Ext4magic-Time Options







Attention:

This is a computer translation of the original webpage. It is provided for general information only and should not be regarded as complete nor accurate





Ext4magic: Inode - Directory - Journal - Install - Time_Options - Histogram - Scenarios - Tips&Tricks - Manpage - Expert-Mode



The function of the time markers

By using the journal data, the file system gains one more virtual dimension in ext4magic: time. Files and directories do not exist from the beginning, and they do not stay unchanged forever. They can be created and deleted, and their names, sizes or other characteristics can change. Files and directories can receive a name that was previously used by another file. All these changes leave traces in the journal, which ext4magic can find and handle. The time stamps are needed to find out whether a specific file existed at a certain time or not. Calling the command with time stamps tells ext4magic which “time layer” of the file system it should work on.

Search procedure: searching for an inode by a given inode number

For a deleted file to be found, it must have existed in the time between “AFTER” and “BEFORE”. If several undeleted inode copies are found, the copy with the youngest time stamp is used, that is, the one nearest to the “BEFORE” time.

The same applies to a directory inode; in addition, the matching data blocks are searched for in the journal. If the inode copy was produced without the data blocks of the directory having changed, a copy of this data block from a later time is searched for. Data blocks that lie after “BEFORE” in time are therefore also used. If no copy of this block is found in the journal, the original block of the file system is used.

This results in two possibilities for setting the “BEFORE” time: either it is set to a time after the deletion, or it is set as exactly as possible to just before the beginning of the deletion or overwriting of the files.





Detailed recovery example with special use of time stamps

Error situation:

Thumbnails were to be generated in a directory, but because of a wrong instruction in the script the new thumbnails overwrote the original pictures with the same names. As a result the original pictures have disappeared, and the directory now contains thumbnails with the same names.


Preparation

Unmount the file system and create an image (“testfile.iso”) of the file system. (recommended and optional)


Investigation of the file system

The directory name is known: directory “user1/”.
A list of all inode copies of this directory in the journal is created:
ext4magic testfile.iso -f "user1"  -T
This list is to be investigated between transactions 3341 and 3347;
the difference can be recognized by the file size.
ROBI@LINUX:/home/rob/test # ext4magic testfile.iso -f "user1"  -T | grep -A15 transaction
.....
Dump Inode 60929 from journal transaction 3341
Inode: 60929   Type: directory    Mode:  0755   Flags: 0x0
Generation: 301560004    Version: 0x00000000
User:     0   Group:     0   Size: 1024
File ACL: 0    Directory ACL: 0
Links: 2   Blockcount: 2
Fragment:  Address: 0    Number: 0    Size: 0
ctime: 1275076684 -- Fri May 28 21:58:04 2010
atime: 1275076686 -- Fri May 28 21:58:06 2010
mtime: 1275076684 -- Fri May 28 21:58:04 2010
    60929  d  755 (2)      0      0           1024 28-May-2010 21:58 .
        2  d  755 (2)      0      0           1024 28-May-2010 21:56 ..
    60930  _  755 (1)      0      0        1868983 28-May-2010 21:58 cimg1433.jpg
    60931  _  755 (1)      0      0        1865355 28-May-2010 21:58 cimg1434.jpg
    60932  _  755 (1)      0      0        2022342 28-May-2010 21:58 cimg1435.jpg
    60933  _  755 (1)      0      0        1871073 28-May-2010 21:58 cimg1436.jpg
--
Dump Inode 60929 from journal transaction 3347
Inode: 60929   Type: directory    Mode:  0755   Flags: 0x0
Generation: 301560004    Version: 0x00000000
User:     0   Group:     0   Size: 1024
File ACL: 0    Directory ACL: 0
Links: 2   Blockcount: 2
Fragment:  Address: 0    Number: 0    Size: 0
ctime: 1275076887 -- Fri May 28 22:01:27 2010
atime: 1275076686 -- Fri May 28 21:58:06 2010
mtime: 1275076887 -- Fri May 28 22:01:27 2010
    60929  d  755 (2)      0      0           1024 28-May-2010 22:01 .
        2  d  755 (2)      0      0           1024 28-May-2010 21:56 ..
    60957  _  644 (1)      0      0          51823 28-May-2010 22:01 cimg1433.jpg
    60930  _  644 (1)      0      0          42837 28-May-2010 22:01 cimg1434.jpg
    60931  _  644 (1)      0      0          47361 28-May-2010 22:01 cimg1435.jpg
    60932  _  644 (1)      0      0          43670 28-May-2010 22:01 cimg1436.jpg
--
....
Transaction 3341 shows all pictures still with their original file size. After that, the files are smaller.
“grep” shows only some of the files here, but it can be recognized that the smaller files use the same inode numbers again.



Finding the correct time stamps

The mishap is not older than a few hours, and before that no files were deleted in this directory,
so the default “AFTER” time (-24h) can be used.
The “BEFORE” time is crucial. It must be smaller than 1275076887 (the ctime from transaction 3347, where all files here are already overwritten) and bigger than 1275076684 (the ctime from transaction 3341, where the original files are still present).
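
The comparison above can be automated. The following is an added example, not part of ext4magic or of the original page: it parses the "-T" dump layout shown above and reports the ctime window for “BEFORE”. The function names parse_dump and before_window are hypothetical, and the rule "first transaction in which a file keeps its name but shrinks" is an assumption that fits this overwrite scenario.

```python
import re

# Constructed sample: trimmed from the "-T" dump shown above (two transactions,
# two directory entries each), in the same line layout.
SAMPLE = """\
Dump Inode 60929 from journal transaction 3341
ctime: 1275076684 -- Fri May 28 21:58:04 2010
    60930  _  755 (1)      0      0        1868983 28-May-2010 21:58 cimg1433.jpg
    60931  _  755 (1)      0      0        1865355 28-May-2010 21:58 cimg1434.jpg
--
Dump Inode 60929 from journal transaction 3347
ctime: 1275076887 -- Fri May 28 22:01:27 2010
    60957  _  644 (1)      0      0          51823 28-May-2010 22:01 cimg1433.jpg
    60930  _  644 (1)      0      0          42837 28-May-2010 22:01 cimg1434.jpg
"""

HEAD = re.compile(r"^Dump Inode \d+ from journal transaction (\d+)")
CTIME = re.compile(r"^ctime:\s+(\d+)")
# Columns: inode, type, mode, (links), uid, gid, size, date, time, name
ENTRY = re.compile(
    r"^\s*\d+\s+\S\s+\d+\s+\(\d+\)\s+\d+\s+\d+\s+(\d+)\s+\S+\s+\S+\s+(.+)$")

def parse_dump(text):
    """Return [(transaction, ctime, {name: size})] in journal order."""
    out = []
    for line in text.splitlines():
        if m := HEAD.match(line):
            out.append([int(m.group(1)), None, {}])
        elif out and (m := CTIME.match(line)):
            out[-1][1] = int(m.group(1))
        elif out and (m := ENTRY.match(line)):
            if m.group(2) not in (".", ".."):
                out[-1][2][m.group(2)] = int(m.group(1))
    return [tuple(t) for t in out]

def before_window(transactions):
    """Find the first step where a file kept its name but shrank.
    Returns (last_good_ctime, first_bad_ctime, suggested_before) or None."""
    for (_, good, old), (_, bad, new) in zip(transactions, transactions[1:]):
        if any(n in old and new[n] < old[n] for n in new):
            # "BEFORE" must lie strictly between the two ctimes.
            return good, bad, (good + 1 if bad - good > 1 else None)
    return None

if __name__ == "__main__":
    print(before_window(parse_dump(SAMPLE)))
```

The third value returned is the last good ctime plus one second, the same choice the walkthrough makes for the -b option.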



Testing the time stamps

The list option “-l” can be used to determine which files can be recovered. The ctime from transaction 3341 + 1 second is used as “BEFORE”.
ROBI@LINUX:/home/rob/test # ext4magic testfile.iso -f "user1"  -b 1275076685 -l
Filesystem in use: testfile.iso
Using internal Journal at Inode 8
Activ Time after  : Thu May 27 23:02:29 2010
Activ Time before : Fri May 28 21:58:05 2010
Inode found "user1"   60929
Inode 60929 is allocated
   92%   user1/cimg1433.jpg
   88%   user1/cimg1434.jpg
   94%   user1/cimg1435.jpg
  100%   user1/cimg1436.jpg
  100%   user1/cimg1437.jpg
  100%   user1/cimg1438.jpg
  100%   user1/cimg1439.jpg
  100%   user1/cimg1441.jpg
  100%   user1/cimg1442.jpg
  100%   user1/cimg1443.jpg
  100%   user1/cimg1444.jpg
  100%   user1/cimg1445.jpg
  100%   user1/cimg1446.jpg
  100%   user1/cimg1456.jpg
  100%   user1/cimg1457.jpg
....

As can be seen, the first 3 pictures have some overwritten data blocks; all others are okay and recoverable.



The recovery

Replace only the list option (-l) with the recover option (-r):
ROBI@LINUX:/home/rob/test # ext4magic testfile.iso -f "user1"  -b 1275076685 -r
"RECOVERDIR"  accept for recoverdir
Filesystem in use: testfile.iso

Using internal Journal at Inode 8
Activ Time after  : Thu May 27 23:08:23 2010
Activ Time before : Fri May 28 21:58:05 2010
Inode found "user1"   60929
Inode 60929 is allocated
--------        RECOVERDIR/user1/cimg1436.jpg
--------        RECOVERDIR/user1/cimg1437.jpg
--------        RECOVERDIR/user1/cimg1438.jpg
--------        RECOVERDIR/user1/cimg1439.jpg
--------        RECOVERDIR/user1/cimg1441.jpg
--------        RECOVERDIR/user1/cimg1442.jpg
--------        RECOVERDIR/user1/cimg1443.jpg
--------        RECOVERDIR/user1/cimg1444.jpg
--------        RECOVERDIR/user1/cimg1445.jpg
--------        RECOVERDIR/user1/cimg1446.jpg
......


First check

List the recovered files. 3 files were partially destroyed and could not be restored.
ROBI@LINUX:/home/rob/test # ls -l RECOVERDIR/user1/cimg*
-rwxr-xr-x 1 root root 1871073 May 28 21:58 RECOVERDIR/user1/cimg1436.jpg
-rwxr-xr-x 1 root root 2039840 May 28 21:58 RECOVERDIR/user1/cimg1437.jpg
-rwxr-xr-x 1 root root 2061072 May 28 21:58 RECOVERDIR/user1/cimg1438.jpg
-rwxr-xr-x 1 root root 1844663 May 28 21:58 RECOVERDIR/user1/cimg1439.jpg
-rw-r--r-- 1 root root  715779 May 28 21:58 RECOVERDIR/user1/cimg1441.jpg
-rw-r--r-- 1 root root 2165891 May 28 21:58 RECOVERDIR/user1/cimg1442.jpg
-rw-r--r-- 1 root root  747751 May 28 21:58 RECOVERDIR/user1/cimg1443.jpg
-rw-r--r-- 1 root root  728500 May 28 21:58 RECOVERDIR/user1/cimg1444.jpg
-rw-r--r-- 1 root root  810420 May 28 21:58 RECOVERDIR/user1/cimg1445.jpg
-rw-r--r-- 1 root root  953308 May 28 21:58 RECOVERDIR/user1/cimg1446.jpg
......


