Linux: Recover Deleted Files with Ext4 Journal

Gone is gone: Deleting a file on Linux is usually pretty permanent. Graphical file managers like Gnome’s Nautilus first move the files to the recycle bin – but once it’s emptied, things get complicated. The reason for this lies in how the standard Ext4 file system deletes files: instead of just marking the file as deleted and releasing the data blocks occupied by the file, as in the FAT file system, Ext4 overwrites the upper level of block allocation in the file’s management block, the inode, so that the data blocks belonging to the file can no longer be determined. However, this change is recorded in the file system’s journal, so there is a way back as long as the journal persists.

  1. Check the recycle bin: Graphical file managers usually do not delete the files directly.
  2. Mount RAM file system under /mnt to cache the journal on it without affecting the root file system: sudo mount -t tmpfs tmpfs /mnt
  3. List attached drives and their mount points to find out the device name of the affected file system: lsblk -fp
  4. Determine the size and inode number of the Ext4 journal (default: 1 GB, inode 8): sudo dumpe2fs /dev/sda3 | grep Journal You must enter the device name (/dev/sda3) according to the output of lsblk adjust from the previous step. For example, on encrypted Ubuntu installations, the device name of the root file system is /dev/mapper/vgubuntu-root.
  5. Allow pending file operations to complete and save the journal to the RAM file system: sync && debugfs -R "dump <8> /mnt/ext4.journal" /dev/sda3. The inode number (<8>) is standard, but may differ in individual cases – see the output of the previous step for the correct inode number.
  6. Journal copy /mnt/ext4.journal to an (external) disk, NAS or via scp copy to another computer.
  7. Switch off the computer and remove the hard disk or start with the live system until the data has been restored.

So it is important to act quickly to salvage the journal and prevent the deleted file’s freed data blocks from being overwritten. You should therefore keep this article safe or bookmark it in the browser or in the app so that you have the following “to-do list for deleted files” at hand in an emergency and can tick them off step by step. You then have time to think about how to get your data back.

To home page

Related Posts

Hot News


usefull links

robis robis robis