I want to restore files that I accidentally overwrote on Linux.

Asked 2 months ago, Updated 2 months ago, 1 views


I want to restore a specific file that I accidentally overwrote on Linux.
I want /home/Documents/target on /dev/sda3 to be returned to its state at a specified earlier time.

USB-booting environment

Linux ubuntu 5.0.0-23-generic #24-18.04.1-Ubuntu SMP Mon Jul 29 16:12:28 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux


On LDME4, I accidentally overwrote the text file, so I shut down the system as soon as I realized it.
This disk is encrypted. The password to boot and log in is known. The disk is partitioned as follows, and the file system is ext4.

[email protected]:/$ sudo fdisk -l
(Not required, so abbreviated)
Disk /dev/sda: 931.5 GiB, 1000204886016 bytes, 1953525168 sectors
Unit: Sector (1*512 = 512 bytes)
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O Size (minimum/recommended): 4096 bytes/4096 bytes
Disk Label Type: gpt
Disk identifier: 014F04A8-0B49-4946-ADB2-5897AB304DBC
(Not required, so abbreviated)

After that, I had a bootable USB drive, so I booted from it and tried to restore the file using ext4magic, but when I entered the command ext4magic /dev/sda3 -l, I was not sure whether the file could be restored.

Once I have checked whether it can be restored, and if it can, what should I do to restore it?
Thank you for your cooperation.

[email protected]:/$ sudo ext4magic /dev/sda3 -l
Filesystem in use: /dev/sda3

Using  internal Journal at Inode 8
Inode 2 is allocated
  100%   ユーザー名/.ecryptfs 
  100%   ユーザー名/.Private 
  100%   ユーザー名/README.txt 
  100%   ユーザー名/Access-Your-Private-Data.desktop 
  100 % - rw # fs  . es, Integrity, and Encryption) and the username /. * CFUNCTION GLOBAL unlink/lib/dev-state/$devnameRESTORE, and Encryption) and / - mount 
  100 %  . / lib/dev-state/$devnameDELETE. * CFUNCTION GLOBAL unlink/lib/dev-state/$devnameRESTORE, and Encryption) and user name / crypt / autocomplete - People kept count 
(omitted)
ext4magic : EXIT_SUCCESS


[email protected]:/$ df -T
Filesystem     Type      1K-blocks     Used Available Use% Mounted on
udev           devtmpfs   15348412        0  15348412   0% /dev
tmpfs          tmpfs       3081220     1780   3079440   1% /run
/dev/sdb1      vfat       61256224 2001952542724% /cdrom
/dev/loop0     squashfs    1895936  1895936         0 100% /rofs
/cow           overlay    15406096   737076  14669020   5% /
tmpfs          tmpfs      15406096    78728  15327368   1% /dev/shm
tmpfs          tmpfs          5120        4      5116   1% /run/lock
tmpfs          tmpfs      15406096        0  15406096   0% /sys/fs/cgroup
tmpfs          tmpfs      15406096      532  15405564   1% /tmp
tmpfs          tmpfs       3081216       64   3081152   1% /run/user/999
/dev/loop1     squashfs      90624    90624         0 100% /snap/core/7270
/dev/loop2     squashfs      55808    55808         0 100% /snap/core18/1074
/dev/loop3     squashfs      43904    43904         0 100% /snap/gtk-common-themes/1313
/dev/loop4     squashfs     153600   153600         0 100% /snap/gnome-3-28-1804/67
/dev/loop5     squashfs       4224     4224         0 100% /snap/gnome-calculator/406
/dev/loop6     squashfs      15104    15104         0 100% /snap/gnome-characters/296
/dev/loop7     squashfs       1024     1024         0 100% /snap/gnome-logs/61
/dev/loop8     squashfs       3840     3840         0 100% /snap/gnome-system-monitor/100
/dev/sda3      ext4      102688032 26638320  70790448  28% /media/ubuntu/140fda0e-449f-4b18-a94c-c0c5c6a6064e

directory structure

[email protected]:/media$ sudo tree -a -L 5
.
├── cdrom -> /cdrom
└── ubuntu
    └── 140fda0e-449f-4b18-a94c-c0c5c6a6064e
        ├── .ecryptfs
        │   └── Username
        │       ├── .Private
        │       └── .ecryptfs
        ├── Username
        │   ├── .Private -> /home/.ecryptfs/Username/.Private
        │   ├── .ecryptfs -> /home/.ecryptfs/Username/.ecryptfs
        │   ├── Access-Your-Private-Data.desktop -> /usr/share/ecryptfs-utils/ecryptfs-mount-private.desktop
        │   └── README.txt -> /usr/share/ecryptfs-utils/ecryptfs-mount-private.txt
        └── lost+found

When I entered the command indicated by cubick♦, it looked like the following and could not be restored.

[email protected]:~$ sudo ext4magic /dev/sda3 -a Time Start -b Time End -r -f "home/Documents/target"
"RECOVERDIR" accept for recoverdir
Filesystem in use: /dev/sda3

Using  internal Journal at Inode 8
Activ Time after: Mon Jul 20 Start 2020
Activ Time before: Mon Jul 20 Time End 2020
Error: Inode not found for "home/Documents/target"
Check the valid PATHNAME "home/Documents/target" and the BEFORE option" Mon Jul 20 13:50:38 2020
ext4magic : EXIT_SUCCESS

Since there is no such path in the first place, I don't know whether the inode itself has already been deleted or the path is simply not known. So I'll create an encrypted disk, reproduce a similar situation, shut it down immediately, and see if I can restore the file from the encrypted disk with this command.


2022-09-30 13:58

1 Answer

See also man ext4magic and the online documentation for more information.

If you apply the simplest conditions,

  • Apart from swap etc., the only partition is /dev/sda3, mounted at /
  • Assume that /home/Documents/target to be restored is a file

In this case, the following is likely to be done.

$ sudo ext4magic /dev/sda3 -f "home/Documents/target"
  • If the date and time are correct, use the -a and -b options as well
  • Add -r if the target is a directory
  • Beware of destination directories! (Separate destination from original partition)

2022-09-30 13:58
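
Added example, not part of the answer above: shell functions that assemble the ext4magic invocations the answer describes, converting the time window to the epoch seconds that -a and -b take, making the -f path relative to the filesystem root, and refusing a -d destination on the partition being recovered. The function names are made up for this example; -l, -r and -d are ext4magic's list, recover and output-directory options, and the times in the test are constructed.

```shell
#!/bin/sh
# Added example: builds ext4magic command lines; it never runs ext4magic.

# -a/-b take seconds since the epoch. The string is read in the current
# TZ, which on a live USB may differ from the installed system's zone.
to_epoch() { date -d "$1" +%s; }

# $1 = normal mount point of the filesystem, $2 = absolute path of the file.
# Prints the path relative to the filesystem root, the form passed to -f.
fs_relative_path() {
    mp=${1%/}
    case "$2" in
        "$mp"/*) rel=${2#"$mp"/}; printf '%s\n' "$rel" ;;
        *) echo "$2 is not under $1" >&2; return 1 ;;
    esac
}

# Returns 0 when directory $2 is on device $1, or when df cannot tell
# (fail closed). Compares the device name exactly as df reports it.
dest_on_source() {
    dest_src=$(df -P "$2" 2>/dev/null | awk 'NR==2 {print $1}')
    [ -z "$dest_src" ] || [ "$dest_src" = "$1" ]
}

# $1 device  $2 list|recover  $3 after  $4 before  $5 fs-relative path
# $6 destination directory (recover only)
ext4magic_cmd() {
    after=$(to_epoch "$3") && before=$(to_epoch "$4") || return 1
    [ "$after" -lt "$before" ] || { echo "empty time window" >&2; return 1; }
    case "$2" in
        list)
            printf 'ext4magic %s -a %s -b %s -f "%s" -l\n' \
                "$1" "$after" "$before" "$5" ;;
        recover)
            [ -d "$6" ] || { echo "no such directory: $6" >&2; return 1; }
            if dest_on_source "$1" "$6"; then
                echo "refusing: $6 is on $1" >&2; return 1
            fi
            printf 'ext4magic %s -a %s -b %s -f "%s" -r -d "%s"\n' \
                "$1" "$after" "$before" "$5" "$6" ;;
        *) echo "mode must be list or recover" >&2; return 1 ;;
    esac
}
```

The tree listing in the question shows the root of /dev/sda3 holding .ecryptfs, Username and lost+found, so a name given to -f has to be relative to that root rather than to /.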


© 2022 OneMinuteCode. All rights reserved.