Evaluating Linux Data Recovery Tools: A Comprehensive Analysis of R-Studio, TestDisk, and More

Recently, we encountered a case where an ext4 system had been completely wiped. We obtained an image of the wiped system disk; its file system was severely damaged. This provided an opportunity to evaluate various Linux data recovery tools in an extreme scenario and see how they perform.

Linux Data Recovery Toolkit

  • debugfs
  • testdisk
  • extundelete
  • R-Studio
  • DiskGenius
  • X-ways Forensics

Preparation Before Recovery

We have the system disk image of a Linux system, and we will perform different operations depending on the recovery scenario.

Entering Rescue Mode

If using Linux-based data recovery tools, create an instance from the image and boot it directly into rescue mode.


Copy System Disk and Remount to Windows Instance

Using Windows data recovery tools is relatively more cumbersome.


Since the cloud platform does not support mounting a system disk as a data disk, you first need to copy the system disk to a data disk (this feature is not officially available yet and requires a support ticket), then attach that data disk to the Windows instance.

debugfs

We are not using the system's built-in debugfs but a heavily modified version based on the debugfs 1.42.7 source code, built specifically for emergency forensics.

Recover Files Based on Content Characteristics

For example, when bash records command timestamps (HISTTIMEFORMAT is set), each entry in ~/.bash_history is preceded by a line of the form #<Unix epoch>. That prefix is a content characteristic of the file, so an epoch prefix such as "#169" (timestamps from mid-2023) can be used as the search keyword.

 ./debugfs /dev/vda1 -R 'dump_unused -k "#169" -v' | tee history-recover.log

Date-stamped files, such as ssh logs containing dates like 2023-09-01, are likewise easy to recover by keyword.

 ./debugfs /dev/vda1 -R 'dump_unused -k "2023-08-31 " -v' | tee 2023-08-31.log

Note: what debugfs recovers this way are not complete files but fragments that contain the matched content characteristic. This is only suitable for forensic scenarios, not for restoring a usable system.
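The keyword-carving idea behind the two debugfs commands above, as an added stand-alone example (this is not the article's modified debugfs and does not use its dump_unused subcommand): the script walks a raw image block by block, tests each block against content signatures (the bash_history "#<epoch>" timestamp line and an ISO date prefix), and dumps every matching block as a fragment with its offset. Unlike dump_unused it does not consult the ext4 block bitmap, so allocated and unallocated blocks are scanned alike. The block size, the pattern set and the sample image are constructed for the example.

```python
import re
from dataclasses import dataclass

BLOCK_SIZE = 4096  # assumed ext4 block size for this example

# Content signatures, following the keyword idea from the article.
# "bash_history": a line consisting only of "#" plus a 10-digit epoch starting 15..19,
#                 which is how bash stores timestamps when HISTTIMEFORMAT is set.
# "log_2023-08-31": date-stamped log lines for one day (same keyword as the article).
PATTERNS = {
    "bash_history": re.compile(rb"(?m)^#1[5-9]\d{8}$"),
    "log_2023-08-31": re.compile(rb"2023-08-31 "),
}


@dataclass
class Fragment:
    label: str      # which signature matched
    block_no: int   # block index inside the image
    offset: int     # byte offset of the block
    text: str       # block content, NUL padding stripped


def _printable(data: bytes) -> str:
    """Decode a block loosely and drop trailing NUL padding."""
    return data.rstrip(b"\x00").decode("utf-8", errors="replace")


def carve_fragments(image: bytes, patterns=PATTERNS, block_size=BLOCK_SIZE):
    """Return one Fragment per (block, matching signature).

    Blocks are examined independently, which is why the result is fragments
    rather than whole files: a file spanning several blocks yields only the
    blocks that carry the signature, and file boundaries are unknown.
    """
    found = []
    for block_no, offset in enumerate(range(0, len(image), block_size)):
        block = image[offset:offset + block_size]
        for label, pattern in patterns.items():
            if pattern.search(block):
                found.append(Fragment(label, block_no, offset, _printable(block)))
    return found


def format_report(fragments):
    """One log-style line per fragment: block, offset, signature, first line of content."""
    lines = []
    for f in fragments:
        first = f.text.splitlines()[0] if f.text else ""
        lines.append(f"block {f.block_no} @0x{f.offset:08x} [{f.label}] {first}")
    return "\n".join(lines)


def build_sample_image() -> bytes:
    """Constructed sample image: four blocks, two of which carry recoverable fragments."""
    history = (b"#1693440000\nls -la /var/log\n"
               b"#1693440012\ntail -n 50 /var/log/auth.log\n")
    sshlog = (b"2023-08-31 10:15:02 sshd[1234]: Accepted publickey for admin "
              b"from 203.0.113.7 port 51022\n"
              b"2023-08-31 10:15:03 sshd[1234]: pam_unix(sshd:session): "
              b"session opened for user admin\n")

    def block(payload: bytes = b"") -> bytes:
        return payload.ljust(BLOCK_SIZE, b"\x00")

    return block() + block(history) + block(sshlog) + block()


if __name__ == "__main__":
    # Real use: open("/dev/vda1", "rb").read() in chunks; here the constructed image.
    print(format_report(carve_fragments(build_sample_image())))
```

On a real disk the image should be read in chunks rather than loaded whole, and the report plus the fragment bodies written out much like the article's tee log; the important property for forensics is that each fragment carries its block offset, so findings can be cross-checked against the file system metadata later.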

testdisk

It can only list the root directory and cannot recover files or data at all.

extundelete

Like testdisk, it can recognize the root directory but cannot recover files.

Inode 2 is the root directory on ext2/3/4 file systems.

Attempting to recover all files from the disk:

It directly reports an error and still cannot recover files.

R-Studio

R-Studio performed relatively well. Although some directories were not recognized, for the directories it did recognize it showed which files could be recovered and an estimated probability of recovery.

It then lists the recoverable files within those directories.

Although most files still show as empty (unrecoverable), this is much better than the two tools above, which could not recover anything.

DiskGenius

Although DiskGenius can categorize the files it scans from the disk by type and preview them, it still cannot recognize lost directories, which makes it less useful here.

X-ways Forensics

After scanning with X-ways, it recognizes the complete root directory but cannot successfully recover files. It is possible that I did not use it correctly.

Conclusion

Because of the severe damage to the file system, most data recovery tools performed poorly. Judging by the results, the simplest and most effective tool, and the one that recovered the most files, was R-Studio, which can be considered the preferred tool for data recovery in the future.