e2undel 0.82 review
e2undel is an interactive console tool that recovers the data of deleted files on an ext2 file system under Linux.
Included is a library that allows you to recover deleted files by name. It does not require any knowledge about the secrets of the ext2 file system and should be usable by everyone.
e2undel does not manipulate internal ext2 structures and requires only read access to the file system where the files to recover are located. It accesses the ext2 file system by way of Ted Ts'o's ext2fs library; so I think it is safe to use.
The e2undel package contains a library that allows you to recover deleted files by their names. Usually, when a file is deleted, its name is lost; after installing this library, the names of deleted files are logged and accessible via the e2undel program.
e2undel searches all inodes marked as deleted on a file system and lists them sorted by owner and time of deletion. Additionally, it gives you the file size and tries to determine the file type in the way file(1) does.
If you did not just delete a whole bunch of files with a rm -r *, this information should be helpful to find out which of the deleted files you would like to recover. After selecting a deleted file, e2undel assembles its data by reading the data blocks (whose numbers are still stored in the inode), and writes the data to a new file.
Included in the package is the undel library. This library, loaded by the $LD_PRELOAD mechanism, hooks into the system calls unlink(2) and remove(3). libundel logs the device (like /dev/hdb7 etc.), the inode number, and the name of each file that is deleted by these system calls in a log file (/var/e2undel/e2undel by default).
With this information, it is possible to recover deleted files by name. Of course, e2undel also works without the undel library (as outlined in the deleted file recovery howto), but you lose the functionality to recover deleted files by name if you don't use libundel - maybe the best part of this tool.
e2undel does not actually undelete a file (i.e., does not manipulate ext2 internal structures like inode, block bitmap, and inode bitmap). Instead it recovers the data of a deleted file and saves it in a new file.
Requirements:
* Linux with kernel 2.2 or 2.4 (2.0 should work, but is not tested)
* ext2 filesystem (no ext3, ReiserFS, XFS, JFS; no RAID)
* only tested on Intel architecture, other platforms may work
* glibc 2.2 is tested, other versions should work
* the e2fsprogs package (might be called ext2fs or something similar on your distribution); versions from 1.19 to 1.25 are tested, other (not too old) versions should work
* the e2fsprogs-devel package (Ted Ts'o's original e2fsprogs package contains everything necessary)
Installation:
* compile with make e2undel-file
* install by copying the resulting e2undel binary to any directory within your $PATH (e.g., /usr/local/bin)
If you delete a file stored on an ext2 file system, its data is not instantly lost. What happens is:
* ext2 marks the file's data blocks as available in its block bitmap
* ext2 marks the file's inode as available in its inode bitmap
* the number of hard links to this file is set to 0 in the file's inode
* the deletion time is set in the file's inode
* ext2 invalidates the file's name in the directory entry
So, the file's data is not actually deleted (but it might be overwritten in the future); and the crucial information in the inode (owner, access rights, size, data blocks occupied by the file and some more) is not touched. If you know the inode number, you can simply recover the file by using Ted Ts'o's debugfs tool.
What is lost however is the association between the file name and the inode: You can't restore the former file name from the inode information. To recover the data of a deleted file, you must completely rely on the information in the inode like file size, owner, deletion time, etc.
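The deleted-inode state listed above can be checked directly on a raw inode. The following is an added example, not e2undel's code (e2undel goes through the ext2fs library): it reads the fields at their offsets in the standard 128-byte ext2 on-disk inode and reports the direct data blocks that still describe the file. The names deleted_info, parse_deleted_inode and make_sample are hypothetical, and the sample inode is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* What recovery needs from a raw 128-byte on-disk ext2 inode (little-endian). */
struct deleted_info {
    uint16_t uid;
    uint32_t size, dtime;
    uint32_t direct[12], n_direct; /* i_block[0..11] and how many cover i_size */
    int needs_indirect;            /* 1 if data extends past the 12 direct blocks */
};
static uint32_t le(const uint8_t *p, int n) {    /* read n-byte little-endian */
    uint32_t v = 0; while (n--) v = v << 8 | p[n]; return v;
}
static void put(uint8_t *p, uint32_t v, int n) { /* write n-byte little-endian */
    for (int i = 0; i < n; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Returns 1 and fills *out when the inode shows the deleted state described
 * above: link count 0, deletion time set, mode still present. Else 0. */
int parse_deleted_inode(const uint8_t *raw, uint32_t block_size, struct deleted_info *out) {
    uint32_t dtime = le(raw + 20, 4);             /* i_dtime at offset 20 */
    /* i_links_count at offset 26, i_mode at offset 0 */
    if (le(raw + 26, 2) != 0 || dtime == 0 || le(raw, 2) == 0 || block_size == 0) return 0;
    memset(out, 0, sizeof *out);
    out->uid = (uint16_t)le(raw + 2, 2);          /* i_uid */
    out->size = le(raw + 4, 4);                   /* i_size */
    out->dtime = dtime;
    uint32_t need = out->size / block_size + (out->size % block_size != 0);
    out->needs_indirect = need > 12;
    out->n_direct = need > 12 ? 12 : need;
    for (uint32_t i = 0; i < out->n_direct; i++)
        out->direct[i] = le(raw + 40 + 4 * i, 4); /* i_block[i] */
    return 1;
}

/* Constructed sample inode: regular file 0644, uid 1000, three data blocks. */
void make_sample(uint8_t *raw, uint32_t size, uint16_t links, uint32_t dtime) {
    static const uint32_t blocks[3] = {8193, 8194, 8200};
    memset(raw, 0, 128);
    put(raw, 0x81A4, 2); put(raw + 2, 1000, 2); put(raw + 4, size, 4);
    put(raw + 20, dtime, 4); put(raw + 26, links, 2);
    for (int b = 0; b < 3; b++) put(raw + 40 + 4 * b, blocks[b], 4);
}

int main(void) {
    uint8_t raw[128]; struct deleted_info d;
    make_sample(raw, 2500, 0, 1000000000u);       /* deleted: links 0, dtime set */
    if (parse_deleted_inode(raw, 1024, &d))
        printf("uid=%u size=%u first block=%u\n", (unsigned)d.uid, (unsigned)d.size, (unsigned)d.direct[0]);
    return 0;
}
```

A file needing more than 12 blocks sets needs_indirect, meaning the remaining block numbers live in indirect blocks that this example does not follow.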