Ext4 Data Recovery
Recover Data from an EXT4 File System
What is an EXT4 file system?
Linux supports over 100 distinct file systems for disk storage. Among these, the Extended file system version 4, more commonly referred to as EXT4, stands out as a top choice. In fact, it has become the default file system standard in all major Linux distributions. Given its importance, mastering Ext4 Data Recovery proves invaluable.
Can you recover data from an EXT4 partition?
Recovering data from an EXT4 partition can pose challenges. This complexity arises from the way the Operating System segments data within an EXT4 file system. To enhance performance, EXT4 organizes data meticulously into a series of block groups.
Specifically, a block consists of sectors ranging from 1KiB (1024 kb) to 64KiB (65536 kb). Moreover, the block group layout divides into multiple blocks. To facilitate the file system’s structure, several blocks play a crucial role. These comprise the EXT4 superblock, Group descriptors, Inode tables, Inode bitmaps, and the core data blocks.
How does the EXT4 file system safeguard data?
Designed with flexibility and durability in mind, EXT4 serves as a backwards-compatible file system. It builds upon its predecessors (EXT2, EXT3) while embracing features that cater to modern OS needs. These attributes ensure that EXT4 scales efficiently and remains dependable, even for extensive file systems.
Key components include:
At the heart of the file system lies the Inode table, which acts as a cornerstone. This table holds metadata about a file or data block within an EXT4 system. When an application needs to access specific metadata, it can do so by referencing the known Inode ID. Notably, each Inode represents a file within the file table. By employing this file system approach, servers experience enhanced performance and diminished fragmentation.
Inodes contain pertinent information such as:
- File’s creation (birth) timestamp (btime)
- Last modification timestamp (mtime)
- Last status change timestamp (ctime)
- Size of the file
- Device id
- User id (UID)
- Group Id (GID)
- Plus, a pointer to the actual data
However, it’s worth noting that Inodes don’t retain the file name. Instead, the file table holds this piece of information. While each file name links to a unique Inode number, a single file Inode number can correspond to multiple names. Thankfully, querying Inode data remains straightforward on any EXT.
To get detailed Inode information on a file, run the stat command.
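As an added illustration (not part of the original article), the Python example below decodes the fields listed above straight from a raw inode record, the way a recovery tool reads them from a disk image. The offsets follow the standard ext4 on-disk inode layout; the sample inode, including the way the deleted variant is filled in, and the names parse_inode and build_sample_inode are constructed for this example.

```python
import struct
from datetime import datetime, timezone

EXTENT_MAGIC = 0xF30A  # first two bytes of i_block when the file uses extents

def utc(seconds: int):
    """Epoch seconds as ISO 8601 text; 0 means the field was never set."""
    if not seconds:
        return None
    return datetime.fromtimestamp(seconds, timezone.utc).isoformat()

def parse_inode(raw: bytes) -> dict:
    """Decode one on-disk ext4 inode record (offsets per the ext4 layout)."""
    (mode, uid, size_lo, _atime, ctime, mtime, dtime, gid,
     links) = struct.unpack_from("<HHIIIIIHH", raw, 0x00)
    (size_hi,) = struct.unpack_from("<I", raw, 0x6C)
    uid_hi, gid_hi = struct.unpack_from("<HH", raw, 0x78)
    info = {"mode": oct(mode), "links": links,
            "uid": uid | (uid_hi << 16), "gid": gid | (gid_hi << 16),
            "size": size_lo | (size_hi << 32), "ctime": utc(ctime),
            "mtime": utc(mtime), "dtime": utc(dtime), "btime": None,
            "extents": []}
    # btime (i_crtime) exists only when the inode's extra area covers it
    if len(raw) >= 0x94 and struct.unpack_from("<H", raw, 0x80)[0] >= 20:
        info["btime"] = utc(struct.unpack_from("<I", raw, 0x90)[0])
    magic, entries, _max, depth = struct.unpack_from("<HHHH", raw, 0x28)
    if magic == EXTENT_MAGIC and depth == 0:  # leaf extents held in the inode
        for i in range(min(entries, 4)):
            first, length, hi, lo = struct.unpack_from("<IHHI", raw, 0x34 + 12 * i)
            info["extents"].append((first, length, (hi << 32) | lo))
    return info

def build_sample_inode(deleted: bool = False) -> bytes:
    """Constructed 256-byte inode for a 5000-byte file owned by 1000:1000."""
    raw = bytearray(256)
    size, dtime, links, entries = (0, 1700000400, 0, 0) if deleted else (5000, 0, 1, 1)
    struct.pack_into("<HHIIIIIHH", raw, 0, 0o100644, 1000, size, 1700000000,
                     1700000300, 1700000200, dtime, 1000, links)
    struct.pack_into("<HHHH", raw, 0x28, EXTENT_MAGIC, entries, 4, 0)
    if not deleted:
        struct.pack_into("<IHHI", raw, 0x34, 0, 2, 0, 34816)  # blocks 34816-34817
    struct.pack_into("<H", raw, 0x80, 32)          # i_extra_isize
    struct.pack_into("<I", raw, 0x90, 1700000100)  # i_crtime (btime)
    return bytes(raw)

if __name__ == "__main__":
    for deleted in (False, True):
        print(parse_inode(build_sample_inode(deleted)))
```

Each extent tuple is (first logical block, length in blocks, first physical block), which is the "pointer to the actual data" in the list above.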
Journaling is a feature of ext4 designed to prevent data corruption. Essentially, a journal log tracks writes to disk and ensures that any partially written jobs are completed next. The file system uses the journal if there is an unexpected reboot and data has not finished writing to disk.
You can check the status of your journaling by executing the following:
$ cat /proc/fs/jbd2/<your partition>/info
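Added example, not from the original article: the EXT4 superblock mentioned earlier records the block size, whether a journal exists and whether it still holds transactions that have not been replayed, so decoding it is a quick sanity check on a disk or disk image. The superblock bytes below are constructed sample data, and parse_superblock and build_sample_image are names made up for this example.

```python
import struct

EXT4_MAGIC = 0xEF53
COMPAT_HAS_JOURNAL = 0x0004   # s_feature_compat bit
INCOMPAT_RECOVER = 0x0004     # s_feature_incompat: journal not yet replayed
INCOMPAT_EXTENTS = 0x0040     # s_feature_incompat: files mapped by extents

def parse_superblock(image: bytes, part_offset: int = 0) -> dict:
    """Decode the primary superblock, 1024 bytes into the partition."""
    # part_offset: partition start in bytes when the image is a whole disk
    sb = image[part_offset + 1024:part_offset + 2048]
    if len(sb) < 0x68:
        raise ValueError("image too short to hold a superblock")
    inodes, blocks = struct.unpack_from("<II", sb, 0x00)
    first_data_block, log_block_size = struct.unpack_from("<II", sb, 0x14)
    (blocks_per_group,) = struct.unpack_from("<I", sb, 0x20)
    (inodes_per_group,) = struct.unpack_from("<I", sb, 0x28)
    magic, state = struct.unpack_from("<HH", sb, 0x38)
    compat, incompat = struct.unpack_from("<II", sb, 0x5C)
    if magic != EXT4_MAGIC or blocks_per_group == 0:
        raise ValueError(f"no ext2/3/4 superblock here (magic 0x{magic:04X})")
    return {
        "block_size": 1024 << log_block_size,
        "blocks": blocks,                      # low 32 bits of the count
        "inodes": inodes,
        "inodes_per_group": inodes_per_group,
        "block_groups": -(-(blocks - first_data_block) // blocks_per_group),
        "cleanly_unmounted": bool(state & 0x0001),
        "has_journal": bool(compat & COMPAT_HAS_JOURNAL),
        "journal_needs_replay": bool(incompat & INCOMPAT_RECOVER),
        "uses_extents": bool(incompat & INCOMPAT_EXTENTS),
    }

def build_sample_image() -> bytes:
    """Constructed sample: 4 KiB blocks, journal present and not replayed."""
    sb = bytearray(1024)
    struct.pack_into("<II", sb, 0x00, 65536, 262144)   # inodes, blocks
    struct.pack_into("<II", sb, 0x14, 0, 2)            # first block, log size
    struct.pack_into("<I", sb, 0x20, 32768)            # blocks per group
    struct.pack_into("<I", sb, 0x28, 8192)             # inodes per group
    struct.pack_into("<HH", sb, 0x38, EXT4_MAGIC, 0)   # magic, state (not clean)
    struct.pack_into("<II", sb, 0x5C, COMPAT_HAS_JOURNAL,
                     INCOMPAT_RECOVER | INCOMPAT_EXTENTS)
    return bytes(1024) + bytes(sb)

if __name__ == "__main__":
    for key, value in parse_superblock(build_sample_image()).items():
        print(f"{key:22} {value}")
```

When journal_needs_replay is true, mounting the file system read-write replays the journal and so changes the data on it; the ro,noload mount options leave it untouched.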
EXT4 Data Recovery
Grasping the concepts discussed earlier is crucial for diving into EXT4 Data Recovery. Despite the robustness of hardware, data loss can occur due to hardware mishaps, software glitches, or simply human error. More often than not, accidental deletions or malicious intent lead to missing data. If you find your server lacking a current backup, you might face challenges in restoring vital information.
Contrary to the advice from many Linux distributors, recovering EXT4 data files straight out of the box isn’t typically feasible. Yet, this doesn’t mean you’re out of options. Several innovative tools strive to reclaim lost data, either by searching through the file system journal or by attempting to undelete vanished Inodes. Success rates, however, can vary.
For those hesitant about diving into data recovery on their own or for instances where initial efforts don’t bear fruit, seeking out a third-party data recovery specialist becomes a viable option.
A Word of Caution: Backup Before You Dive In
Before undertaking any recovery steps, always ensure you’ve backed up your disk. Avoid working directly on the file system from which you’re trying to retrieve data. Doing so risks overwriting Inodes, potentially dashing any hopes of data recovery. Tools like ddrescue stand ready to help you clone EXT4 file systems to safer locations.
Step 1 – Install DDRescue
sudo apt install gddrescue
sudo ddrescue -f -r3 /dev/sdb /tmp/server.img server.log
Step 2 – Use Testdisk to recover files.
Once you have a backup of your EXT4 file system, you can safely use a tool called testdisk to attempt to recover data.
To demonstrate this, I have created 3 data files called data1.img, data2.img and data3.img
Next, for this demonstration, I have deleted the 3 files using
sudo rm /tmp/data*
Next, execute the testdisk application. Simply type testdisk
Select Create and choose Intel partition (the program should auto-detect your disk)
Next, select Analyze
Choose your partition to recover data and hit enter, then press P to list all the files found.
Press : to select files marked in red; they will turn green once selected
Press C to copy selected files and choose a location to save the files
After you have chosen the file system, press C again to copy
Step 3 – Use a Hex Editor to Examine the Data
If you encounter any issues recovering data or can only partially restore a file, you can take your investigation one step further and interrogate the data with a hex editor. The hex editor lets you determine whether the data blocks are available and whether it is worthwhile attempting to recover them. A tool such as wxhexeditor is great at interrogating data. You can even mount your backup image taken previously with ddrescue to determine if the data is available.
To install WxHexEditor on Ubuntu:
$ sudo apt-get update
$ sudo apt-get install wxhexeditor
To install WxHexEditor on a Debian variant via the archive repo, use:
$ wget -q -O - http://archive.getdeb.net/getdeb-archive.key | sudo apt-key add -
$ sudo sh -c 'echo "deb http://archive.getdeb.net/ubuntu $(lsb_release -cs)-getdeb apps" >> /etc/apt/sources.list.d/getdeb.list'
$ sudo apt-get update
$ sudo apt-get install wxhexeditor
To install WxHexEditor on an RHEL, CentOS, Rocky or Fedora variant via the archive repo, use:
$ sudo yum install libtool gcc-c++ wxGTK-devel
$ git clone https://github.com/EUA/wxHexEditor.git
$ cd wxHexEditor
$ make OPTFLAGS="-fopenmp"
We’ve only begun to explore data recovery on the EXT4 file system. We’ve presented two methods to protect and recover your data. Each recovery scenario varies, and you must consider the volume of data you want to restore, whether the data is encrypted, or if there’s a hardware issue, like a failed RAID controller.
There are plenty of Linux applications that can attempt to recover the data. Also, consider looking into: