23

How do I undelete (recover) a deleted file on a btrfs partition?

I have not taken a snapshot yet, so I can't use that feature. I know there are some tools for other Linux file systems, but google has not turned up anything specific to btrfs. I came across one vague mention that btrfs includes an undelete tool, but I can't find it. Before trying tools for another file system, I'm asking here.

More info:

  • The (two) deleted files were deleted by a remote rsync command gone wrong.
  • These were small plain text files.
  • I know the names of the files.
  • I might be able to remember some strings in the files.
  • The disk is a regular HDD, but it is large (2TB).
  • I'm running Kubuntu 12.04 (beta2) with all latest updates.
  • I have not written any new data to the partition the files were deleted from.
  • I don't have a snapshot or a backup of these files. (The last backup is just a few hours older than these files.)
  • Strangely, a COW file system seems to have fewer file undelete options than ext3/4...
Improve this question
2
  • check btrfs restore which is simple and safe btrfs.wiki.kernel.org/index.php/Restore
    – Yami Odymel
    Commented Oct 31, 2020 at 0:16
  • @YamiOdymel "The btrfs restore utility is a non-destructive method for attempting to recover data from an unmountable filesystem." If you know how to use it to recover deleted files, please provide a complete answer and I'll accept it (if it works).
    – MountainX
    Commented Nov 1, 2020 at 2:15

4 Answers 4

Reset to default
10

As your files are small and plain text, I would try scanning the output of "strings" into the device where the filesystem resides, ie,

strings /dev/sda1 | less

then use "/" to search for the strings that could be in that file. When you find the text, delimit the start of it with "m" then move to the end and use "|cat >file" to save it to a file.

I've actually done that when I had a similar situation on another filesystem without undelete, a few years back, and it worked great for me.

Improve this answer
1
  • pv /dev/mapper/root | strings -w -n 1000 -s $'\n=x=x=x=x=x=x=x=x=x=x=x=x=x=x=y=z=\n' | gzip > /backup/strings2.gz or similar might be faster than hitting n in less cause you get one file at the end you can look at. csplit or similar could be used for automatic splitting.
    – Marc Weber
    Commented Sep 13, 2020 at 11:32
4

Jörg Walter implemented a btrfs-undelete shell script using the find-root and restore tools from btrfs-progs, which can be found here, and should help others in a similar position.

As it is licensed under GPLv2, I cannot include it here.

Improve this answer
6
  • 4
    Worth noting is that the said script has at least one path hardcoded (presumably by mistake) and has a few other problems, so buyers beware that it must be edited before use.
    – gamen
    Commented Jul 15, 2014 at 6:32
  • 5
    Here's a cleaned up version of the original script: gist.github.com/Changaco/45f8d171027ea2655d74
    – Changaco
    Commented Oct 30, 2015 at 17:03
  • 6
    "As it is licensed under GPLv2, I cannot include it here" - maybe you should read what the GPLv2 says, because that makes no sense whatsoever.
    – slang
    Commented Dec 12, 2016 at 23:37
  • 4
    @slang maybe you should read the terms of service of this site? Contributions must be licensed under the Creative Commons Attribution Share Alike 3.0 license.
    – suriv
    Commented Jan 7, 2017 at 16:37
  • @suriv - I guess I can understand their reasons for doing that, but that's pretty annoying. Especially since CC-BY-SA is only slightly more restrictive than the GPL (aside from GPLv3s patent stuff).
    – Omnifarious
    Commented Sep 8, 2018 at 6:53
4

If your btrfs drive has subvolumes you need to pass the additional -r <subvol-id> option to btrfs restore. Unfortunately the scripts out there, like the one user414471 posted (http://oelkers.de/tips/undeleteBtrfs.sh), don't have an option for doing this, but they can probably be adapted to this.

If you want to do this by hand you need to obtain the right subvol-id, either with:

# mount /dev/sdXY /mnt/blah
# btrfs subvolume list /mnt/blah
# umount /mnt/blah

or alternatively with:

# btrfs restore -l /dev/sdXY | grep ROOT_ITEM

Afterwards you use btrfs-find-root to get the block number to which you want to revert (usually the one just before the maximum one which is the current root). For this you need to first set the default subvolume to the one from which you want to revert files (and revert this change afterwards):

# mount /dev/sdXY /mnt/blah
# btrfs subvolume set-default <subvol-id> /mnt/blah
# umount /mnt/blah
# btrfs-find-root /dev/sdXY
Well block 4321280 seems great, but generation doesn't match, have=400760, want=400984 level 0
...
Well block 9928704 seems great, but generation doesn't match, have=400764, want=400984 level 1
Well block 1094836224 seems great, but generation doesn't match, have=400983, want=400984 level 1
Found tree root at 1095270400 gen 400984 level 1

You can finally use btrfs restore with -r <subvol-id> for the recovery (initially with the --dry-run argument if you wish):

# btrfs restore -r <subvol-id> -t 9928704 -v --path-regex '^/(|dir1(|/dir2(|/dir3(|/.*))))$' /dev/sdXY /tmp/recovery

More information about all this here: https://btrfs.wiki.kernel.org/index.php/Restore

Improve this answer
1
-1

I lost a bunch of video files on my NAS which uses the btrfs file system. As I am unfamiliar with Linux, I tried to find something that was less technical from the user standpoint. I tried photorec, but it only recovered photos (which I didn't even realize had been deleted), but did not find my video .mkv files.

I ended up using a product called ReclaiMe File Recovery (https://www.reclaime.com/download.aspx/) (ReclaiMe for short). I ran the program from my Windows 10 computer, with the NAS btrfs drive hooked up to a spare SATA connector. ReclaiMe found my NAS drive and all my deleted files, both the video files and photos. It neatly displayed the files in their original sub-directories, and I was able to select individual files that I wanted to restore. The recovered files had to be stored somewhere other than the NAS drive, so I just used a portable USB 3.0 hard-drive. I then reinstalled the NAS drive back in my NAS and uploaded the files from the USB drive to the NAS drive using the NAS software interface.

While ReclaiMe is not a free program, it was simple to use and allowed me to recover all my deleted files. It would would have taken me about 60 - 80 hours to recreate my video files from DVD, so I think the cost of the software was justified for me. The photo's I recovered could not be duplicated, so that also made it easier to justify the price of the software. I would recommend ReclaiMe software to anyone who needs to recover deleted files as it worked great for me. I would also add that you can download the software and try it before you buy. You can't recover files with the free software, but you can see if it finds your files before you purchase it. If it can't find the files you're looking for, it may be too late.

Improve this answer

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .