostly certain that I my accidentally deleted files were safe on discs at uni.

As you probably suspect, I did not have a copy of the photos on DVD. My DVD backups only went to the end of 2007, and I had deleted files from the first 2 months of 2008.

It is not a tragedy, as the main photos of consequence were from ASA Convention and I do have the best of my photos on the official DVD. However, it provided me with significant incentive to learn about data recovery on ext3 formatted partitions. I’ve included some of my discoveries below.

The first thing that I came across was not encouraging; the official ext3 FAQ says that it is impossible to un-delete files. However, a number of people have defied this statement and I quickly found a tool called ext3grep.

I have my external hard disk divided into 2 partitions and so I was able to use the empty half as a playground to store any recovered files. This turned out to be very useful, because running the command ext3grep /dev/sdb1 --restore-all --after=1218027000 did not “only process entries deleted on or after” Wed Aug 6 22:50:00 EST 2008, but seemed to “recover” every file on the partition. It took all night.

Happily, the full directory structure of my deleted “2008” folder was recovered. Unfortunately, not all of the jpeg files were found, but it was nice to have some of them back again.

Looking a little bit further I found an article on Linux.com about a tool called ext3undel, which apparently uses Foremost and PhotoRec to do the work.  This article also explained fairly clearly why data recovery on ext3 partitions is difficult. I also stumbled across a guide to using foremost, and so decided to skip straight to this command-line utility.

I installed Foremost and gave it a try, and the results seemed impressive.

52661: 388052408.jpg 1 MB 198682832896
Foremost version 1.5.3 by Jesse Kornblum, Kris Kendall, and Nick Mikus
Audit File

Foremost started at Fri Aug 8 18:23:52 2008
Invocation: foremost -t jpeg -i /dev/sdb1
Output directory: /mnt/tmp/output
Configuration file: /etc/foremost.conf
------------------------------------------------------------------
File: /dev/sdb1
Start: Fri Aug 8 18:23:52 2008
Length: 186 GB (200005876224 bytes)

Num Name (bs=512) Size File Offset Comment

0: 00690176.jpg 1 MB 353370112
1: 00692792.jpg 1 MB 354709504
2: 00695328.jpg 1 MB 356007936
.
.
.
52662: 388055280.jpg 1 MB 198684303360
52663: 388058248.jpg 1 MB 198685822976
52664: 388061320.jpg 536 KB 198687395840
Finish: Fri Aug 8 20:36:15 2008

52665 FILES EXTRACTED

jpg:= 52665
------------------------------------------------------------------

Foremost finished at Fri Aug 8 20:36:16 2008

I’ve left out a lot of lines in the middle, but you can see the important details: about 2 and a quarter hours with a total of 52665 jpg files extracted (a total of 23 GB)!  Sadly, almost all of these files were not complete recoveries of the images.  The data corruption and partial recovery, however, did give rise to some very intriguing artistic effects, and I’ve included some samples here.  I couldn’t help thinking it was rather analogous to accidental light-damage back in the film era of photography.

I also gave PhotoRec a go, and it can also be told to only look for jpg files. It found a lot of images, but most of them were merely thumbnails from what appeared to be web-caches hidden in my backed up directories.

So of the three I found ext3grep to give me the best results as far as un-deleting my jpg files, however it also took the longest and produced the most storage-consuming recovery output. Its a bit disappointing that I have not yet been able to recover all the images I foolishly deleted, but I’ve certainly learnt about the value of true backups – storing files in at least 2 different places.

  One Response to “Un-deleting files on my ext3 “backup” partition”

  1. […] gparted saved by MovieMan20112009-03-19 – Securing /tmp /var/tmp /dev/shm saved by kida2009-03-17 – Un-deleting files on my ext3 “backup” partition saved by EugeniaT2009-02-24 – ReiserFS vs. ext3 saved by mwhres2009-02-23 – How to Mount mount […]

 Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

(required)

(required)