adb - How to recover a deleted file from /data partition?

I factory reset my rooted Android M phone but now I realize that there was a file in the /data directory which I need.

Is it possible to create an image (.img or something similar) of the /data partition so that I could run some recovery software for ext4 on that image? I have a little knowledge about ADB.

Answer

First to clarify root and data:

Root directory / of Android devices is a read-only pseudo (temporary) filesystem (rootfs) that lives in RAM and is vanished when device is powered off. When device is powered on, it's again extracted from initramfs that lives in boot partition along with kernel.
On newer devices with system-as-root, system partition is mounted at root /.

/data directory is a mountpoint, where largest partition, usually named userdata is mounted. This partition contains all user apps, their data (settings, databases, caches, temporary files etc.), system apps' data and all other configurations we make through Settings. /data/media/0 is the directory that we see as /sdcard or /storage/emulated/0 through emulation.

... there was a file in the /data directory which I need. Is it possible to create an image (.img or something similar) of the root directory ...

If a file is deleted from /data, you need to create a dump of data partition, not that of root directory.

You can do that in multiple ways described below. All require root access.

But first of all see this answer to make sure your data is recoverable.
In short, recovery is more or less possible only if ⁽¹⁾:

Your deleted data hasn't been TRIMmed or discarded.

And you haven't done a factory reset on encrypted /data partition.

What you should do immediately:

Switch off phone to make sure the deleted dats isn't overwritten.

Don't install data recovery apps on device, it can do more harm than good.

Mount the filesystem (if required) in recovery mode (or on PC) only with ro,nodiscard options.

FINDING BLOCK DEVICE:

In order to access userdata partition, you need to find its block device. If you have root access, you can do so from mounted partitions:

~# mount | grep 'on /data'
/dev/block/mmcblk0p... on /data type f2fs (rw,nosuid,nodev,...)

On Qualcomm devices, it's located at /dev/block/bootdevice/by-name/userdata (symlink). For MediaTek (MTK) and other SoCs, the path is slightly different. You can find all block devices or by-name directory using find command:

~# find /dev -type b
~# find /dev -type d -name 'by-name'

Or by hit and trial:

~# ls -d /dev/*/by-name
~# ls -d /dev/*/*/by-name
~# ls -d /dev/*/*/*/by-name

Note:

If your /data partition has Full Disk Encryption (FDE) and you unencrypted it in recovery, DMCrypt will create block device at dev/block/dm-0. Use this instead of userdata.

To prevent any data loss, recommended is to create dump when partition is not mounted i.e. in recovery mode.

CREATING PARTITION DUMP:

DISK DUMP (dd)
Once the block device is known, you can use dd command from:
- ADB shell (OS or custom recovery)
- A terminal emulator app like Termux
Since the userdata partition is the largest partition (all other partitions hardly using 5GB out of total storage), you can't dump it to your internal memory. An external SD card with larger capacity is needed.

To create dump:
```
~# dd if=/dev/block/bootdevice/by-name/userdata of=/path/to/ext_sdcard/data.img
```

ADB

If you don't want to use external SD card, you can also dump the partition directly to PC. First you need a working adb setup, running as root. Then it can be used in multiple ways:
```
~$ adb exec-out dd if=/dev/block/bootdevice/by-name/userdata > data.img  
```
^{* Make sure your adb binary (on Windows or Linux) supports exec-out.}

But you may end up with corrupted data when writing a whole large-sized partition to STDOUT of terminal because there are issues with line break types (CR LF). Also STDOUT or STDERR from the programs involved could possibly be added to file if not directed to /dev/null. Even a single wroge byte may render filesystem un-mountable. See this question for reference.
To avoid unwanted characters, use stty raw and/or dos2unix:
```
~$ adb shell 'stty raw && dd if=/dev/block/bootdevice/by-name/userdata' > data.img
```
But the most straightforward way is:
```
~$ adb pull /dev/block/bootdevice/by-name/userdata data.img
```
See this answer for more details.

STREAM OVER TCP
To avoid the terminal related complications described above or if for some reason adbd cannot be run as root, it's also possible to create a minimal TCP server for data transfer. Forward port from phone to PC and run netcat TCP server in listening mode:
```
~$ adb reverse tcp:1024 tcp:1024
~$ nc -v -l -p 1024 data.img
```
On phone:
```
~# cat /dev/block/bootdevice/by-name/userdata | busybox nc 127.0.0.1 1024
```

USB TETHERING (RNDIS)
To avoid using ADB at all, USB tethering can be used to provide network connectivity:
```
~# cd /sys/class/android_usb/android0
~# echo -n 0 >enable
~# echo -n rndis,adb >functions
~# echo -n 1 >enable
```
^{* You may also change other files like {iSerial,iProduct,iManufacturer} and f_rndis/{ethaddr,manufacturer,wceis,rndis_transports,max_pkt_per_xfer} in above directory if required.}

Add IP address:
```
~# busybox ip rule add lookup main
~# busybox ip address add 192.168.1.1/30 dev rndis0
~# busybox ip link set rndis0 up
```
On PC add IP manually (there's no DHCP server):
```
~$ sudo ip address add 192.168.1.2/30 dev usb0
~$ nc -v -l -p 1024 data.img
```
On phone:
```
~# busybox nc 192.168.1.2 1024 
```
In the same way it's also possible to use rclone rcat to transfer dump over WebDAV or FTP or SFTP. See How to stream an encrypted backup of the entire device to remote host?

USB MASS STORAGE (UMS)
This method is useful if you don't want to create a dump of partition, instead access partition directly on PC.

UMS is disabled by default on newer Android devices and only MTP is enabled. However you can enable that in custom recovery mode:
```
~# mountpoint /data && umount /data


~# echo '0' >/sys/class/android_usb/android0/enable
~# echo '/dev/block/bootdevice/by-name/userdata' >/sys/class/android_usb/android0/f_mass_storage/lun/file
~# echo 'mass_storage' >/sys/class/android_usb/android0/functions
~# echo '1' >/sys/class/android_usb/android0/enable
```
^{* Kernel should be built with CONFIG_USB_F_MASS_STORAGE}
^{* Paths may vary depending on device}

Now userdata will appear as a partition on Linux PC just as we connect a USB drive. If /dev/sda is the hard disk drive, usually /dev/sdb will be the userdata partition. You can find that by using blkid command:
```
~# blkid | grep userdata

/dev/sdb: PARTLABEL="userdata" PARTUUID="..."
```
You can run recovery progam directly on block device or mount the filesystem (if needed) or may also create a dump.

HOW TO RECOVER DATA?

There are basically two ways to recover deleted data as mentioned in this answer: carving method and through filesystem.

Recovery tools mostly don't need mounting filesystems but if it's required, it needs to be done on Linux PC because Windows doesn't support ext4 or f2fs natively, hence the tools aren't easily available AFAIK.

^{If anyone has been able to successfully make block/journal level access to Linux/Android filesystem for data recovery on Windows through Ext3Fsd or any other driver, let me know so that I can update the answer.}

On Linux you can use tools like extundelete to recover data using filesystem journal:

~# extundelete --restore-all data.img

Or to recover data directly with UMS:

~# extundelete --restore-all /dev/sdb

Since you have done a factory reset which erases filesystem, consider carving method using tools like testdisk or scalpel:

~# testdisk data.img

In the same way you can use any other data recovery tools. See ArchWiki File Recovery for more details.

RELATED:

Android

Saturday, June 20, 2015