How extundelete saved my day

2014-05-15

While setting up a remote backup storage I did a fatal mistake. I needed some seconds to understand what I had done wrong, but after hitting arrow-up a few times to see my command history I got it: I removed all of my images. Damn. I already had a backup of most of my images on an external drive, but there were lately added some new images, so not everything was backed up.

TL;DR

  • I accidentialy deleted my images folder
  • extundelete could not restore my deleted files with the --restore-directory option
  • I guessed the full folder paths and used them with --restore-directory - SUCCESS
$ extundelete /dev/xyz --restore-direcotry /home/full/path/to/folder # use this
$ extundelete /dev/xyz --restore-direcotry /home/full/path # not this

So what happened?

$ cd ~/BackupFolder/
$ ln -s /home/robin/Pictures Pictures

This was not exactly how I wanted to structure my backup folder, so I decided to remove the symlink.

$ rm -rf Pictures/

I'm using fish shell, so the appending slash is added when tab-completing.. Also - why did I use -rf here? It was too late to undo, so the only thing I could do was shutting down my whole box (unmounting was not an option because this happened on my root partition) and booting from a livecd. I immediately did a whole backup of my partition with dd.

extundelete, ext3magic, PhotoRec and Co.

I'm using a SSD drive with an ext4 partition, so my first try was to use extundelete:

$ extundelete sda_backup --restore-directory /home/robin/Pictures

Sadly only just about 1% of all files could be restored.

Also ext3magic did not find what I was expecting. PhotoRec did found a lot of stuff, but a lot of my over 10k images where corrupted.

Playing with extundelete

I returned using extundelete and tried using the option --restore-all to restore all deleted files. After a few minutes I was happy to see that all photos could be found, but distributed over a lot of different and wrong paths. Some images for example were located under /home/robin/Development/test/.git/

I read a lot on the web and found a user telling that --restore-directory did not find a lot of stuff, but using the full folder path of a subfolder in this path did work.

I tried different folders like /home/robin/Pictures/Birthday 2014/ which indeed did work! Awesome. I cant explain why this works and using --restore-all or --restore-directory did not, but this was enough for me to restore all of my files. I had to guess all folders I had under Pictures/, but after digging through some logfiles of tools I had used on this folder I finally restored most of my files.