Tuesday, February 27, 2007
How to Undelete a File or Folder from Linux and Windows
Murphy's Law: "Whatever can go wrong, will go wrong."
My friend's final-year project was on one of the drives, and I decided to install Linux. Soon I started installing, and I removed the drive where the project was. I should thank Windows for its automatic process of undeleting a file. I just had to undelete all the files and folders; luckily for me, Linux hadn't overwritten the project folders. So follow the process below to undelete files on Windows.
You can use a bootable Norton SystemWorks CD to do this for you. If you don't have one,
you can remove the hard disk and attach it to another computer, run SystemWorks on that, and check for the disk repairer; it will automatically undelete a file or folder.
Thanks for reading the crap, but the real fun starts now: what happens if someone deletes files in Linux? I believe there is no tool as robust as Norton SystemWorks to do it for you.
So the only way is to find the deleted inodes or data blocks with the latest modification time and undelete them manually. Assume /dev/hda5 is the filesystem on which files have to be undeleted.
1) We are about to modify the file system contents, so it is better to first make a copy of the drive on another drive or another file system.
# cp /dev/hda5 /root/working
2) Run the command:
# debugfs /dev/hda5
3) A command shell for debugfs now opens. At its prompt, list the deleted inodes:
debugfs: lsdel
4) Or you can try this, which saves the list to a file:
# echo lsdel | debugfs /dev/hda5 > lsdel.out
5) The procedure is slightly different for undeleting files of more than 12 blocks.
6) To undelete a small file, start with the stat command. Let us assume 148003 is the inode of one of the entries in the deleted list:
debugfs: stat <148003>
Inode: 148003 Type: regular Mode: 0644 Flags: 0x0 Version: 1
User: 503 Group: 100 Size: 6065
File ACL: 0 Directory ACL: 0
Links: 0 Blockcount: 12
Fragment: Address: 0 Number: 0 Size: 0
ctime: 0x31a9a574 -- Mon May 27 13:52:04 1996
atime: 0x31a21dd1 -- Tue May 21 20:47:29 1996
mtime: 0x313bf4d7 -- Tue Mar 5 08:01:27 1996
dtime: 0x31a9a574 -- Mon May 27 13:52:04 1996
BLOCKS:
594810 594811 594814 594815 594816 594817
TOTAL: 6
7) We have 6 blocks, fewer than 12, so we can recover the file directly:
debugfs: dump <148003> /mnt/recovered.000
OR
# dd count=1 if=/mnt/recovered.000 of=/mnt/resized.000 bs=6065
8) If you have more than six blocks, you should read up on the ext2 filesystem and how a large file is stored.
9) The other way to undelete a file is to modify the inode structure: set the deletion time to 0 and the link count to 1.
10) Now you have modified the inode, but no directory links to it. So run the command below:
# e2fsck -f /dev/hda5
11) The recovered file or directory is now in the location /lost+found
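Steps 5 to 8 depend on reading the stat output correctly. As an added example (not part of the original post), this Python code parses the old-style debugfs stat output shown in step 6 and reports whether the inode is marked deleted, whether its data fits in the 12 direct blocks, which contiguous runs hold the data, and how many padding bytes a whole-block copy would carry. The names field and recovery_plan are hypothetical, and the code assumes a non-sparse file.

```python
import re

# The `stat <148003>` output quoted on this page, abridged to the fields used.
SAMPLE_STAT = """\
Inode: 148003 Type: regular Mode: 0644 Flags: 0x0 Version: 1
User: 503 Group: 100 Size: 6065
Links: 0 Blockcount: 12
dtime: 0x31a9a574 -- Mon May 27 13:52:04 1996
BLOCKS:
594810 594811 594814 594815 594816 594817
TOTAL: 6
"""

DIRECT_SLOTS = 12  # an ext2 inode holds 12 direct block pointers
SECTOR = 512       # Blockcount is reported in 512-byte units


def field(text, name, pattern=r"(\d+)", base=10):
    # First integer that follows "name:" in the stat output.
    m = re.search(rf"\b{name}:\s+{pattern}", text)
    if m is None:
        raise ValueError(f"field {name!r} not found")
    return int(m.group(1), base)


def recovery_plan(stat_text):
    size = field(stat_text, "Size")
    listed = re.search(r"BLOCKS:\s*\n([\d ]+)\n", stat_text)
    blocks = [int(b) for b in listed.group(1).split()] if listed else []
    if not blocks:
        raise ValueError("no block list: nothing to recover this way")
    # Assumption: no holes, so every listed block accounts for whole sectors.
    block_size = field(stat_text, "Blockcount") * SECTOR // len(blocks)
    runs = []  # contiguous extents as [first_block, length]
    for b in blocks:
        if runs and b == runs[-1][0] + runs[-1][1]:
            runs[-1][1] += 1
        else:
            runs.append([b, 1])
    dtime = field(stat_text, "dtime", r"0x([0-9a-f]+)", 16)
    return {
        "inode": field(stat_text, "Inode"),
        "deleted": field(stat_text, "Links") == 0 and dtime != 0,
        "block_size": block_size,
        "direct_only": len(blocks) <= DIRECT_SLOTS,  # no indirect blocks
        "runs": [tuple(r) for r in runs],
        "padding": len(blocks) * block_size - size,  # bytes past end of file
    }
```

For the inode above, recovery_plan(SAMPLE_STAT) reports a 1024-byte block size, two runs of blocks and 79 bytes of padding; the dd command in step 7 cuts a copy down to the 6065-byte Size that stat reports.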