How to Use the Command 'extundelete' (with examples)

How to Use the Command 'extundelete' (with examples)

The extundelete command is a powerful utility designed to recover files that have been mistakenly deleted from ext3 or ext4 file systems. Particularly beneficial for those using Linux systems, this command leverages the file system’s journal to restore data. The tool can be indispensable when accidental deletions occur, providing options to restore individual files, entire directories, or even all files within a specific time frame.

Use case 1: Restore all deleted files inside partition N on device X

Code:

sudo extundelete /dev/sdXN --restore-all

Motivation: This command is ideal if you need to recover all files that were deleted from a specific partition. This scenario commonly arises after an accidental mass deletion or a system crash that led to undesired file removal. This utility provides a bulk recovery option, saving time and minimizing the risk of missing important files.

Explanation:

  • sudo elevates the command to superuser privileges, which is necessary because accessing disk partitions directly requires administrative rights.
  • extundelete is the command executable used to initiate the file recovery process.
  • /dev/sdXN specifies the partition from which deleted files are to be recovered. The X represents the letter assigned to the device (e.g., ‘a’ for the first hard drive), and N denotes the partition number.
  • --restore-all is an option that instructs extundelete to search for and attempt to restore every deleted file it finds within the specified partition.

Example Output:

Loading filesystem...
Loading journal descriptors...
Deleted inode 2 will be recovered, it was found in file system.
Loading additional information...
Restoring files...
Restored: inode 2, dirname: /RECOVERED_FILES/...

Use case 2: Restore a file from a path relative to root

Code:

extundelete /dev/sdXN --restore-file path/to/file

Motivation: This use case is pertinent if you only need to recover a specific file rather than all deleted files. It is efficient when you know exactly which file is crucial—a scenario typical after realizing an important document or media file has been accidentally deleted.

Explanation:

  • extundelete is executed without sudo assuming superuser privileges are already active or not needed for file access.
  • /dev/sdXN indicates the specific partition where the deleted file resided.
  • --restore-file enables targeting of a specific file path.
  • path/to/file is a relative path from the root (do not begin with a ‘/’) pinpointing the location of the file to restore.

Example Output:

Loading filesystem...
Loading journal descriptors...
Restoring file "path/to/file"...
File restored from inode 123456: /RECOVERED_FILES/path/to/file

Use case 3: Restore a directory from a path relative to root

Code:

extundelete /dev/sdXN --restore-directory path/to/directory

Motivation: Use this command when an entire directory, including all files and subdirectories, needs to be recovered. It’s especially useful after accidental deletion of entire folders that might contain numerous important files, such as project files or essential documents organized in folders.

Explanation:

  • extundelete is the command executable.
  • /dev/sdXN specifies which partition contains the deleted directory.
  • --restore-directory designates that the path pertains to a directory rather than a single file.
  • path/to/directory is the root-relative path to the location of the deleted directory.

Example Output:

Loading filesystem...
Loading journal descriptors...
Restoring directory "path/to/directory"...
Directory restored from inode 789012: /RECOVERED_FILES/path/to/directory

Use case 4: Restore all files deleted after January 1st, 2020 (in Unix time)

Code:

extundelete /dev/sdXN --restore-all --after 1577840400

Motivation: There are instances when you need to distinguish between files deleted at different times, particularly when older deletions aren’t of interest. This command recovers files based on their deletion time, which is indispensable after recent deletions during a specific period, allowing for more precise recovery operations.

Explanation:

  • extundelete is used to initiate the restore operation.
  • /dev/sdXN symbolizes the target partition.
  • --restore-all initiates recovery of all files matching subsequent criteria.
  • --after 1577840400 specifies a Unix timestamp, representing January 1st, 2020. This parameter filters recovered files, limiting results to those deleted after the given time.

Example Output:

Loading filesystem...
Loading journal descriptors...
Files deleted after 1577840400 will be restored...
Restored 5 files

Conclusion:

The extundelete command is a crucial tool for retrieving deleted files from ext3 or ext4 file systems. Whether the requirement is for specific file recovery, the restoration of directories, or the retrieval of files based on deletion time, extundelete provides flexible and powerful options to efficiently address various data recovery needs with precision and speed. These utilities significantly reduce data loss risks, enhancing data management disciplines within Linux systems.

Related Posts

How to Use the Command 'btrfs check' (with Examples)

How to Use the Command 'btrfs check' (with Examples)

The btrfs check command is a powerful utility for managing Btrfs (B-tree File System) filesystems.

Read More
How to Use the Command 'yadm-transcrypt' (with examples)

How to Use the Command 'yadm-transcrypt' (with examples)

In today’s world, data security is of paramount importance. With the proliferation of sensitive material in digital formats, it becomes crucial to handle data with the utmost care, especially when it is stored in version-controlled environments like Git.

Read More
How to use the command 'ostree' (with examples)

How to use the command 'ostree' (with examples)

OSTree is a version control system designed for managing and deploying binary files and is optimized for operating system root filesystems.

Read More