Recovering an overwritten file

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP












1















I accidentally misused the cp command and overwrote one file's contents on an ext4 filesystem. Is there anyway I can recover this old file's contents and possibly its metadata (i.e., last write time, etc.)?



I'm aware that mv frees up blocks for moves, but does the same apply for a wholesale copy operation?










share|improve this question
























  • It depends on the type of filesystem. But unfortunately the spectrum of answers for different types of filesystem is likely to range between almost impossible and theoretically doable yet quite difficult.

    – Celada
    May 28 '15 at 17:52











  • exact command you used? file size before / after?

    – frostschutz
    May 28 '15 at 19:14











  • @Celada It is ext4.

    – Melab
    May 28 '15 at 20:38











  • @frostschutz The size before using cp was 1282 bytes and the size after using cp is now 3247 bytes.

    – Melab
    May 28 '15 at 20:44






  • 2





    @Melab Before doing anything, did you switch off any write operations on your partition/hard-drive? Just do it. The first thing to do in such cases is always to switch off the hard-drive/partition. When you have a solution, use it to extract your data. Until then DO NOT USE THAT HARD-DRIVE.

    – shivams
    May 28 '15 at 21:23
















1















I accidentally misused the cp command and overwrote one file's contents on an ext4 filesystem. Is there anyway I can recover this old file's contents and possibly its metadata (i.e., last write time, etc.)?



I'm aware that mv frees up blocks for moves, but does the same apply for a wholesale copy operation?










share|improve this question
























  • It depends on the type of filesystem. But unfortunately the spectrum of answers for different types of filesystem is likely to range between almost impossible and theoretically doable yet quite difficult.

    – Celada
    May 28 '15 at 17:52











  • exact command you used? file size before / after?

    – frostschutz
    May 28 '15 at 19:14











  • @Celada It is ext4.

    – Melab
    May 28 '15 at 20:38











  • @frostschutz The size before using cp was 1282 bytes and the size after using cp is now 3247 bytes.

    – Melab
    May 28 '15 at 20:44






  • 2





    @Melab Before doing anything, did you switch off any write operations on your partition/hard-drive? Just do it. The first thing to do in such cases is always to switch off the hard-drive/partition. When you have a solution, use it to extract your data. Until then DO NOT USE THAT HARD-DRIVE.

    – shivams
    May 28 '15 at 21:23














1












1








1


1






I accidentally misused the cp command and overwrote one file's contents on an ext4 filesystem. Is there anyway I can recover this old file's contents and possibly its metadata (i.e., last write time, etc.)?



I'm aware that mv frees up blocks for moves, but does the same apply for a wholesale copy operation?










share|improve this question
















I accidentally misused the cp command and overwrote one file's contents on an ext4 filesystem. Is there anyway I can recover this old file's contents and possibly its metadata (i.e., last write time, etc.)?



I'm aware that mv frees up blocks for moves, but does the same apply for a wholesale copy operation?







data-recovery






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited May 28 '15 at 20:39







Melab

















asked May 28 '15 at 16:44









MelabMelab

92711423




92711423












  • It depends on the type of filesystem. But unfortunately the spectrum of answers for different types of filesystem is likely to range between almost impossible and theoretically doable yet quite difficult.

    – Celada
    May 28 '15 at 17:52











  • exact command you used? file size before / after?

    – frostschutz
    May 28 '15 at 19:14











  • @Celada It is ext4.

    – Melab
    May 28 '15 at 20:38











  • @frostschutz The size before using cp was 1282 bytes and the size after using cp is now 3247 bytes.

    – Melab
    May 28 '15 at 20:44






  • 2





    @Melab Before doing anything, did you switch off any write operations on your partition/hard-drive? Just do it. The first thing to do in such cases is always to switch off the hard-drive/partition. When you have a solution, use it to extract your data. Until then DO NOT USE THAT HARD-DRIVE.

    – shivams
    May 28 '15 at 21:23


















  • It depends on the type of filesystem. But unfortunately the spectrum of answers for different types of filesystem is likely to range between almost impossible and theoretically doable yet quite difficult.

    – Celada
    May 28 '15 at 17:52











  • exact command you used? file size before / after?

    – frostschutz
    May 28 '15 at 19:14











  • @Celada It is ext4.

    – Melab
    May 28 '15 at 20:38











  • @frostschutz The size before using cp was 1282 bytes and the size after using cp is now 3247 bytes.

    – Melab
    May 28 '15 at 20:44






  • 2





    @Melab Before doing anything, did you switch off any write operations on your partition/hard-drive? Just do it. The first thing to do in such cases is always to switch off the hard-drive/partition. When you have a solution, use it to extract your data. Until then DO NOT USE THAT HARD-DRIVE.

    – shivams
    May 28 '15 at 21:23

















It depends on the type of filesystem. But unfortunately the spectrum of answers for different types of filesystem is likely to range between almost impossible and theoretically doable yet quite difficult.

– Celada
May 28 '15 at 17:52





It depends on the type of filesystem. But unfortunately the spectrum of answers for different types of filesystem is likely to range between almost impossible and theoretically doable yet quite difficult.

– Celada
May 28 '15 at 17:52













exact command you used? file size before / after?

– frostschutz
May 28 '15 at 19:14





exact command you used? file size before / after?

– frostschutz
May 28 '15 at 19:14













@Celada It is ext4.

– Melab
May 28 '15 at 20:38





@Celada It is ext4.

– Melab
May 28 '15 at 20:38













@frostschutz The size before using cp was 1282 bytes and the size after using cp is now 3247 bytes.

– Melab
May 28 '15 at 20:44





@frostschutz The size before using cp was 1282 bytes and the size after using cp is now 3247 bytes.

– Melab
May 28 '15 at 20:44




2




2





@Melab Before doing anything, did you switch off any write operations on your partition/hard-drive? Just do it. The first thing to do in such cases is always to switch off the hard-drive/partition. When you have a solution, use it to extract your data. Until then DO NOT USE THAT HARD-DRIVE.

– shivams
May 28 '15 at 21:23






@Melab Before doing anything, did you switch off any write operations on your partition/hard-drive? Just do it. The first thing to do in such cases is always to switch off the hard-drive/partition. When you have a solution, use it to extract your data. Until then DO NOT USE THAT HARD-DRIVE.

– shivams
May 28 '15 at 21:23











3 Answers
3






active

oldest

votes


















0














As i know is very difficult to recover a deleted file but try this



in 2005 i use this tool on ext3 partition and recover a lot of files.
Of course make a backup before use this and remind is not 100% guarantee to recover files






share|improve this answer






























    0














    Example session in an ext4 filesystem:



    Create two files a, b with your specified size:



    # dd if=/dev/urandom of=a bs=1282 count=1
    1+0 records in
    1+0 records out
    1282 bytes (1.3 kB) copied, 0.000647314 s, 2.0 MB/s
    # dd if=/dev/urandom of=b bs=3247 count=1
    1+0 records in
    1+0 records out
    3247 bytes (3.2 kB) copied, 0.00106112 s, 3.1 MB/s


    Check where a is allocated physically:



    # filefrag -sve a
    Filesystem type is: ef53
    File size of a is 1282 (1 block of 4096 bytes)
    ext: logical_offset: physical_offset: length: expected: flags:
    0: 0.. 0: 32833.. 32833: 1: last,eof
    a: 1 extent found


    Copy b to a, thereby "overwriting" a. (Output shortened.)



    # strace cp b a
    open("a", O_WRONLY|O_TRUNC) = 4
    write(4, "CX256330x01pP326101~,252"3112022126021y377_S2542352262v3t"..., 3247) = 3247


    Check where a is located physically after cp:



    # filefrag -sve a
    Filesystem type is: ef53
    File size of a is 3247 (1 block of 4096 bytes)
    ext: logical_offset: physical_offset: length: expected: flags:
    0: 0.. 0: 33280.. 33280: 1: last,eof
    a: 1 extent found


    Note the location changed from 32833 to 33280. Which means the original data is probably still to be found at 32833 - in this example.



    What happened is that cp truncates the output file so for a moment, it's a 0 byte file. That's nearly the same as deleting it, except it re-uses the inode. Writing to that file allocates from anywhere in the free space, which may be somewhere else as the old file used to be.



    So there might be a chance of recovery if you know some part of the file content so you can locate it in the raw data. This is what photorec does but only for known file types with distinct headers. extundelete probably won't help as the file's inode wasn't really deleted, rather just re-used for the new file.






    share|improve this answer






























      0














      Depends how valuable the data is, as it is not easy. For now stop using the hard-disk, every operation on the disk will reduce your chance of recovery. For the future, learn and use a revision control system, and backup the repositories to a remote location.



      If the files is removed, but is still open by some process, then it will not be deleted. It can still be recovered, by finding a reference to it, in /proc, and copying to a new location.






      share|improve this answer






















        Your Answer








        StackExchange.ready(function()
        var channelOptions =
        tags: "".split(" "),
        id: "106"
        ;
        initTagRenderer("".split(" "), "".split(" "), channelOptions);

        StackExchange.using("externalEditor", function()
        // Have to fire editor after snippets, if snippets enabled
        if (StackExchange.settings.snippets.snippetsEnabled)
        StackExchange.using("snippets", function()
        createEditor();
        );

        else
        createEditor();

        );

        function createEditor()
        StackExchange.prepareEditor(
        heartbeatType: 'answer',
        autoActivateHeartbeat: false,
        convertImagesToLinks: false,
        noModals: true,
        showLowRepImageUploadWarning: true,
        reputationToPostImages: null,
        bindNavPrevention: true,
        postfix: "",
        imageUploader:
        brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
        contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
        allowUrls: true
        ,
        onDemand: true,
        discardSelector: ".discard-answer"
        ,immediatelyShowMarkdownHelp:true
        );



        );













        draft saved

        draft discarded


















        StackExchange.ready(
        function ()
        StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f206137%2frecovering-an-overwritten-file%23new-answer', 'question_page');

        );

        Post as a guest















        Required, but never shown

























        3 Answers
        3






        active

        oldest

        votes








        3 Answers
        3






        active

        oldest

        votes









        active

        oldest

        votes






        active

        oldest

        votes









        0














        As i know is very difficult to recover a deleted file but try this



        in 2005 i use this tool on ext3 partition and recover a lot of files.
        Of course make a backup before use this and remind is not 100% guarantee to recover files






        share|improve this answer



























          0














          As i know is very difficult to recover a deleted file but try this



          in 2005 i use this tool on ext3 partition and recover a lot of files.
          Of course make a backup before use this and remind is not 100% guarantee to recover files






          share|improve this answer

























            0












            0








            0







            As i know is very difficult to recover a deleted file but try this



            in 2005 i use this tool on ext3 partition and recover a lot of files.
            Of course make a backup before use this and remind is not 100% guarantee to recover files






            share|improve this answer













            As i know is very difficult to recover a deleted file but try this



            in 2005 i use this tool on ext3 partition and recover a lot of files.
            Of course make a backup before use this and remind is not 100% guarantee to recover files







            share|improve this answer












            share|improve this answer



            share|improve this answer










            answered May 28 '15 at 18:03









            elbarnaelbarna

            4,155123784




            4,155123784























                0














                Example session in an ext4 filesystem:



                Create two files a, b with your specified size:



                # dd if=/dev/urandom of=a bs=1282 count=1
                1+0 records in
                1+0 records out
                1282 bytes (1.3 kB) copied, 0.000647314 s, 2.0 MB/s
                # dd if=/dev/urandom of=b bs=3247 count=1
                1+0 records in
                1+0 records out
                3247 bytes (3.2 kB) copied, 0.00106112 s, 3.1 MB/s


                Check where a is allocated physically:



                # filefrag -sve a
                Filesystem type is: ef53
                File size of a is 1282 (1 block of 4096 bytes)
                ext: logical_offset: physical_offset: length: expected: flags:
                0: 0.. 0: 32833.. 32833: 1: last,eof
                a: 1 extent found


                Copy b to a, thereby "overwriting" a. (Output shortened.)



                # strace cp b a
                open("a", O_WRONLY|O_TRUNC) = 4
                write(4, "CX256330x01pP326101~,252"3112022126021y377_S2542352262v3t"..., 3247) = 3247


                Check where a is located physically after cp:



                # filefrag -sve a
                Filesystem type is: ef53
                File size of a is 3247 (1 block of 4096 bytes)
                ext: logical_offset: physical_offset: length: expected: flags:
                0: 0.. 0: 33280.. 33280: 1: last,eof
                a: 1 extent found


                Note the location changed from 32833 to 33280. Which means the original data is probably still to be found at 32833 - in this example.



                What happened is that cp truncates the output file so for a moment, it's a 0 byte file. That's nearly the same as deleting it, except it re-uses the inode. Writing to that file allocates from anywhere in the free space, which may be somewhere else as the old file used to be.



                So there might be a chance of recovery if you know some part of the file content so you can locate it in the raw data. This is what photorec does but only for known file types with distinct headers. extundelete probably won't help as the file's inode wasn't really deleted, rather just re-used for the new file.






                share|improve this answer



























                  0














                  Example session in an ext4 filesystem:



                  Create two files a, b with your specified size:



                  # dd if=/dev/urandom of=a bs=1282 count=1
                  1+0 records in
                  1+0 records out
                  1282 bytes (1.3 kB) copied, 0.000647314 s, 2.0 MB/s
                  # dd if=/dev/urandom of=b bs=3247 count=1
                  1+0 records in
                  1+0 records out
                  3247 bytes (3.2 kB) copied, 0.00106112 s, 3.1 MB/s


                  Check where a is allocated physically:



                  # filefrag -sve a
                  Filesystem type is: ef53
                  File size of a is 1282 (1 block of 4096 bytes)
                  ext: logical_offset: physical_offset: length: expected: flags:
                  0: 0.. 0: 32833.. 32833: 1: last,eof
                  a: 1 extent found


                  Copy b to a, thereby "overwriting" a. (Output shortened.)



                  # strace cp b a
                  open("a", O_WRONLY|O_TRUNC) = 4
                  write(4, "CX256330x01pP326101~,252"3112022126021y377_S2542352262v3t"..., 3247) = 3247


                  Check where a is located physically after cp:



                  # filefrag -sve a
                  Filesystem type is: ef53
                  File size of a is 3247 (1 block of 4096 bytes)
                  ext: logical_offset: physical_offset: length: expected: flags:
                  0: 0.. 0: 33280.. 33280: 1: last,eof
                  a: 1 extent found


                  Note the location changed from 32833 to 33280. Which means the original data is probably still to be found at 32833 - in this example.



                  What happened is that cp truncates the output file so for a moment, it's a 0 byte file. That's nearly the same as deleting it, except it re-uses the inode. Writing to that file allocates from anywhere in the free space, which may be somewhere else as the old file used to be.



                  So there might be a chance of recovery if you know some part of the file content so you can locate it in the raw data. This is what photorec does but only for known file types with distinct headers. extundelete probably won't help as the file's inode wasn't really deleted, rather just re-used for the new file.






                  share|improve this answer

























                    0












                    0








                    0







                    Example session in an ext4 filesystem:



                    Create two files a, b with your specified size:



                    # dd if=/dev/urandom of=a bs=1282 count=1
                    1+0 records in
                    1+0 records out
                    1282 bytes (1.3 kB) copied, 0.000647314 s, 2.0 MB/s
                    # dd if=/dev/urandom of=b bs=3247 count=1
                    1+0 records in
                    1+0 records out
                    3247 bytes (3.2 kB) copied, 0.00106112 s, 3.1 MB/s


                    Check where a is allocated physically:



                    # filefrag -sve a
                    Filesystem type is: ef53
                    File size of a is 1282 (1 block of 4096 bytes)
                    ext: logical_offset: physical_offset: length: expected: flags:
                    0: 0.. 0: 32833.. 32833: 1: last,eof
                    a: 1 extent found


                    Copy b to a, thereby "overwriting" a. (Output shortened.)



                    # strace cp b a
                    open("a", O_WRONLY|O_TRUNC) = 4
                    write(4, "CX256330x01pP326101~,252"3112022126021y377_S2542352262v3t"..., 3247) = 3247


                    Check where a is located physically after cp:



                    # filefrag -sve a
                    Filesystem type is: ef53
                    File size of a is 3247 (1 block of 4096 bytes)
                    ext: logical_offset: physical_offset: length: expected: flags:
                    0: 0.. 0: 33280.. 33280: 1: last,eof
                    a: 1 extent found


                    Note the location changed from 32833 to 33280. Which means the original data is probably still to be found at 32833 - in this example.



                    What happened is that cp truncates the output file so for a moment, it's a 0 byte file. That's nearly the same as deleting it, except it re-uses the inode. Writing to that file allocates from anywhere in the free space, which may be somewhere else as the old file used to be.



                    So there might be a chance of recovery if you know some part of the file content so you can locate it in the raw data. This is what photorec does but only for known file types with distinct headers. extundelete probably won't help as the file's inode wasn't really deleted, rather just re-used for the new file.






                    share|improve this answer













                    Example session in an ext4 filesystem:



                    Create two files a, b with your specified size:



                    # dd if=/dev/urandom of=a bs=1282 count=1
                    1+0 records in
                    1+0 records out
                    1282 bytes (1.3 kB) copied, 0.000647314 s, 2.0 MB/s
                    # dd if=/dev/urandom of=b bs=3247 count=1
                    1+0 records in
                    1+0 records out
                    3247 bytes (3.2 kB) copied, 0.00106112 s, 3.1 MB/s


                    Check where a is allocated physically:



                    # filefrag -sve a
                    Filesystem type is: ef53
                    File size of a is 1282 (1 block of 4096 bytes)
                    ext: logical_offset: physical_offset: length: expected: flags:
                    0: 0.. 0: 32833.. 32833: 1: last,eof
                    a: 1 extent found


                    Copy b to a, thereby "overwriting" a. (Output shortened.)



                    # strace cp b a
                    open("a", O_WRONLY|O_TRUNC) = 4
                    write(4, "CX256330x01pP326101~,252"3112022126021y377_S2542352262v3t"..., 3247) = 3247


                    Check where a is located physically after cp:



                    # filefrag -sve a
                    Filesystem type is: ef53
                    File size of a is 3247 (1 block of 4096 bytes)
                    ext: logical_offset: physical_offset: length: expected: flags:
                    0: 0.. 0: 33280.. 33280: 1: last,eof
                    a: 1 extent found


                    Note the location changed from 32833 to 33280. Which means the original data is probably still to be found at 32833 - in this example.



                    What happened is that cp truncates the output file so for a moment, it's a 0 byte file. That's nearly the same as deleting it, except it re-uses the inode. Writing to that file allocates from anywhere in the free space, which may be somewhere else as the old file used to be.



                    So there might be a chance of recovery if you know some part of the file content so you can locate it in the raw data. This is what photorec does but only for known file types with distinct headers. extundelete probably won't help as the file's inode wasn't really deleted, rather just re-used for the new file.







                    share|improve this answer












                    share|improve this answer



                    share|improve this answer










                    answered May 29 '15 at 2:18









                    frostschutzfrostschutz

                    27.3k15586




                    27.3k15586





















                        0














                        Depends how valuable the data is, as it is not easy. For now stop using the hard-disk, every operation on the disk will reduce your chance of recovery. For the future, learn and use a revision control system, and backup the repositories to a remote location.



                        If the files is removed, but is still open by some process, then it will not be deleted. It can still be recovered, by finding a reference to it, in /proc, and copying to a new location.






                        share|improve this answer



























                          0














                          Depends how valuable the data is, as it is not easy. For now stop using the hard-disk, every operation on the disk will reduce your chance of recovery. For the future, learn and use a revision control system, and backup the repositories to a remote location.



                          If the files is removed, but is still open by some process, then it will not be deleted. It can still be recovered, by finding a reference to it, in /proc, and copying to a new location.






                          share|improve this answer

























                            0












                            0








                            0







                            Depends how valuable the data is, as it is not easy. For now stop using the hard-disk, every operation on the disk will reduce your chance of recovery. For the future, learn and use a revision control system, and backup the repositories to a remote location.



                            If the files is removed, but is still open by some process, then it will not be deleted. It can still be recovered, by finding a reference to it, in /proc, and copying to a new location.






                            share|improve this answer













                            Depends how valuable the data is, as it is not easy. For now stop using the hard-disk, every operation on the disk will reduce your chance of recovery. For the future, learn and use a revision control system, and backup the repositories to a remote location.



                            If the files is removed, but is still open by some process, then it will not be deleted. It can still be recovered, by finding a reference to it, in /proc, and copying to a new location.







                            share|improve this answer












                            share|improve this answer



                            share|improve this answer










                            answered Feb 10 at 15:24









                            ctrl-alt-delorctrl-alt-delor

                            11.8k42160




                            11.8k42160



























                                draft saved

                                draft discarded
















































                                Thanks for contributing an answer to Unix & Linux Stack Exchange!


                                • Please be sure to answer the question. Provide details and share your research!

                                But avoid


                                • Asking for help, clarification, or responding to other answers.

                                • Making statements based on opinion; back them up with references or personal experience.

                                To learn more, see our tips on writing great answers.




                                draft saved


                                draft discarded














                                StackExchange.ready(
                                function ()
                                StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f206137%2frecovering-an-overwritten-file%23new-answer', 'question_page');

                                );

                                Post as a guest















                                Required, but never shown





















































                                Required, but never shown














                                Required, but never shown












                                Required, but never shown







                                Required, but never shown

































                                Required, but never shown














                                Required, but never shown












                                Required, but never shown







                                Required, but never shown






                                Popular posts from this blog

                                How to check contact read email or not when send email to Individual?

                                Displaying single band from multi-band raster using QGIS

                                How many registers does an x86_64 CPU actually have?