Recovering an overwritten file
Clash Royale CLAN TAG#URR8PPP
I accidentally misused the cp
command and overwrote one file's contents on an ext4 filesystem. Is there anyway I can recover this old file's contents and possibly its metadata (i.e., last write time, etc.)?
I'm aware that mv
frees up blocks for moves, but does the same apply for a wholesale copy operation?
data-recovery
|
show 3 more comments
I accidentally misused the cp
command and overwrote one file's contents on an ext4 filesystem. Is there anyway I can recover this old file's contents and possibly its metadata (i.e., last write time, etc.)?
I'm aware that mv
frees up blocks for moves, but does the same apply for a wholesale copy operation?
data-recovery
It depends on the type of filesystem. But unfortunately the spectrum of answers for different types of filesystem is likely to range between almost impossible and theoretically doable yet quite difficult.
– Celada
May 28 '15 at 17:52
exact command you used? file size before / after?
– frostschutz
May 28 '15 at 19:14
@Celada It is ext4.
– Melab
May 28 '15 at 20:38
@frostschutz The size before usingcp
was 1282 bytes and the size after usingcp
is now 3247 bytes.
– Melab
May 28 '15 at 20:44
2
@Melab Before doing anything, did you switch off any write operations on your partition/hard-drive? Just do it. The first thing to do in such cases is always to switch off the hard-drive/partition. When you have a solution, use it to extract your data. Until then DO NOT USE THAT HARD-DRIVE.
– shivams
May 28 '15 at 21:23
|
show 3 more comments
I accidentally misused the cp
command and overwrote one file's contents on an ext4 filesystem. Is there anyway I can recover this old file's contents and possibly its metadata (i.e., last write time, etc.)?
I'm aware that mv
frees up blocks for moves, but does the same apply for a wholesale copy operation?
data-recovery
I accidentally misused the cp
command and overwrote one file's contents on an ext4 filesystem. Is there anyway I can recover this old file's contents and possibly its metadata (i.e., last write time, etc.)?
I'm aware that mv
frees up blocks for moves, but does the same apply for a wholesale copy operation?
data-recovery
data-recovery
edited May 28 '15 at 20:39
Melab
asked May 28 '15 at 16:44
MelabMelab
92711423
92711423
It depends on the type of filesystem. But unfortunately the spectrum of answers for different types of filesystem is likely to range between almost impossible and theoretically doable yet quite difficult.
– Celada
May 28 '15 at 17:52
exact command you used? file size before / after?
– frostschutz
May 28 '15 at 19:14
@Celada It is ext4.
– Melab
May 28 '15 at 20:38
@frostschutz The size before usingcp
was 1282 bytes and the size after usingcp
is now 3247 bytes.
– Melab
May 28 '15 at 20:44
2
@Melab Before doing anything, did you switch off any write operations on your partition/hard-drive? Just do it. The first thing to do in such cases is always to switch off the hard-drive/partition. When you have a solution, use it to extract your data. Until then DO NOT USE THAT HARD-DRIVE.
– shivams
May 28 '15 at 21:23
|
show 3 more comments
It depends on the type of filesystem. But unfortunately the spectrum of answers for different types of filesystem is likely to range between almost impossible and theoretically doable yet quite difficult.
– Celada
May 28 '15 at 17:52
exact command you used? file size before / after?
– frostschutz
May 28 '15 at 19:14
@Celada It is ext4.
– Melab
May 28 '15 at 20:38
@frostschutz The size before usingcp
was 1282 bytes and the size after usingcp
is now 3247 bytes.
– Melab
May 28 '15 at 20:44
2
@Melab Before doing anything, did you switch off any write operations on your partition/hard-drive? Just do it. The first thing to do in such cases is always to switch off the hard-drive/partition. When you have a solution, use it to extract your data. Until then DO NOT USE THAT HARD-DRIVE.
– shivams
May 28 '15 at 21:23
It depends on the type of filesystem. But unfortunately the spectrum of answers for different types of filesystem is likely to range between almost impossible and theoretically doable yet quite difficult.
– Celada
May 28 '15 at 17:52
It depends on the type of filesystem. But unfortunately the spectrum of answers for different types of filesystem is likely to range between almost impossible and theoretically doable yet quite difficult.
– Celada
May 28 '15 at 17:52
exact command you used? file size before / after?
– frostschutz
May 28 '15 at 19:14
exact command you used? file size before / after?
– frostschutz
May 28 '15 at 19:14
@Celada It is ext4.
– Melab
May 28 '15 at 20:38
@Celada It is ext4.
– Melab
May 28 '15 at 20:38
@frostschutz The size before using
cp
was 1282 bytes and the size after using cp
is now 3247 bytes.– Melab
May 28 '15 at 20:44
@frostschutz The size before using
cp
was 1282 bytes and the size after using cp
is now 3247 bytes.– Melab
May 28 '15 at 20:44
2
2
@Melab Before doing anything, did you switch off any write operations on your partition/hard-drive? Just do it. The first thing to do in such cases is always to switch off the hard-drive/partition. When you have a solution, use it to extract your data. Until then DO NOT USE THAT HARD-DRIVE.
– shivams
May 28 '15 at 21:23
@Melab Before doing anything, did you switch off any write operations on your partition/hard-drive? Just do it. The first thing to do in such cases is always to switch off the hard-drive/partition. When you have a solution, use it to extract your data. Until then DO NOT USE THAT HARD-DRIVE.
– shivams
May 28 '15 at 21:23
|
show 3 more comments
3 Answers
3
active
oldest
votes
As i know is very difficult to recover a deleted file but try this
in 2005 i use this tool on ext3 partition and recover a lot of files.
Of course make a backup before use this and remind is not 100% guarantee to recover files
add a comment |
Example session in an ext4 filesystem:
Create two files a, b with your specified size:
# dd if=/dev/urandom of=a bs=1282 count=1
1+0 records in
1+0 records out
1282 bytes (1.3 kB) copied, 0.000647314 s, 2.0 MB/s
# dd if=/dev/urandom of=b bs=3247 count=1
1+0 records in
1+0 records out
3247 bytes (3.2 kB) copied, 0.00106112 s, 3.1 MB/s
Check where a is allocated physically:
# filefrag -sve a
Filesystem type is: ef53
File size of a is 1282 (1 block of 4096 bytes)
ext: logical_offset: physical_offset: length: expected: flags:
0: 0.. 0: 32833.. 32833: 1: last,eof
a: 1 extent found
Copy b to a, thereby "overwriting" a. (Output shortened.)
# strace cp b a
open("a", O_WRONLY|O_TRUNC) = 4
write(4, "CX256330x01pP326101~,252"3112022126021y377_S2542352262v3t"..., 3247) = 3247
Check where a is located physically after cp:
# filefrag -sve a
Filesystem type is: ef53
File size of a is 3247 (1 block of 4096 bytes)
ext: logical_offset: physical_offset: length: expected: flags:
0: 0.. 0: 33280.. 33280: 1: last,eof
a: 1 extent found
Note the location changed from 32833
to 33280
. Which means the original data is probably still to be found at 32833
- in this example.
What happened is that cp
truncates the output file so for a moment, it's a 0 byte file. That's nearly the same as deleting it, except it re-uses the inode. Writing to that file allocates from anywhere in the free space, which may be somewhere else as the old file used to be.
So there might be a chance of recovery if you know some part of the file content so you can locate it in the raw data. This is what photorec
does but only for known file types with distinct headers. extundelete
probably won't help as the file's inode wasn't really deleted, rather just re-used for the new file.
add a comment |
Depends how valuable the data is, as it is not easy. For now stop using the hard-disk, every operation on the disk will reduce your chance of recovery. For the future, learn and use a revision control system, and backup the repositories to a remote location.
If the files is removed, but is still open by some process, then it will not be deleted. It can still be recovered, by finding a reference to it, in /proc
, and copying to a new location.
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f206137%2frecovering-an-overwritten-file%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
3 Answers
3
active
oldest
votes
3 Answers
3
active
oldest
votes
active
oldest
votes
active
oldest
votes
As i know is very difficult to recover a deleted file but try this
in 2005 i use this tool on ext3 partition and recover a lot of files.
Of course make a backup before use this and remind is not 100% guarantee to recover files
add a comment |
As i know is very difficult to recover a deleted file but try this
in 2005 i use this tool on ext3 partition and recover a lot of files.
Of course make a backup before use this and remind is not 100% guarantee to recover files
add a comment |
As i know is very difficult to recover a deleted file but try this
in 2005 i use this tool on ext3 partition and recover a lot of files.
Of course make a backup before use this and remind is not 100% guarantee to recover files
As i know is very difficult to recover a deleted file but try this
in 2005 i use this tool on ext3 partition and recover a lot of files.
Of course make a backup before use this and remind is not 100% guarantee to recover files
answered May 28 '15 at 18:03
elbarnaelbarna
4,155123784
4,155123784
add a comment |
add a comment |
Example session in an ext4 filesystem:
Create two files a, b with your specified size:
# dd if=/dev/urandom of=a bs=1282 count=1
1+0 records in
1+0 records out
1282 bytes (1.3 kB) copied, 0.000647314 s, 2.0 MB/s
# dd if=/dev/urandom of=b bs=3247 count=1
1+0 records in
1+0 records out
3247 bytes (3.2 kB) copied, 0.00106112 s, 3.1 MB/s
Check where a is allocated physically:
# filefrag -sve a
Filesystem type is: ef53
File size of a is 1282 (1 block of 4096 bytes)
ext: logical_offset: physical_offset: length: expected: flags:
0: 0.. 0: 32833.. 32833: 1: last,eof
a: 1 extent found
Copy b to a, thereby "overwriting" a. (Output shortened.)
# strace cp b a
open("a", O_WRONLY|O_TRUNC) = 4
write(4, "CX256330x01pP326101~,252"3112022126021y377_S2542352262v3t"..., 3247) = 3247
Check where a is located physically after cp:
# filefrag -sve a
Filesystem type is: ef53
File size of a is 3247 (1 block of 4096 bytes)
ext: logical_offset: physical_offset: length: expected: flags:
0: 0.. 0: 33280.. 33280: 1: last,eof
a: 1 extent found
Note the location changed from 32833
to 33280
. Which means the original data is probably still to be found at 32833
- in this example.
What happened is that cp
truncates the output file so for a moment, it's a 0 byte file. That's nearly the same as deleting it, except it re-uses the inode. Writing to that file allocates from anywhere in the free space, which may be somewhere else as the old file used to be.
So there might be a chance of recovery if you know some part of the file content so you can locate it in the raw data. This is what photorec
does but only for known file types with distinct headers. extundelete
probably won't help as the file's inode wasn't really deleted, rather just re-used for the new file.
add a comment |
Example session in an ext4 filesystem:
Create two files a, b with your specified size:
# dd if=/dev/urandom of=a bs=1282 count=1
1+0 records in
1+0 records out
1282 bytes (1.3 kB) copied, 0.000647314 s, 2.0 MB/s
# dd if=/dev/urandom of=b bs=3247 count=1
1+0 records in
1+0 records out
3247 bytes (3.2 kB) copied, 0.00106112 s, 3.1 MB/s
Check where a is allocated physically:
# filefrag -sve a
Filesystem type is: ef53
File size of a is 1282 (1 block of 4096 bytes)
ext: logical_offset: physical_offset: length: expected: flags:
0: 0.. 0: 32833.. 32833: 1: last,eof
a: 1 extent found
Copy b to a, thereby "overwriting" a. (Output shortened.)
# strace cp b a
open("a", O_WRONLY|O_TRUNC) = 4
write(4, "CX256330x01pP326101~,252"3112022126021y377_S2542352262v3t"..., 3247) = 3247
Check where a is located physically after cp:
# filefrag -sve a
Filesystem type is: ef53
File size of a is 3247 (1 block of 4096 bytes)
ext: logical_offset: physical_offset: length: expected: flags:
0: 0.. 0: 33280.. 33280: 1: last,eof
a: 1 extent found
Note the location changed from 32833
to 33280
. Which means the original data is probably still to be found at 32833
- in this example.
What happened is that cp
truncates the output file so for a moment, it's a 0 byte file. That's nearly the same as deleting it, except it re-uses the inode. Writing to that file allocates from anywhere in the free space, which may be somewhere else as the old file used to be.
So there might be a chance of recovery if you know some part of the file content so you can locate it in the raw data. This is what photorec
does but only for known file types with distinct headers. extundelete
probably won't help as the file's inode wasn't really deleted, rather just re-used for the new file.
add a comment |
Example session in an ext4 filesystem:
Create two files a, b with your specified size:
# dd if=/dev/urandom of=a bs=1282 count=1
1+0 records in
1+0 records out
1282 bytes (1.3 kB) copied, 0.000647314 s, 2.0 MB/s
# dd if=/dev/urandom of=b bs=3247 count=1
1+0 records in
1+0 records out
3247 bytes (3.2 kB) copied, 0.00106112 s, 3.1 MB/s
Check where a is allocated physically:
# filefrag -sve a
Filesystem type is: ef53
File size of a is 1282 (1 block of 4096 bytes)
ext: logical_offset: physical_offset: length: expected: flags:
0: 0.. 0: 32833.. 32833: 1: last,eof
a: 1 extent found
Copy b to a, thereby "overwriting" a. (Output shortened.)
# strace cp b a
open("a", O_WRONLY|O_TRUNC) = 4
write(4, "CX256330x01pP326101~,252"3112022126021y377_S2542352262v3t"..., 3247) = 3247
Check where a is located physically after cp:
# filefrag -sve a
Filesystem type is: ef53
File size of a is 3247 (1 block of 4096 bytes)
ext: logical_offset: physical_offset: length: expected: flags:
0: 0.. 0: 33280.. 33280: 1: last,eof
a: 1 extent found
Note the location changed from 32833
to 33280
. Which means the original data is probably still to be found at 32833
- in this example.
What happened is that cp
truncates the output file so for a moment, it's a 0 byte file. That's nearly the same as deleting it, except it re-uses the inode. Writing to that file allocates from anywhere in the free space, which may be somewhere else as the old file used to be.
So there might be a chance of recovery if you know some part of the file content so you can locate it in the raw data. This is what photorec
does but only for known file types with distinct headers. extundelete
probably won't help as the file's inode wasn't really deleted, rather just re-used for the new file.
Example session in an ext4 filesystem:
Create two files a, b with your specified size:
# dd if=/dev/urandom of=a bs=1282 count=1
1+0 records in
1+0 records out
1282 bytes (1.3 kB) copied, 0.000647314 s, 2.0 MB/s
# dd if=/dev/urandom of=b bs=3247 count=1
1+0 records in
1+0 records out
3247 bytes (3.2 kB) copied, 0.00106112 s, 3.1 MB/s
Check where a is allocated physically:
# filefrag -sve a
Filesystem type is: ef53
File size of a is 1282 (1 block of 4096 bytes)
ext: logical_offset: physical_offset: length: expected: flags:
0: 0.. 0: 32833.. 32833: 1: last,eof
a: 1 extent found
Copy b to a, thereby "overwriting" a. (Output shortened.)
# strace cp b a
open("a", O_WRONLY|O_TRUNC) = 4
write(4, "CX256330x01pP326101~,252"3112022126021y377_S2542352262v3t"..., 3247) = 3247
Check where a is located physically after cp:
# filefrag -sve a
Filesystem type is: ef53
File size of a is 3247 (1 block of 4096 bytes)
ext: logical_offset: physical_offset: length: expected: flags:
0: 0.. 0: 33280.. 33280: 1: last,eof
a: 1 extent found
Note the location changed from 32833
to 33280
. Which means the original data is probably still to be found at 32833
- in this example.
What happened is that cp
truncates the output file so for a moment, it's a 0 byte file. That's nearly the same as deleting it, except it re-uses the inode. Writing to that file allocates from anywhere in the free space, which may be somewhere else as the old file used to be.
So there might be a chance of recovery if you know some part of the file content so you can locate it in the raw data. This is what photorec
does but only for known file types with distinct headers. extundelete
probably won't help as the file's inode wasn't really deleted, rather just re-used for the new file.
answered May 29 '15 at 2:18
frostschutzfrostschutz
27.3k15586
27.3k15586
add a comment |
add a comment |
Depends how valuable the data is, as it is not easy. For now stop using the hard-disk, every operation on the disk will reduce your chance of recovery. For the future, learn and use a revision control system, and backup the repositories to a remote location.
If the files is removed, but is still open by some process, then it will not be deleted. It can still be recovered, by finding a reference to it, in /proc
, and copying to a new location.
add a comment |
Depends how valuable the data is, as it is not easy. For now stop using the hard-disk, every operation on the disk will reduce your chance of recovery. For the future, learn and use a revision control system, and backup the repositories to a remote location.
If the files is removed, but is still open by some process, then it will not be deleted. It can still be recovered, by finding a reference to it, in /proc
, and copying to a new location.
add a comment |
Depends how valuable the data is, as it is not easy. For now stop using the hard-disk, every operation on the disk will reduce your chance of recovery. For the future, learn and use a revision control system, and backup the repositories to a remote location.
If the files is removed, but is still open by some process, then it will not be deleted. It can still be recovered, by finding a reference to it, in /proc
, and copying to a new location.
Depends how valuable the data is, as it is not easy. For now stop using the hard-disk, every operation on the disk will reduce your chance of recovery. For the future, learn and use a revision control system, and backup the repositories to a remote location.
If the files is removed, but is still open by some process, then it will not be deleted. It can still be recovered, by finding a reference to it, in /proc
, and copying to a new location.
answered Feb 10 at 15:24
ctrl-alt-delorctrl-alt-delor
11.8k42160
11.8k42160
add a comment |
add a comment |
Thanks for contributing an answer to Unix & Linux Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f206137%2frecovering-an-overwritten-file%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
It depends on the type of filesystem. But unfortunately the spectrum of answers for different types of filesystem is likely to range between almost impossible and theoretically doable yet quite difficult.
– Celada
May 28 '15 at 17:52
exact command you used? file size before / after?
– frostschutz
May 28 '15 at 19:14
@Celada It is ext4.
– Melab
May 28 '15 at 20:38
@frostschutz The size before using
cp
was 1282 bytes and the size after usingcp
is now 3247 bytes.– Melab
May 28 '15 at 20:44
2
@Melab Before doing anything, did you switch off any write operations on your partition/hard-drive? Just do it. The first thing to do in such cases is always to switch off the hard-drive/partition. When you have a solution, use it to extract your data. Until then DO NOT USE THAT HARD-DRIVE.
– shivams
May 28 '15 at 21:23