- How to recover a removed file under Linux?
- 15 Answers 15
- How To Recover Deleted Files by RM Command on Linux (Ubuntu)
- In this article
- Part 1: What Is the RM Command?
- How To Use the RM Command?
- Where Do Files Go When Running the RM Command
- Does RM Permanently Delete Files on Linux?
- Part 2: Recover RM Files in Linux Using Wondershare Recoverit (GUI Tool)
How to recover a removed file under Linux?
By accident, I used rm on a file I didn’t want to delete. Is there a way that I can get it back under Linux?
@Nav, rm is a «dangerous» UNIX/Linux command (read $ man rm ). Use it with extreme caution. With that said, it is a quick way to delete files you are sure of. Modern Linux and Unix Desktop Environments do provide with a solution of «Trash Can», so the user easily can recover accidentally deleted files.
Don’t use «rm» if you wish to restore the files in future .Use «rm-trash» utility instead : github.com/nateshmbhat/rm-trash
15 Answers 15
The following are generic steps to recover text files.
- First use wall command to tell user that system is going down in a single user mode:
# wall System is going down to . please save your work. grep -b 'search-text' /dev/partition > file.txt grep -a -B[size before] -A[size after] 'text' /dev/[your_partition] > file.txt -i : Ignore case distinctions in both the PATTERN and the input files i.e. match both uppercase and lowercase character. -a : Process a binary file as if it were text -B Print number lines/size of leading context before matching lines. -A: Print number lines/size of trailing context after matching lines. # grep -i -a -B10 -A100 'nixCraft' /dev/sda1 > file.txt This method works wonders for text files, thanks! What I like about it is that it doesn’t rely on the filesystem’s journal (like extundelete), but it actually scans the raw bytes of the entire drive instead. If this command doesn’t find your file, nothing will.
@Quinma, this method can work remotely with only slight modifications. Instead of running init 1 , manually kill every system daemons except sshd . I also think at this point you should be remounting all filesystems RO and saving to tmpfs (assuming your temp files will fit in ram) to avoid overwriting the files with the temp data. You will of course have to copy it elsewhere later, either to a remote server or back to local filesystems after remounting them RW.
@Qback, I really don’t know. As stated, I just followed the step-by-step. But the init 1 is meant for administrative tasks, and maybe kill process not related to that runlevel scenario. That may help preventing harddisk from being used, overwriting the file you’re trying to recover.
- If it’s very-very important, take the disk from the computer and hire a company to do it for you.
- If it is only very important, mount the disk read-only, copy the whole partition to a file using dd and try to find the file within it (using grep , or an editor).
Edit: sometimes ddrescue works better than dd .
«try to find the file within it» I’m confused, how would one reasonably open a 15+ GB file and search or pipe this beast into grep? And what would you do when you found the text? How on earth is this recovery?
The first thing to do is to try some common tools before burning a lot of cash for an uncertain result. BTW, grep won’t really help, photorec or ext3grep will.
If your filesystem is ext3, use ext3grep.
Testdisk has an undelete option that should work with Linux.
There is a walkthrough for Linux. Note that it works for ext2, ext3, and ext4.
extundelete is also handy if the partition is ext3/4. However, the first thing to do is perhaps to unmount the partition.
I did this a couple of years ago. My approach was to directly, no time to lose, unmount partition and then
dd if=/dev/hda1 of=backup_image.ext3 to have a backup file of the exact state of the partition. Then you can mount the partition again and continue with business as usual as you search for the the deleted file in your created image. The image will probably be VERY large since you need all the «empty» space, so it might be a practical problem to store it.
Then it was just to perform boring searches after text snippets I expected to be somewhere in the soup of partition content. E.g. to find .tex-files, I ran
grep --binary-files=text -1000 "subsection" < backup_image.ext3 >latexfiles which printed a large context around the phrase «subsection» and saved the output to a file to be manually searched through. I printed such a large context since it took such a long time to search the image that I’d rather not do it more times than I had to.
Also the command strings was helpful in removing binary garbage from the output, but if I recall correctly it also stripped all newlines, which could be a problem.
To find binary files in the same way, one might have success in finding a characteristic header or something of a certain file, but I imagine it to be a rather big adventure.
Brief technical notes: there are technical difficulties with disk recovery and Ext3/4. It is a long thing to explain, but briefly (and inadequately): Ext3/4 removes the «markers» that tell the OS where files are located on disk when you delete them. The files aren’t scrubbed, but no one knows where on the disk they start and end anymore, and sometimes they even are fragmented at several places. Some other file systems just set the files’ statuses to «deleted», but keep the location data. Then undelete is not harder than to look at file pointers with this flag (they should still be available if not too much activity has occured), and then hope their content has not been overwritten.
What is best? Rhetorical, in my view. Frequent backup is the answer to all these problems. Important data without an automated backup system is an accident waiting to happen, IMHO.
Obligatory personal anecdote: I was going to remove foo\ foo* from ~ . I wrote
, which sadly, since foo apparently was a symlink and the only file matching this, the shell made into
I pressed Enter and sat there looking at the command, which should have taken a second at most. After a bit longer time rm asked me if I wanted «to remove the write-protected file ‘something'».Quite quickly I felt the chills and softly and very controlled I pressed Ctrl+c . ~Half of my ~ was deleted, but I managed to get everything of value back through above described grepping and some more or less current backups. I had some personally very valuable (read: time consuming) and very recent measurement data on disk that was lost, but I had made quadruple backups. One disappared here, another due to system outage at school, another was corrupt, and at first I couldn’t find the fourth, since I by mistake had put it in the wrong folder 😀 . Had not rm -r got stuck on a write-protected file, the fourth would have been eaten since that folder was mounted via sshfs in my ~ . I’m a lot more careful about that kind of stuff since.
How To Recover Deleted Files by RM Command on Linux (Ubuntu)
Here are the 3 methods to recover deleted files by RM command in Linux.
David Darlington
“Can files/directories deleted with rm be restored?” – askUbuntu
The » rm » command is a utility in Linux systems that allows you to delete files. However, sometimes you may accidentally delete important files using the rm command. There are even cases when this happens due to malware attacks, software-level corruption, or hard drive failure.
When it comes to Ubuntu, running the wrong command adds on. In such cases, it is possible to recover these deleted files using specific tools. This article will discuss how to recover deleted files in Linux using rm . We will explain the general concept of the rm command and the steps to recover files deleted by the rm command in Ubuntu using the GUI tool, command line tool, and extundelete.
In this article
Part 1: What Is the RM Command?
The » rm » command is a Linux utility used to delete files. It stands for «remove.» When you use the rm command to delete a file, it is permanently removed from the file system and cannot be recovered easily. Therefore, it is essential to be careful when using the rm command, especially if you delete important files.
Note: The rm command deletes files without asking for approval. As a result, it’s essential to use caution when using it to prevent unintentionally destroying important files.
How To Use the RM Command?
It would be best if you opened a Terminal on your Linux system to use the rm command. You can delete a file using the rm command by typing the command and the file’s name in the Terminal. As an example, you remove a file. The path to the file must be specified if it is in a separate directory. By separating the names of the files with a space, you can also remove multiple files at once.
The basic syntax for using the rm command is:
rm [options] file
Here, » file » is the name of the file that you want to delete. You can specify multiple files to be deleted by separating them with a space.
Deleting single file: If you want to delete a single file, you have to use the “rm” command followed by the file’s name as an argument.
rm filename
Deleting multiple files: You just need to pass the filenames as arguments separated by space if you want to delete multiple files.
rm filename1 filename2 filename3 filename 4
Removing directories: If you want to remove one or more than one directory, you have to use » -d «.
rm -d dirname
You can use several options with the rm command to modify its behavior. For example,
- The » -i » option forces the rm command to prompt for confirmation before deleting each file. It will display a message asking if you want to delete each file, and you can choose to delete or skip the file by typing » y » or » n ,» respectively.
- The » -f » option forces the rm command to ignore non-existent files and not prompt confirmation. It is helpful if you want to delete multiple files and wonder if some might not exist. The rm command will ignore the non-existent files and delete the rest.
- The » -r » option allows you to delete directories and their contents recursively. It will delete the directory and all its files and subdirectories. Be careful when using the » -r » option, as it can delete many files at once and is not reversible.
It is worth noting that the rm command does not send the deleted files to the trash bin or recycle bin. Instead, it permanently removes them from the file system, so it is important to be careful when using them.
For Windows XP/Vista/7/8/10/11
For macOS X 10.10 — macOS 13
Where Do Files Go When Running the RM Command
Let’s quickly review the Linux filesystem’s operation before moving to where the files are stored. The system establishes a link to the file when we create it. The system then uses these links to locate files on the disk.
The system only removes the link to the file when we use the rm command. It means that the file’s actual data is still present on the disk. Because of this, when we use the rm command, the filesystem deletes the references to the files and informs the operating system that the storage blocks have been released.
The rm command often instructs the system to mark the file’s inode and data blocks as unused. Data recovery was once possible in earlier Linux versions, but nothing can be recovered these days because the metadata has been erased.
There is no recycle bin or trash can with the rm command. Use the GUI, where files are typically relocated to the trash directory when removed if we need a recycle bin.
Does RM Permanently Delete Files on Linux?
Yes, when you use the rm command to delete a file in Linux, it is permanently removed from the file system and cannot be easily recovered. The rm command does not send the deleted files to the trash or recycle bin, as with some desktop environments. Instead, it permanently removes the files from the file system, so it is important to be careful when using it.
Even though the rm command permanently removes the files from the file system, it is still possible to recover the deleted files in some cases. It is because when a file is deleted, the system only marks the space occupied by the file as available for reuse, but the actual data is not immediately overwritten. Therefore, retrieving deleted files using specific tools is possible if new data has not been overwritten.
Part 2: Recover RM Files in Linux Using Wondershare Recoverit (GUI Tool)
We’ve all experienced the frustration of seeking a file to have it vanish, even in the trash. Well, that case will not be a problem anymore. Consider employing a third-party tool to recover your deleted files by RM command. One highly recommended tool is the Wondershare Recoverit Linux Recovery. Recoverit is a one-stop Linux data recovery solution that proudly offers its professional grade features like: