
Shadows on Disk: Ext4 Deletion and Recovery

1. Setup

First, make sure your loop filesystem is created and mounted at ~/fs-lab/mnt (see the initial setup guide).
To simplify permissions, give your user ownership of the mount point:

sudo chown -R $USER:$USER ~/fs-lab/mnt
cd ~/fs-lab/mnt

2. Planting a Shadow

Let’s create a small file with a unique marker string:

echo "MY_SECRET_TOKEN_12345" > secret.txt
ls -li secret.txt

Sample output:

24 -rw-r--r-- 1 thomasrones thomasrones 22 Aug 20 10:03 secret.txt
  • The first column (24) is the inode number; the number you get will almost certainly differ, so substitute yours in the debugfs commands below.
  • File size is 22 bytes (the 21-character string plus the newline echo appends).

3. Deletion

Now, remove it:

rm secret.txt

From the user’s perspective, it’s gone. But rm only removes the directory entry: ext4 marks the inode and its data blocks free in the bitmaps, and the bytes in those blocks are not touched until something reuses them.


4. Inspecting with debugfs

We can look directly at the filesystem metadata. debugfs opens the device read-only unless you pass -w, which is exactly what you want when investigating; substitute your own loop device (losetup -a lists them) for /dev/loop7:

sudo debugfs /dev/loop7

Inside the prompt, list deleted inodes that still reference freed blocks:

debugfs: lsdel

lsdel walks the inode table for inodes with a deletion time set and counts the freed blocks they still point at. One caveat matters here: ext2 leaves the block pointers in a freed inode, but ext4 (like ext3) clears the inode's block references when it frees the inode, so on ext4 lsdel often reports 0 deleted inodes found even seconds after the rm. If the references did survive, the output looks like:

 Inode  Owner  Mode    Size     Blocks   Time deleted
    24   1000 0100644    22        8   Wed Aug 20 10:05:32 2025

💡 Notice the inode number matches what ls -li showed earlier.


5. Recovering the Shadow

If the inode still references its blocks and they haven’t been reallocated, you can extract the file. The <24> syntax names an inode rather than a path, and the output path is relative to the directory you started debugfs from:

debugfs: dump <24> ./recovered.txt

Now compare:

cat recovered.txt
# MY_SECRET_TOKEN_12345

The contents survive, even after rm.

If lsdel found nothing, or dump produced an empty file, the data blocks are still on disk; only the inode's pointers to them are gone. At that point you search the raw device for the marker string, use a carving tool such as photorec, or use extundelete or ext4magic, which look in the ext4 journal for the pre-deletion copy of the inode and its extent tree.


6. Why This Works

  • rm calls unlink(): removes the directory entry pointing to the inode and decrements the inode’s link count.
  • When the link count reaches zero and no process holds the file open, the kernel frees the inode: it records a deletion time and, on ext4, clears the inode’s block references.
  • Ext4 clears the block bitmap bits so the data blocks are “available” for new allocations.
  • Nothing overwrites the blocks themselves, so the raw bytes remain intact until they are reused.
  • Tools like debugfs, photorec, extundelete, or forensic suites can pull them back; and if a process still has the deleted file open, /proc/<pid>/fd/<n> hands you the full content with no carving at all.
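The open-file case from the last bullet is worth seeing once, because it is the most common way a "deleted" secret is trivially recovered (a log or config file unlinked while a daemon still has it open). The script below is an added example written for this page, not code from the original post: it holds a file open in a background process, deletes the name, and copies the data back out of /proc. It assumes Linux with /proc mounted; the file lives in a temporary directory the script creates.

```sh
#!/bin/sh
# Added example (not from the original post): a file whose last name has been
# unlinked stays fully readable while some process holds it open, because the
# kernel only frees the inode when the link count AND the open count are zero.
# Assumes Linux with /proc mounted; the file path is a temporary one chosen here.
set -eu

# Start a background process that holds FILE open on fd 3 and print its pid.
# sleep never touches fd 3; it exists only to keep the inode referenced.
hold_open() {
    sleep 300 3<"$1" >/dev/null 2>&1 &
    pid=$!
    # The child performs the open() after fork, so wait until fd 3 shows up in
    # its fd table before handing the pid back (otherwise rm could win the race).
    i=0
    while [ ! -e "/proc/$pid/fd/3" ] && [ "$i" -lt 50 ]; do
        sleep 0.1
        i=$((i + 1))
    done
    echo "$pid"
}

# Copy the unlinked file out of the holder's fd table. The symlink target
# reads "<path> (deleted)", but opening it yields the live inode's data.
recover_from_fd() {
    cat "/proc/$1/fd/3" > "$2"
}

demo() {
    dir=$(mktemp -d)
    echo "MY_SECRET_TOKEN_12345" > "$dir/secret.txt"
    pid=$(hold_open "$dir/secret.txt")
    rm "$dir/secret.txt"                 # the name is gone ...
    ls -l "/proc/$pid/fd/3"              # ... but fd 3 -> ".../secret.txt (deleted)"
    recover_from_fd "$pid" "$dir/recovered.txt"
    cat "$dir/recovered.txt"             # MY_SECRET_TOKEN_12345
    kill "$pid"
    rm -rf "$dir"
}
demo
```

On a real system you would find the holder with lsof +L1 (files with link count below one) or by scanning /proc/*/fd for "(deleted)" targets; the copy step is the same. Note that the inode is only freed once that process closes the descriptor, so the data survives every rm until then.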

7. Beyond rm: True Destruction

If you want to ensure the data is gone:

  • Overwrite the file’s blocks in place before deleting it: shred -u file, or dd if=/dev/zero of=file bs=4096 conv=notrunc. Without conv=notrunc, dd truncates the file first, which frees its blocks and writes the zeros into whatever is allocated next, leaving the original bytes untouched. In-place overwrites are only as good as the storage underneath: ext4 in its default data=ordered mode writes data blocks in place, but copy-on-write filesystems, snapshots, and SSD wear-leveling can all keep an old copy.
  • For files that are already deleted, overwrite the free space (fill the filesystem with a file of zeros, sync, then remove it) or, on SSDs, discard it with fstrim.
  • Or cryptographically erase (destroy the key of an encrypted volume) or physically destroy the medium, which is what sanitization standards such as NIST SP 800-88 reserve for the highest assurance.

Because until those blocks are reused, your deleted files remain as shadows on disk.
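To tie sections 5 and 7 together, here is an added example (written for this edit, not from the original post) of the fallback you use when the inode no longer points at its blocks: carve the raw device for the marker, read the whole block back, and then zero that block in place with conv=notrunc. A constructed 1 MiB image stands in for /dev/loop7 so the script runs without root; the 4096-byte block size is an assumption (check yours with dumpe2fs -h), and for the real lab you would pass /dev/loop7 to the same functions under sudo.

```sh
#!/bin/sh
# Added example, not from the original post: carve a marker out of a raw
# image (what you fall back to when the inode's block references are gone)
# and then overwrite that block in place. A constructed 1 MiB image stands in
# for /dev/loop7 so this runs without root; point the functions at the real
# loop device under sudo for the lab.
set -eu

BLOCK_SIZE=4096   # assumed ext4 block size; check with: dumpe2fs -h /dev/loop7

# Byte offset of the first occurrence of MARKER in IMAGE (empty if absent).
# -b: print byte offset, -o: offset of the match itself, -a: treat as text.
find_marker() {
    LC_ALL=C grep -boa -m1 -- "$2" "$1" | cut -d: -f1
}

# Filesystem block number containing byte OFFSET.
block_of() {
    echo $(( $1 / BLOCK_SIZE ))
}

# Read the whole block holding OFFSET and drop the NUL padding; this is the
# equivalent of debugfs 'dump' when there is no inode left to dump from.
carve_block() {
    dd if="$1" bs="$BLOCK_SIZE" skip=$(( $2 / BLOCK_SIZE )) count=1 2>/dev/null \
        | tr -d '\000'
}

# Zero the block in place. conv=notrunc is the whole point: without it dd
# truncates the target first, which on a regular file frees its blocks and
# writes the zeros into whatever gets allocated next, leaving the old bytes.
wipe_block() {
    dd if=/dev/zero of="$1" bs="$BLOCK_SIZE" seek=$(( $2 / BLOCK_SIZE )) count=1 \
        conv=notrunc 2>/dev/null
}

# Constructed test image: 256 zero blocks with the marker planted in block 24
# (the inode number from the post, reused here purely as a block number).
make_image() {
    dd if=/dev/zero of="$1" bs="$BLOCK_SIZE" count=256 2>/dev/null
    printf 'MY_SECRET_TOKEN_12345\n' \
        | dd of="$1" bs="$BLOCK_SIZE" seek=24 conv=notrunc 2>/dev/null
}

demo() {
    img=$(mktemp)
    make_image "$img"
    off=$(find_marker "$img" MY_SECRET_TOKEN_12345)
    echo "marker at byte $off (block $(block_of "$off"))"   # byte 98304, block 24
    echo "carved: $(carve_block "$img" "$off")"
    wipe_block "$img" "$off"
    echo "after wipe: '$(find_marker "$img" MY_SECRET_TOKEN_12345)'"   # empty
    rm -f "$img"
}
demo
```

Against the lab device the same two lookups are sudo grep -boa on /dev/loop7 followed by dd with skip= at the block number; debugfs's icheck and ncheck can then tell you whether that block currently belongs to a live inode, which is the check that separates "recoverable shadow" from "already reused".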


Epilogue

“Not all that is deleted is truly lost.”

Ext4 protects metadata consistency with its journal, but it does not wipe your data when you delete it. Forensics can often bring back what you thought was gone. And sometimes, that shadow is enough.

(Perhaps in another piece, we’ll look at the other side of volatility — what lingers in memory dumps...)