When you delete a file under Linux, it is usually permanent. However, there is a way to recover deleted files with the Ext4 file system. Unlike the FAT file system, which marks the file as deleted and releases the data blocks occupied by the file, the Ext4 file system overwrites the upper level of block allocation in the file’s management block, the inode. This makes it difficult to recover the data blocks belonging to the file. However, the Ext4 file system records this change in the file system’s journal, creating a way back as long as the journal persists.
Graphical file managers like Gnome’s Nautilus typically move deleted files to the recycle bin. However, once the recycle bin is emptied, things get complicated. But, there is still a way to recover deleted files.
To do so, mount the RAM file system under /mnt in order to cache the journal on it without affecting the root file system. Then, list connected drives and their mount points to find out the device name of the affected file system. This can be done using the lsblk -fp command. The next step is to determine the size and inode number of the Ext4 journal (default: 1 GB, inode 8). To do this, use the sudo dumpe2fs /dev/sda3 | grep journal command, but adjust the device name according to the lsblk output from the previous step.
Let pending file operations complete and save the journal to the RAM filesystem. The sync && debugfs -R “dump <8> /mnt/ext4 .journal” /dev/sda3 command should be used for this step. The inode number (<8>) is standard, but may differ in individual cases – the correct inode number can be found in the output of the previous step.
Next, copy the journal to an (external) data medium, NAS or via scp copy to another computer. Finally, switch off the computer and remove the hard disk or start with the live system until the data has been restored. It is important to act quickly to salvage the journal and prevent the deleted file’s freed data blocks from being overwritten.
To ensure that you are prepared in case of an emergency, keep this article or bookmark it in your browser or app. This way, you can reference the “to-do list for deleted files” easily and quickly check off each step.
