Wednesday, March 11, 2009

Recover Deleted Ext3 File

How are files stored in the Linux operating system? File systems are located inside a disk partition. The partition is usually organized into 512-byte sectors. When the partition is formatted as Ext3, successive sectors are grouped into blocks, whose size can range from 1 to 4 KB. The blocks are grouped together into block groups, whose size will be tens of thousands of blocks. Files are stored in three major locations: blocks, inodes, and directories. The file content is stored in blocks, which are allocated for the exclusive use of the file. A file is allocated as many blocks as it needs. Generally the file will be allocated consecutive blocks, but this is not always possible.

Many things occur when an Ext3 file is deleted from Linux. Keep in mind that the OS gets to choose exactly what occurs when a file is deleted. At a minimum, the OS must mark each of the blocks, the inode, and the directory entry as unallocated so that later files can use them. This minimal approach is what occurred several years ago with the Ext2 file system. In that case, the recovery process was relatively simple because the inode still contained the block addresses for the file content, and tools such as debugfs and e2undel could easily re-create the file. This worked as long as the blocks had not been allocated to a new file and the original content had not been overwritten.

With Ext3, there is an additional step that makes recovery much more difficult. When the blocks are unallocated, the file size and block addresses in the inode are cleared; therefore we can no longer determine where the file content was located. We can see the relationship between the directory entry, the inode, and the blocks of an unallocated file.

Recovery Solutions

Now that we know the components involved with files and which ones are cleared during deletion, we can examine two approaches to file recovery. The first approach uses the application type of the deleted file and the second approach uses data in the journal. Regardless of the approach, you should stop using the file system because you could create a file that overwrites the data you are trying to recover. You can power the system off and put the drive in another Linux computer as a slave drive or boot from a Linux CD.

The first step for both techniques is to determine the deleted file's inode address. This can be determined from debugfs. I'll give the debugfs method here. debugfs is a file system debugger that comes with most Linux distributions. To start debugfs, you'll need to know the device name for the partition that contains the deleted file. In my example, I have booted from a CD and the file is located on /dev/hda5:

# debugfs /dev/hda5
debugfs 1.37 (21-Mar-2005)
debugfs:

We can then use the cd command to change to the directory of the deleted file:
debugfs: cd /home/carrier/

The ls -d command will list the allocated and deleted files in the directory. Remember that the directory entry structure stores the name and the inode of the file and this listing will give us both values because neither is cleared during the deletion process. The deleted files have their inode address surrounded by "<" and ">":

debugfs: ls -d
415848 (12) . 376097 (12) .. 415864 (16) .bashrc
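
A sketch for pulling the deleted entries out of a saved ls -d listing, added here as an example (it is not part of the original post). The first listing line is the one shown above; the second line, with my notes.txt and the deleted oops.dat entry, is constructed sample data, and parse_ls_d and deleted_entries are hypothetical helper names.

```python
import re

# One entry as printed by debugfs "ls -d": inode, (record length), name.
# A deleted entry has its inode wrapped in "<" and ">".
# The name runs lazily up to the next "inode (rec_len) " group or end of line,
# so file names containing spaces are kept whole.
ENTRY = re.compile(
    r"(?P<del><)?(?P<inode>\d+)(?(del)>)\s+\((?P<rec_len>\d+)\)\s+"
    r"(?P<name>.+?)(?=\s+<?\d+>?\s+\(\d+\)\s|\s*$)"
)

# Constructed sample: line 2 is from the listing above, line 3 is made up.
SAMPLE = """\
debugfs: ls -d
415848 (12) . 376097 (12) .. 415864 (16) .bashrc
415865 (20) my notes.txt    <415926> (4024) oops.dat
"""


def parse_ls_d(text):
    """Return one dict per directory entry found in 'ls -d' output."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("debugfs"):
            continue  # skip blank lines and the debugfs prompt/banner
        for m in ENTRY.finditer(line):
            entries.append({
                "inode": int(m["inode"]),
                "rec_len": int(m["rec_len"]),
                "name": m["name"],
                "deleted": m["del"] is not None,
            })
    return entries


def deleted_entries(text):
    """Only the entries whose inode was printed as <inode>."""
    return [e for e in parse_ls_d(text) if e["deleted"]]


if __name__ == "__main__":
    for e in deleted_entries(SAMPLE):
        print(f"deleted: inode {e['inode']}  name {e['name']!r}")
```

A file name that itself contains text shaped like "123 (45) " would be split incorrectly, so check such entries by hand.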

If you are still unable to recover your data, you can try Linux data recovery software. Stellar Phoenix Linux data recovery software is very easy to use and provides a complete Ext3 recovery solution. This software uses powerful scanning algorithms to search the complete drive thoroughly and locate all the lost files and folders. This Linux data recovery software provides recovery from Ext2, Ext3 and Reiser file systems.
