Recover Deleted Files in Linux

20
104049
It's all coming back!

It's all coming back!

Have you accidentally deleted an important file because you have the habit of using Shift+Del instead of only Del? Well, don’t panic. I had this very problem some time ago, and found some utilities that helped me recover the so-called “permanently deleted” files; so thought of sharing this useful discovery.

You must be wondering how we could recover a deleted file, because the very word “delete” implies “permanently gone”. However, when you delete a file (accidentally or intentionally), its contents are not removed from your hard disk; the blocks that the file occupied on the storage device (like a hard disk) still contain the data, until the blocks are overwritten with new data. Deleting a file by its name only removes the reference to the inode of the file, and not the inode itself. (For more information, refer to the Wikipedia article on inode.)

It is always recommended that you unmount a device immediately after you realise you’ve deleted important files, to prevent the data blocks of those files from being overwritten with other data. Thus, you should ideally shut down the system, and do the recovery process by booting from a Live CD/USB, and then searching the partition that contained the files (e.g., /dev/sda1). I am using the Ubuntu 10.04 32-bit desktop edition, and the information here is specific to that distro.

Note: Be sure that you have enough space to accommodate the deleted files; otherwise, you will face some crazy errors during the post-recovery boot-up process and login.

Scalpel

This is a filesystem-independent recovery tool for Linux and Mac OS, which you can also run on Windows by compiling it with MinGW. The latest version is 2.0. Install it in Ubuntu with sudo apt-get install scalpel.

Next is some text editing — the configuration file is /etc/scalpel/scalpel.conf. You will find that everything has been commented out — uncomment the specific file format that you want to recover. For example, if I want to recover a deleted zip file, I will uncomment the .zip file section in scalpel.conf, as shown in Figure 1.

Figure 1: Scalpel.config file
Figure 1: Scalpel.config file

Next, in a terminal, run:

sudo scalpel  [device/directory/file name] -o [output directory]

The output directory, in which you want to store recovered files, should be empty before running Scalpel; otherwise, you will get an error.

Foremost

Foremost is a console program to recover files based on their headers, footers, and internal data structures. This process is commonly referred to as data carving. Foremost can work on disk or partition image files, such as those generated by dd, Safeback, Encase, etc, or directly on a drive.

The headers and footers can be specified by a configuration file, or you can use command-line switches to specify built-in file types. Install in Ubuntu and its derivatives with the following command:

sudo apt-get install foremost

There are a lot of options available. For example, to search for a deleted JPEG file, use:

sudo foremost -t jpg -i /dev/sda1

The -t (“type”) option can be given as -t all to search for all file types. Multiple file types are comma-separated, like -t jpg, pdf. The (required) option -i is the base device/directory for the search. You can also specify an output directory with -o.

Photorec

This is the fastest utility of the three. It’s installed by the testdisk utility package. If you don’t want to mess with the command-line, this is the best utility for you. Just run photorecas the root user in a terminal, and you will see a nice ncurses-based UI as shown in Figure 2.

Figure 2: Photorec welcome screen
Figure 2: Photorec welcome screen

Select the device to search, and it will ask you for the partition table type. Select yours; in my case, it’s Intel. Next, you have to select the filesystem or partition of the device disk. Next, it prompts you to choose the file system, as shown in Figure 3. * indicates a mounted partition. Last, it will ask for an output folder in which to store recovered files. After making a selection, press y to proceed.
Figure 3: Filesystem selection in Photorec
Figure 3: Filesystem selection in Photorec

Note: The above utilities will not recover replaced files, because in the case of replacement you are replacing the inode itself, so it’s not possible to recover it.

Although there are utilities to recover deleted files, I recommend that prevention is always better than cure so don’t use Shift+Del or rm indiscriminately.

20 COMMENTS

  1. Hi, hope i can find an answer, please someone help me. This is good but I cannot do it and have no linux experience. I would like to recover folders that i removed from trash. I have linux 10.04. WOuld be good to get help. skype pinchinme

  2. user@tux:~$ sudo apt-get-install scalpel
    [sudo] password for user:
    sudo: apt-get-install: command not found
    user@tux:~$ sudo apt-get-install scalpel
    sudo: apt-get-install: command not found
    user@tux:~$ /etc/scalpel/scalpel.conf
    bash: /etc/scalpel/scalpel.conf: No such file or directory
    user@tux:~$ /etc/scalpel/scalpel.conf
    bash: /etc/scalpel/scalpel.conf: No such file or directory

    • it did run something, told me 0 installed, 0 to be updatesd or something and 122 for something. thought that was what i copied below.

    • bash: /etc/scalpel/scalpel.conf: No such file or directory

      sudo gedit /etc/scalpel/scalpel.conf

      you can replace gedit with other text editor

  3. [sudo] password for user:
    Reading package listst… Done
    Building dependency tree
    Reading state information… Done
    0 upgraded, 0 newly installed, 0 to remove and 122 not upgraded.
    W: Duplicate sources.list entry http://archive.canonical.com/ubuntu/ lucid/partner Packages (/var/lib/apt/lists/archive.canonical.com_ubuntu_dists_lucid_partner_binary-i386_Packages)
    W: You may want to run apt-get update to correct these problems
    here is what i go

  4. None of these solutions work to recover a single file.
    All of them are using the disk image..so you are going to run out of space…. and say goodbye to your file.

    • Yes, that’s why you have to save the recovered files onto a different location (preferreably a different partition)

  5. So this (scalpel) is pretty useless if you want to recover a directory isn’t it… and it’s giving errors that empty recovery directories are not in fact empty when they are and were just created…

LEAVE A REPLY

Please enter your comment!
Please enter your name here