How to Recover Deleted Files From Ubuntu Guest Sessions on Encrypted Volumes

Ubuntu guest sessions are a convenient way to let someone use your system with limited access to the network, file system, and other system functions without the ability to save data. The /usr/lib/lightdm/lightdm-guest-session binary handles guest sessions, and several services which are deemed unnecessary for a guest user are disabled. Refer to /usr/share/lightdm/guest-session/setup.sh for details on what is enabled.

When a guest session starts, you will see a warning that any saved data will be lost, as shown below.

[Screenshot: guest session warning]

A temporary home directory is created under /tmp, and it is deleted when the guest session ends via logout or a reboot. While the guest session is active, you will see a directory named guest-xxxx, for example /tmp/guest-6vqi30.

So what do you do if a guest session ends unexpectedly?! I recently logged out of a guest session by mistake and had to scramble to recover my son’s school essay which was ready to be submitted. I searched for help and every single article said I was out of luck and there is no way to recover files after a guest session ends. I found one article that gave me some hope by recommending testdisk; I installed testdisk and started my analysis. However, adding to my troubles, I have an encrypted root partition and testdisk failed to find the lost file even when I asked it to analyze the decrypted device file. Then, I came across scalpel, a tool that can restore deleted files. Since I kept the laptop running without rebooting it, I decided to give scalpel a try to see if I can find anything on tmpfs.

sudo apt-get install scalpel

Scalpel recovers files using a header/footer database. This means you can search for specific file types such as audio (wav, ra), LibreOffice (odt, odp), PGP (pgd, pgp, txt), graphics (jpg, png), and so on. The scalpel configuration file /etc/scalpel/scalpel.conf controls the types and sizes of files that are carved. For each file type, it gives the file's extension, whether the header and footer are case sensitive, the maximum carve size, and the header and footer patterns; the footer is optional.

#               case    size    header                  footer
#extension   sensitive  
#
#---------------------------------------------------------------------
# EXAMPLE WITH NO SUFFIX
#---------------------------------------------------------------------
#
# Here is an example of how to use the no extension option. Any files 
# beginning with the string "FOREMOST" are carved and no file extensions
# are used. No footer is defined and the max carve size is 1000 bytes.
#
#      NONE     y      1000     FOREMOST
#

The scalpel default configuration file didn’t include LibreOffice, but I found an article that specified the right information. I added the following to the end of /etc/scalpel/scalpel.conf:

#---------------------------------------------------------------------
# OPENOFFICE FILES
#---------------------------------------------------------------------
    odt y   20000000    PK????????????????????????????mimetypeapplication/vnd.oasis.opendocument.textPK META-INF/manifest.xmlPK????????????????????
    ods y   10000000    PK????????????????????????????mimetypeapplication/vnd.oasis.opendocument.spreadsheetPK  META-INF/manifest.xmlPK????????????????????
    odp y   10000000    PK????????????????????????????mimetypeapplication/vnd.oasis.opendocument.presentationPK META-INF/manifest.xmlPK????????????????????
#    odg y   10000000    PK????????????????????????????mimetypeapplication/vnd.oasis.opendocument.graphicsPK META-INF/manifest.xmlPK????????????????????
#    odc y   10000000    PK????????????????????????????mimetypeapplication/vnd.oasis.opendocument.chartPK    META-INF/manifest.xmlPK????????????????????
#    odf y   10000000    PK????????????????????????????mimetypeapplication/vnd.oasis.opendocument.formulaPK  META-INF/manifest.xmlPK????????????????????
#    odi y   10000000    PK????????????????????????????mimetypeapplication/vnd.oasis.opendocument.imagePK    META-INF/manifest.xmlPK????????????????????
#    odm y   10000000    PK????????????????????????????mimetypeapplication/vnd.oasis.opendocument.text-masterPK  META-INF/manifest.xmlPK????????????????????
#    sxw y   10000000    PK????????????????????????????mimetypeapplication/vnd.sun.xml.writerPK  META-INF/manifest.xmlPK????????????????????
#---------------------------------------------------------------------

The disk is encrypted, so we have to find the right device file to ask scalpel to carve.

sudo fdisk -l

Find the device named /dev/mapper/ubuntu--vg-root; this is the decrypted root device. Now we can run scalpel on this device. First create a recovery directory; I’m going to call it recover. I used the -b option to tell scalpel to carve files even if the defined footers aren’t discovered within the maximum carve size for the file type.

sudo scalpel /dev/mapper/ubuntu--vg-root -b -o recover
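
To make the header/footer rules and the -b option concrete, here is a simplified model of header/footer carving in Python. It is an example added here, not scalpel's own code: it supports only the `?` wildcard, and `fake_odt` and `SAMPLE_IMAGE` are constructed test data rather than real documents.

```python
import re

def to_regex(pattern: bytes) -> "re.Pattern[bytes]":
    """scalpel.conf-style pattern: '?' matches any single byte, all else is literal."""
    parts = [b"." if b == ord("?") else re.escape(bytes([b])) for b in pattern]
    return re.compile(b"".join(parts), re.DOTALL)

def carve(image, header, footer, max_size, carve_without_footer=False):
    """Return [(offset, data, footer_found)] for every header hit in image."""
    head_re, foot_re = to_regex(header), to_regex(footer)
    results = []
    for hit in head_re.finditer(image):
        start = hit.start()
        window = image[start:start + max_size]      # never look past the size limit
        foot = foot_re.search(window, hit.end() - start)
        if foot:                                     # complete file: header..footer
            results.append((start, window[:foot.end()], True))
        elif carve_without_footer:                   # what -b permits: keep the fragment
            results.append((start, window, False))
    return results

# Patterns modelled on the odt rule: a ZIP local file header is 30 bytes ("PK" + 28
# more), and the end-of-central-directory record is 22 bytes ("PK" + 20 more).
HEADER = b"PK" + b"?" * 28 + b"mimetypeapplication/vnd.oasis.opendocument.textPK"
FOOTER = b"META-INF/manifest.xmlPK" + b"?" * 20

def fake_odt(body, complete=True):
    """Constructed stand-in for an .odt: real files are full ZIP archives."""
    head = b"PK\x03\x04" + bytes(26) + b"mimetypeapplication/vnd.oasis.opendocument.textPK"
    tail = b"META-INF/manifest.xmlPK\x05\x06" + bytes(18)
    return head + body + (tail if complete else b"")

# Constructed "device": one intact document, one whose tail was overwritten.
SAMPLE_IMAGE = (b"\xff" * 64 + fake_odt(b"<essay draft 1>") + b"\x00" * 32
                + fake_odt(b"<essay draft 2>", complete=False) + b"\xaa" * 500)

if __name__ == "__main__":
    for flag in (False, True):
        for offset, data, found in carve(SAMPLE_IMAGE, HEADER, FOOTER, 200, flag):
            print(f"-b={flag} offset={offset} bytes={len(data)} footer={found}")
```

A fragment carved without its footer runs to the size limit, so it carries unrelated trailing bytes and may not open as a document even though part of the text is in it.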

When scalpel completed, I found several .odt files in the recover directory. At this point, it’s a matter of opening each to find the file that contains the complete essay. We had a happy ending with the full essay restored!

Here are some lessons I learned about recovery from this experience:

  1. Guest accounts are best for special cases when data doesn’t need to be saved.
  2. If you end up using a guest account and have data to save, save it to permanent storage before logging out or rebooting.
  3. Customize guest sessions on the system to store files permanently.
  4. If you end up in a similar situation as me, there’s no need to despair as it isn’t the end of the world. Don’t reboot the system and make sure it stays powered on.
  5. Even if you have an encrypted disk, it’s no problem: scalpel can recover deleted files from tmpfs.

Author: Shuah Khan

Shuah contributes to multiple aspects of the Linux Kernel, and she maintains the Kernel Selftest framework.

2 thoughts on “How to Recover Deleted Files From Ubuntu Guest Sessions on Encrypted Volumes”

  1. Thanks for your text.
    Although I was not able to retrieve my daughter’s word (due to a reboot), the info you provide is very interesting and I’m thankful to those who write and share their knowledge.

    Best Regards
