Recovering linux deleted files

How to recover deleted files?

Are there any tools, methods, incantations to recover recently deleted files on Ubuntu? If it makes any difference, I want to recover a Keepass 2.x database file. But would be better to have a method/tool that works on any kind of file.

12 Answers 12

TestDisk / PhotoRec

TestDisk can sometimes recover recently deleted files using PhotoRec, which is part of TestDisk. Available on official repo and newer version on their site.

TestDisk is powerful free data recovery software! It was primarily designed to help recover lost partitions and/or make non-booting disks bootable again when these symptoms are caused by faulty software: certain types of viruses or human error (such as accidentally deleting a Partition Table). Partition table recovery using TestDisk is really easy.

PhotoRec is part of TestDisk, and is a file data recovery software designed to recover lost files including video, documents and archives from hard disks, CD-ROMs, and lost pictures (thus the Photo Recovery name) from digital camera memory. PhotoRec ignores the file system and goes after the underlying data, so it will still work even if your media’s file system has been severely damaged or reformatted.

At this moment, TestDisk does not have a graphical user interface and the help (man) pages are not enough informative for me.

PhotoRec (cgsecurity.org/wiki/PhotoRec) worked great for me to recover accidentally deleted files (on Ubuntu 14.04 with ext4). I first tried with TestDisk but it wasn’t able to recover them. Anyway, I found both tools crafted in the same folder.

@silviubogan actually TestDisk has a pretty good Textual User Interface with menus and explanations along the way. All actions have an associated key to perform them and they are clearly written on every screen for easier access.

Photorec just does not keep the file structure, which seems an important feature to me. I guess that R-Linux will do that, but untested. I just know it from R-Undelete, which is the smaller brother of R-Studio, which is of the same rtt family.

If you deleted some file by accident but still know some strings which were written in that file you can use:

grep -a -B 25 -A 100 'containing string' /dev/sda1 > result.txt 

It should be noted that 25 and 100 are just some magic numbers that probably need to be tweaked for the specific case.

I have used foremost to recover damaged hard disk both under NTFS (windows), FAT32 (Flashcard from a Nokia phone), and ext3 with great results. Command-line only, but quite it’s easy, something like this:

It will order the recovered files on folders by file-type. Openoffice docs are recovered as zip files. As you need to execute it as root (in order to directly access the hardware), output files are also owned by root, so you will likely need to change their ownership afterward.

Читайте также:  Основы линукс для хакеров

@JavierRivera — I do not believe that foremost can recover .xcf files. See the man page it can only deal with these file types: (jpg, gif, png, bmp, avi, exe, mpg, mp4, wav, riff, wmv, mov, pdf, ole, doc, zip, rar, htm, and cpp).

extundelete is really great if your file system is ext3 or ext4.

Note: extundelete requires you to unmount your drive to work properly (this is a good idea to do ASAP anyway, to avoid potentially overwriting the hopefully-recoverable bytes in the deleted files).

Unmounting the drive on a live system can be tricky. you’ll often get the ‘ device is busy ‘ message. To clear this ‘properly’ requires shutting down all processes accessing the file system. But. you were likely working in your home directory, and a zillion processes are hooked into your home directory, so good luck with that.

The trick to getting around this is to do a ‘lazy’ unmount:

$ mount /dev/sda7 on /home type ext4 (rw) $ sudo umount -l /home 
  • that example is for me prepping my /home mount for use with extundelete. You obviously need to replace /home with your mount of interest
  • I did the mount command first to figure out what device ( /dev/sda7 ) I need to pass to extundelete (output is truncated for brevity)
  • that is a lower case L in the -l option

A lazy unmount doesn’t really help since the fs remains mounted until all files on it are closed. You just need to shut down the system as soon as you delete the files, and run extundelete from a livecd.

@psusi — It is absolutely untrue to say that it doesn’t help!! umount -l prevents any new files from being opened/created and written (web caches and such). However, it does not prevent existing opened files from still being written to (ie: it does not close existing files). You suggest shutting down, but I think a lazy unmount will (most of the time) result in less written files, depending on the partition in question. On that note, it is best is to have extundelete installed already, and if not, make sure to install it to some partition other than the one you are trying to recover!

As long as the fs is still mounted, attempting to access it will result in corruption. That is the reason that extundelete requires you unmount the fs in the first place. The lazy unmount simply fools it into thinking it is not mounted, and therefore, that it is safe to proceed with manipulating the disk, when that is not true. Proceeding with extundelete before the fs is actually dismounted can hose the whole disk.

Читайте также:  Java jre version linux

@psusi — «can hose the whole disk». With a read-only operation? I don’t get your argument, or what has you so paranoid. extundelete does not «manipulate the disk». The worst possible thing I can imagine happening is that extundelete expects an unmounted/static partitition and if, while reading the journal info, the lazily unmounted disk changes due to processes that had files open, extundelete may get confused and the recovery may fail. «possibly failed recovery» != «hosed disk». If it does fail, shut down, pray shutdown doesn’t trash your lost data, and use a livecd as you suggest.

undeleting something involves writing to the disk. There is a reason that the authors of the program tell you to unmount the disk. I’m not pulling that out of thin air. I’m simply pointing out that a lazy unmount only fools the program into thinking it has been unmounted when it really hasn’t.

To recover the directory you can use extundelete

sudo apt-get install extundelete 
sudo extundelete --restore-directory /home/Documents/ /dev/sda1 

Note: In place of dev/sda1 put your hardisk partition name.

/home/Documents/ is your path to deleted directiory.

My results looks . ~/Books$ sudo extundelete —restore-directory /home/newubuntu/Books/LaTeX /dev/sda2 WARNING: Extended attributes are not restored. Loading filesystem metadata . 522 groups loaded. Loading journal descriptors . 32242 descriptors loaded. Writing output to directory RECOVERED_FILES/ Failed to restore file /home/newubuntu/Books/LaTeX Could not find correct inode number past inode 2621441.

R-Linux(Recovery studio) is one of the best. I have used this tool many times before. I worked at a company where they used the commercial version, 9/10 times it recovers everything you want. Truly superb application. I saved mine and my friends behind many times before.

R-Linux is a free file recovery utility for the Ext2/Ext3/Ext4 FS file system used in the Linux OS and several Unixes. R-Linux uses the same InteligentScan technology as R-Studio, and flexible parameter settings to provide the fastest and most reliable file recovery for the Linux platform. However, unlike R-Studio, R-Linux cannot recover data over a network or reconstruct RAIDs, or provide object copy.

Features (from their website):

R-Linux recover files:

  • Removed by virus attack, power failure, or system crash;
  • After the partition with the files was reformatted, damaged, or deleted;
  • When the partition structure on a disk was changed or damaged. In this case, R-Linux can scan the disk trying to find previously existing partitions and restore files from found partitions.
  • From disks with bad sectors. In this case, R-Linux can first copy the entire disk or its part into an image file and then process the image file. This is especially useful when new bad sectors are constantly appearing on the disk, and the remaining information must be immediately saved.
Читайте также:  Основы linux от основателя gentoo все части

R-Linux Advanced features:

  • Standard «Windows Explorer» — style interface.
  • Host OS:
    • Linux variant: Linux, kernel 2.6 and above
    • Windows variant: Win2000, XP, 2003, Vista, Windows 7, Windows 8

    I didn’t expect this to be free for Linux. I already know R-Studio and it is a fabulous software. Great that it’s free for Linux filesystems.

    sudo apt-get install scalpel 

    trying it now. I don’t quite understand how to add new files to the conf file. Do you have nay source with details?

    I found howtoforge.com/recover-deleted-files-with-scalpel which is better than nothing. Good luck, this ain’t no MS-DOS.

    see also ubuntu.stackexchange.com/questions/2596/… I use a relatively heavy system backup, but have «Back in Time» set up to dup selected directories from /home/msw (including .config which also catches .config/keepassx/* (your locations may vary)) to a spare partition nightly. I’ve also been using Unix since forever and you usually become pretty careful after the second time you blow away the-really-critical.file 😉

    Scalpel seems to be doing the same as foremost but while scalpel is no longer developed since 10 years, foremost got many updates in recent years.

    Tried to use scalpel. Could not not even run it on my .dsk image with ext4. Got a bunch of segmentation faults on uninstalled it.

    If using secondary internal HD (suspect the same for external HD) for recovered file import (from main HD, where the files originally were), it’s necessary to make a directory, into which the files will be put in on secondary HD. To do it, you need to have BIOS setting for booting from CD first! 1. Start Live Ubuntu Rescue-Remix CD, give command to boot, then when it boots into terminal, check your HDs by command – Code: sudo fdisk -l

    Realize what HD is main, and which is secondary, and what partition to check for files and into which to recover them – linux ext3 or Windows NTFS! Mine was Linux. Have enough room on it! (Then you can try to run Photorec (“sudo photorec”) and hopefully you’ll be able to see all your HDs. I was not that lucky, so I had to make directory and mount sec. HD.)

    1. Make directory for recovered files first, e.g. – media/disk. Give command – Code: sudo mkdir /media/disk

    If alright, terminal prompt simply returns.

    1. Must mount secondary HD, or it’ll be invisible, even if “sudo fdisk -l” does show it. Give command for your secondary HD – Code: sudo mount -t ext3 /dev/sdb2 /media/disk

    If alright, terminal prompt simply returns.

    Go thru settings, and only choose file types that you want, otherwise you’ll have thousands of files to sift thru!

    Источник

Оцените статью
Adblock
detector