June 28, 2016 - Shuah Khan

How to Recover Deleted Files From Ubuntu Guest Sessions on Encrypted Volumes

Ubuntu guest sessions are a convenient way to let someone use your system with limited access to the network, file system, and other system functions without the ability to save data. The /usr/lib/lightdm/lightdm-guest-session binary handles guest sessions, and several services which are deemed unnecessary for a guest user are disabled. Refer to /usr/share/lightdm/guest-session/setup.sh for details on what is enabled.

When guest session starts, you will see a warning that any data saved will be lost as shown below.

guest_session

A temporary home directory is created under /tmp which will be deleted when guest session ends via logout, or a reboot. When the guest session is active, you will see a directory guest-xxxx as in the e.g /tmp/guest-6vqi30.

So what do you do if a guest session ends unexpectedly?! I recently logged out of a guest session by mistake and had to scramble to recover my son’s school essay which was ready to be submitted. I searched for help and every single article said I was out of luck and there is no way to recover files after a guest session ends. I found one article that gave me some hope by recommending testdisk; I installed testdisk and started my analysis. However, adding to my troubles, I have an encrypted root partition and testdisk failed to find the lost file even when I asked it to analyze the decrypted device file. Then, I came across scalpel, a tool that can restore deleted files. Since I kept the laptop running without rebooting it, I decided to give scalpel a try to see if I can find anything on tmpfs.

Scalpel recovers files using a header/footer database. This means you can search for specific file types such as audio (wav, ra), LibreOffice (odt, odp),  PGP (pgd, pgp, txt), graphics (jpg, png), and so on. The scalpel configuration file  /etc/scalpel/scalpel.conf is used to control the types and sizes of files that are carved. For each file type, the configuration file describes the file’s extension, header and footer case sensitivity, size, and the header/footer; the footer is optional.

The scalpel default configuration file didn’t include LibreOffice, but I found an article that specified the right information. I added the following to the end of /etc/scalpel/scalpel.conf

The disk is encrypted, so we have to find the right device file to ask scalpel to carve.

Find the device named /dev/mapper/ubuntu–vg-root, this is the decrypted root device. Now we can run scalpel on this device. First create a recovery directory, I’m going to call it recover. I used the -b option to tell scalpel to carve files even if the defined footers aren’t discovered within maximum carve size for the file type.

When scalpel completed, I found several .odt files in the recover directory. At this point, it’s a matter of opening each to find the file that contains the complete essay. We had a happy ending with the full essay restored!

Here’s some lessons I learned about recovery from this experience:

  1. Guest accounts are best for special cases when data doesn’t need to saved.
  2. If you end up using guest account and have data to save, save it to permanent storage before logging out or rebooting.
  3. Customize guest sessions on the system to store files permanently.
  4. If you end up in a similar situation as me, there’s no need to despair as it isn’t the end of the world. Don’t reboot the system and make sure it stays powered on.
  5. Even if you have an encrypted disk it’s no problem, scalpel can recover deleted files from tmpfs.
Shuah Khan

About Shuah Khan

Shuah Khan is a Senior Linux Kernel Developer at Samsung’s Open Source Group. She is a Linux Kernel Maintainer and Contributor who focuses on Linux Media Core and Power Management. She maintains Kernel Selftest framework. She has contributed to IOMMU, and DMA areas. In addition, she is helping with stable release kernel testing. She authored Linux Kernel Testing and Debugging paper published on the Linux Journal and writes Linux Journal kernel news articles. She has presented at several Linux conferences and Linux Kernel Developer Keynote Panels. She served on the Linux Foundation Technical Advisory Board. Prior to joining Samsung, she worked as a kernel and software developer at HP and Lucent.

Image Credits: OSDC

Linux / Users file recovery / scapel / testdisk / Ubuntu /

Comments

  • JF K says:

    Thanks for your text.
    Although I was not able to retrieve my daughter’s word (due to a reboot), the info you provide is very interesting and I’m thankful to those who write and share their knowledge.

    Best Regards

Leave a Reply to JF K Cancel reply

Your email address will not be published. Required fields are marked *

Comments Protected by WP-SpamShield Anti-Spam