Recover an Overwritten File on ext3 File System

I've needed to recover deleted files on ext3, FAT, and NTFS file systems in the past, but I recently needed to recover a previous version of a text file I had overwritten by editing and saving it. I initially thought I might be able to recover it either by accessing the inode used by the previous version of the file, or by looking at ext3's journal.

Unfortunately, I had used nano to edit the file. Apparently, nano saves files by truncating and overwriting the file, reusing the same inode. Also, I quickly realized ext3's journal wouldn't help because my file system was mounted using data=ordered, not data=journal. From the ext3 FAQ:

  1. data=journal: Journals all data and metadata, so data is written twice.
  2. data=ordered: Only journals metadata changes.

Ultimately, I was able to recover the file with some help from stat, debugfs, and blkls from The Sleuth Kit. Before getting started, you'll need to install The Sleuth Kit. On Debian, it is available as a package, so:

apt-get install sleuthkit

First, check the inode being used by the file:

stat file.txt | grep Inode

This should return a line containing the inode, like:

Inode: 1474575

Next, back up the file, then delete it:

cp file.txt file.old
rm file.txt

Run debugfs /dev/sda1, replacing /dev/sda1 with the device that holds the file system the file is on. From the debugfs CLI, run stats and check its output for "Blocks per group". On my system, and most of the time, this is 32768. While still in the debugfs CLI, run imap to get the block that contains the inode:

imap <1474575>

In my case, the block was 5898242.

Once you know the block the inode is in, and the number of blocks per group, create a block range:

5898242+32768-1

Then use blkls to copy that block range to a file:

blkls /dev/sda1 5898242-5931009 >tmp.dat

Finally, open tmp.dat in your favorite text editor or use grep to search for the overwritten version of your file.
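The steps above as one script, as an added example (not the author's code). It parses the debugfs output, builds the same start+blocks-per-group-1 range, and goes one step beyond the article by clamping the range to the last block of the file system. The sample output is constructed, the /mnt/usb path is hypothetical, and the dls fallback follows a reader comment on this page.

```shell
# Added example, not the author's code: parse debugfs output, build the blkls range.

# Constructed sample output (inode and block from the article; block count is made up).
SAMPLE_IMAP='Inode 1474575 is part of block group 180
        located at block 5898242, offset 0x0700'
SAMPLE_STATS='Block count:              61049000
Reserved block count:     3052450
Blocks per group:         32768'

# Read one numeric "Key: value" field from `debugfs -R stats` output on stdin.
# Exact match on the key, so "Reserved block count" is not taken for "Block count".
stats_field() { awk -F: -v k="$1" '$1 == k { gsub(/[ \t]/, "", $2); print $2; exit }'; }

# Read the inode's block number from `debugfs -R "imap <N>"` output on stdin.
imap_block() { sed -n 's/.*located at block \([0-9][0-9]*\),.*/\1/p'; }

# Print "start-end" for blkls: start + blocks_per_group - 1, clamped to the
# last block of the file system (the clamp is an addition to the article).
blkls_range() {  # args: start blocks_per_group block_count
    end=$(( $1 + $2 - 1 ))
    if [ "$end" -ge "$3" ]; then end=$(( $3 - 1 )); fi
    echo "$1-$end"
}

# Run the steps against a real device. Write the output file ($3) to a different
# file system so the dump cannot overwrite the freed blocks being recovered.
recover_dump() {  # args: device inode outfile
    tool=$(command -v blkls || command -v dls) || { echo "blkls/dls not found" >&2; return 1; }
    stats=$(debugfs -R "stats" "$1" 2>/dev/null)
    start=$(debugfs -R "imap <$2>" "$1" 2>/dev/null | imap_block)
    bpg=$(printf '%s\n' "$stats" | stats_field "Blocks per group")
    total=$(printf '%s\n' "$stats" | stats_field "Block count")
    if [ -z "$start" ] || [ -z "$bpg" ] || [ -z "$total" ]; then
        echo "could not parse debugfs output" >&2; return 1
    fi
    "$tool" "$1" "$(blkls_range "$start" "$bpg" "$total")" > "$3"
}

# Example (hypothetical output path):
#   recover_dump /dev/sda1 1474575 /mnt/usb/tmp.dat
#   grep -a -n 'words from the old version' /mnt/usb/tmp.dat
```
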

For more details about ext3 file systems and recovering deleted files:

  1. Recovering Deleted Files on an ext3 File System
  2. Data Recovery on Linux and ext3

3 thoughts on “Recover an Overwritten File on ext3 File System”

  1. Jim

    I found this from a google search and it worked!
    I was so surprised. I am using Debian 5.0.7. I have no idea how this works! (but if I read through your links I probably will find out how)

    I was working on some code and used mv instead of cp on a file :(
    I opened up my code in Vim and deleted most of the contents, saved and quit. An hour or so later I realised what I did by checking history.
    This saved me a week's work, thank you.

    Small note that sleuthkit package that apt installed didn't have blkls in it. Reading the man page for blkls reveals that it was also called dls.

    Thanks again.

  2. Katsushi

    – THANK YOU SO MUCH! YOUR WEBSITE SAVED MY WHOLE LIFE!
    – Yesterday I mistakenly overwrote the text file today. There are my personal writings for around 8 years (!) in this file.
    – My whole data has been lost in just a moment. I was so shocked and could not sleep that day.
    – Next day, I tried to find out the way. I can hardly give up my effort for 8 years. Then I reached your website, I followed your guide with hope. Finally I could solve the problem. Though the recovered data was a little bit messed, but I remarked the last word I put before the catastrophe.
    – THANK YOU SO MUCH! YOU SAVED MY WHOLE LIFE!
