ext4 file recovery with giis-ext4

982

Introduction
giis-ext4 is designed to protect certain important directories/files on linux systems that are using the ext4 filesystem.
The binary installation of giis-ext4 has only one dependency. That is : sqlite3, which should be available by default on most linux machines.
Installation
Installation of giis-ext4 will need root privileges. You should follow these
steps for both binary and source installation.
Download the latest tar file into your home directory
    wget http://www.giis.co.in/giis/giis-ext4_0.6.tar
Extract the tar file into your home directory, which will create  a new
directory called giis-ext4
    tar -xvf giis-ext4_0.6.tar
Change to the newly created directory
    cd giis-ext4
Now, To install giis-ext4 binary, run the following commands as root-
    sh install_giis_ext4.sh
This script will place the binary in /usr/bin and create the /usr/local/giis/
working directory structure and files.
    
giis-ext4 configuration
Once you have succuessfully installed giis-ext4 from either the binary or source
code, you need to configure it.
Run the following command as root to configure which directories to protect, how
many levels of directory and how often to look for changes.
Lets start the configuration by running
#giis-ext4 –install
Device Found : /dev/mapper/vg_space-lv_root
 giis : Taking snapshot of current File system
 giis-ext4:Installation begins..
 giis-ext4: header table created
 giis-ext4: file table created
 What’s the maximum directory depth?4

I want to protect four levels of directory depth like (dir1/subdir1/subdir2/subdir3) so enter “4”
Now it prompts for which directories to protect.
 Enter the dirname name,that you would like to protect(Max. 7 directories)
 Enter dirname:/tools
 Press 1 to add/protect another directory else Press 0 to complete: 1
 Enter dirname:/docs
 Press 1 to add/protect another directory else Press 0 to complete: 0

I want to protect files from two directories namely “tools” and “docs” and entered zero “0” to specify
end of directory.
Check for newly files every ‘auto update time’ minutes.
Enter auto update time: 20

Here I specified that every 20 minutes the tool should scan “tools” and “docs” directory for any new files or change in exising files.
If it finds new file or changes to existing files , keep track of it.

 Parsing directory  : /tools
 Parsing directory  : /docs
 *Please add following entry into your /etc/crontab file for auto update
 */20 * * * * root /usr/bin/giis-ext4 -u > /dev/null
 giis-ext4:Installation is complete.

Now append the corntab entry as suggested above,so that it runs for every  20 minutes.
Here is contents on tools directory
# ls -l /tools/
total 120
-rwxr-xr-x. 1 root root 60247 2011-03-17 22:56 cloud-seed.py
-rwxr-xr-x. 1 root root   335 2011-03-17 22:56 dbench_test.sh
-rwxr-xr-x. 1 root root   217 2011-03-17 22:56 iozone_test.sh
-rwxr-xr-x. 1 root root  5644 2011-03-17 22:56 kernel_compile.sh
#ls -l /docs/
-rw-r–r–. 1 root root  461 2011-03-17 22:57 bonnie++.txt
-rw-r–r–. 1 root root   66 2011-03-17 22:57 cpio.txt
-rw-r–r–. 1 root root  199 2011-03-17 22:57 dbench.txt
-rw-r–r–. 1 root root  340 2011-03-17 22:57 small_files.txt

For example here is md5sum of a file-
# md5sum /docs/small_files.txt
0669d98fe55c5e76f8c1841c9f08bf7f  /docs/small_files.txt

Say by mistake , I deleted a file named “small_files.txt”
#rm -rf /docs/small_files.txt
Now the file is gone. Its inode is freed.
Suddenly I realize , in fact small_files.txt was input for another shell script.
Now what would you do?
Relax,since you have configured giis-ext4 for this directory. You may still have chance to recover the file.
Recovering files
# giis-ext4 –recover
 Device Found : /dev/mapper/vg_space-lv_root
 press 1: get all user files
 press 2: get specific user files
 press 3: get specific file type
 press 4: get specific file
 press 5: get it by deleted date
 Enter your option:4

Since we know the exact file name that we wanted to recover – I selected option 4 and entered the file na,e
 Enter the Filename Name….small_files.txt
 Verifing inode:8126486|
 **giis-ext4 : Recovery completed.Please check /usr/local/giis/giis.log for more details and /usr/local/giis/got_it/ for files **

Lets check the log file-
# cat /usr/local/giis/giis.log
/docs/small_files.txt — recovered on — Thu Mar 17 23:22:37 2011

good.It says file “small_files.txt” recorded and placed under /docs directory.
Is it true-
# ls -l /docs/small_files.txt
-rw-r–r–. 1 root root 340 2011-03-17 23:29 /docs/small_files.txt

 

 

Yes,seems like the recovered file with same size.
But does it contains same data? Lets verify with md5sum-


# md5sum /docs/small_files.txt
0669d98fe55c5e76f8c1841c9f08bf7f  /docs/small_files.txt

cool.Seems like perfect match.
Other interesting recovery options –
 press 1: get all user files
 press 2: get specific user files
 press 3: get specific file type
 press 4: get specific file
 press 5: get it by deleted date

We have seen how option 4 works.The option 1,just recovers all possible files which are deleted from configured directories.
Option 2 ,will allow to recover files based on its owner.If you want to recover files belong to “Elija”.Simply enter the name with option2.
Enter your option:2
 Enter the User Name….Elija

With option 3,you can recover particular type of files. Say you want to recover only pdf  files.
Enter your option:3
 Make sure you use % before extentions – sql injection 🙂
 Enter the file extention  ( %.txt or  %.c or %.cpp …) :%.pdf

Option 5,It allows you to recover files based on delete dates!.You can recover all files deleted on specific date or within two date ranges or
recover all files deleted after/before a date.
 press 5: get it by deleted date
 Enter your option:5
Get Files by Deleted Date:
    Press 0 : Deleted on
    Press 1 : Deleted After
    Press 2 : Deleted Before
    Press 3 : Deleted Between

Override auto-update time-
While installing,we configured the update time as 20 minutes.
For example, I created an important file -wants to make its protected by giis-ext4,
I’m impatient and can’t wait till 20 minutes.You can add it like-
# giis-ext4 –update
 Device Found : /dev/mapper/vg_space-lv_root
 giis : Updating snapshot of current File system
 Parsing directory  : /tools
inode<7602199>Record already exists
 Parsing directory  : /docs
 giis-ext4:Update is complete.

Now the newly created file is added into giistable.
Viewing list of deleted files with “–list”
Say we deleted couple of files-
# rm -rf /docs/ffsb.txt
#rm -rf /tools/iozone_test.sh
# giis-ext4 –list
 Device Found : /dev/mapper/vg_space-lv_root
 Verifing inode:
File:iozone_test.sh was deleted from /tools/iozone_test.sh.
File:ffsb.txt was deleted from /docs/ffsb.txt.

giis-ext4 recognizes the two files are missing from its inventory.

Th-th-th-that’s all folks!  🙂