Linux restore file after rm

RootUsers

Guides, tutorials, reviews and news for System Administrators.

How to Restore a Deleted File in Linux

If you’ve accidentally deleted a file in Linux, don’t worry, you can probably still restore it as long as that area of disk has not yet been overwritten. This post will show you how to easily restore a deleted file in Linux.

Foremost is able to search a disk or raw image file to recover files based on their headers, footers, and internal data structures.

Install Foremost

Foremost is available in many different distributions of Linux.

Mint/Debian/Ubuntu

We can install Foremost in Linux Mint, Debian, or Ubuntu by simply running the following command.

CentOS/RHEL

By default Foremost is not available in any of the standard CentOS/RHEL repositories, so we’ll install it directly from the RPM.

In this example we are using CentOS 7, however once you’ve installed Foremost the rest of the steps should be the same in any Linux distribution.

Deleting a File

Now that Foremost is installed, let’s delete a file. It’s worth noting that Foremost does not need to be installed when the file was deleted, that’s just the order I happened to do things in.

In this example we will be removing the image.jpg file shown below.

We’ll use this information later to verify that the file has been successfully restored. Now we’ll delete the file using the rm command .

Restore a Deleted File

Next we’ll create a directory to restore our files to. Foremost requires an empty directory for this purpose, so we’ll make /root/restored/.

Now we are ready to run the Foremost command and restore our image file. The -i switch is used to specify the disk or image file that we want to search, while -t is used to restore files of the type specified. Foremost supports many different files, check the foremost man page for the full list. This is required as foremost searches the disk based on the headers which that type of file uses.

This took approximately 2 minutes to complete on an 18gb disk. This will find any .jpg files in /dev/sda3 and restore them into the /root/restored/ directory, as long as the space they are using on disk has not yet been overwritten by anything else.

If we look inside our /root/restored directory, we can see that our image file has successfully been restored. The md5 hash of the file is exactly the same as the file before we deleted it.

As file names are not stored within the file itself it is not possible to restore the file with the original file name, however the data is all there.

Summary

We installed the Foremost tool on our CentOS 7 machine and used it to restore a deleted file. Using the md5 hash of the file before and after recovery, we can confirm that the exact same file has successfully been recovered.

Foremost is a pretty simple to use tool to perform data carving, I’ve used it with some success in a number of Capture The Flag (CTF) style challenges.

Источник

How to recover files I deleted now by running rm *? [duplicate]

By mistake I ran rm * on the current directory where I created many c program files. I had been working on these since morning. Now I can’t take out again the time that I spent since morning on creating the files. Please say how to recover. They aren’t in recycle bin also!

2 Answers 2

If a running program still has the deleted file open, you can recover the file through the open file descriptor in /proc/[pid]/fd/[num] . To determine if this is the case, you can attempt the following:

If the above gives output of the form:

take note of the PID in the second column, and the file descriptor number in the fourth column. Using this information you can recover the file by issuing the command:

If you’re not able to find the file with lsof , you should immediately remount the file system which housed the file read-only:

or unmount the file system altogether:

The reason for this is that as soon as the file has been unlinked, and there are no remaining hard links to the file in question, the underlying file system may free the blocks previously allocated for the deleted file, at which point the blocks may be allocated to another file and their contents overwritten. Ceasing any further writes to the file system is therefore time critical if any recovery is to be possible. If the file system is the root file system or cannot be made read-only or unmounted for some other reason, it might be necessary to shutdown the system (if possible) and continue the recovery from a live environment where you can leave the target file system read-only.

After writes to the file system have been prevented, there is no immediate hurry to attempt the actual recovery. To play it safe, you might want to make a backup of the file system to perform the actual recovery on:

The next steps now depend on the file system type. Assuming a typical Ubuntu installation, you most likely have a ext3 or ext4 file system. In this case, you may attempt recovery using extundelete . Recovery may be attempted safely on either the backup, or the raw device, as long as it is not mounted (or it is mounted read-only). DO NOT ATTEMPT RECOVERY FROM A LIVE FILE SYSTEM. This will most likely bring the file system to an inconsistent state.

extundelete will attempt restore any files it finds to a subdirectory of the current directory named RECOVERED_FILES . Typical usage to restore all deleted files from a backup would be:

With older versions:

With newer versions (e.g. 0.2.4), don’t mount the device you’re trying to recover from (thanks to Ryan Lue) :

Instead of —restore-all , you can try options like —restore-file

Источник

How to recover the deleted files using «rm -R» command in linux server? [closed]

Want to improve this question? Update the question so it’s on-topic for Stack Overflow.

Closed 5 years ago .

I have unfortunately deleted some important files and folders using ‘rm -R ‘ command in Linux server.

Is there any way to recover?

3 Answers 3

since answers are disappointing I would like suggest a way in which I got deleted stuff back.

I use an ide to code and accidently I used rm -rf from terminal to remove complete folder. Thanks to ide I recoved it back by reverting the change from ide’s local history.

(my ide is intelliJ but all ide’s support history backup)

Short answer: You can’t. rm removes files blindly, with no concept of ‘trash’.

Some Unix and Linux systems try to limit its destructive ability by aliasing it to rm -i by default, but not all do.

Long answer: Depending on your filesystem, disk activity, and how long ago the deletion occured, you may be able to recover some or all of what you deleted. If you’re using an EXT3 or EXT4 formatted drive, you can check out extundelete .

In the future, use rm with caution. Either create a del alias that provides interactivity, or use a file manager.

Источник

How To Recover Deleted Files In Linux [Beginner’s Guide]

Last updated October 29, 2020 By Community 108 Comments

Brief: This article shows you how to recover deleted files in Linux using command line tool Test Disk. It’s an easy to use tool that almost anyone can use to recover lost files in Ubuntu or other Linux distributions.

Have you ever gotten that horrible feeling? The one you get when you realize that you accidentally deleted files and it’s not even in the trash? Often it is immediately preceded by denial: I know I have another copy of it somewhere.

But rather than going through all the stages of grief, don’t worry. And remember you’re not alone; sooner or later everyone does this.

“Don’t worry?” you counter, “I just erased the only copy of my resume!”

No really, don’t worry. All that’s happened is that it’s been bumped off a list. So long as you don’t write onto the drive, it absolutely still exists. In fact, depending on the size of the file and the free space on your drive deleted files can persist indefinitely—even if you do write on the drive.

“Yes, fine” you say, “I’ll rest easy knowing my resume ‘exists’ in some abstract sense. But so far as I’m concerned if I can’t open, edit or print from it, it doesn’t exist in any practical sense. What would really help would be a way to ‘un-delete’ files. And one that doesn’t require an IT forensics lab.”

Really, don’t worry—you don’t need a lab to recover the deleted files. Furthermore, if you can get past using a primitive GUI, it’s actually easy to do! I’ll show you how to use TestDisk to recover deleted files.

How to recover deleted files in Linux using TestDisk

Let me present a simplified example: I took a clean thumb drive added some files, then deleted one. Now, my system has a feature which will directly delete files from removable media, by-passing the “trash” altogether; that is if I choose to “right” click on a file and then choose “delete”. It still presents a warning, but one click on the “yes” button and the file is gone forever. Or appears to be.

But this time I didn’t get that horrible feeling. And no, not because this is a cooked up scenario. I knew that all I had to do was open the terminal type “testdisk” and hit “enter”. When I did this for the first time I had one of my “Linux moments”. Because if you don’t have it—and I didn’t—it tells you how to get it! Just type “sudo apt install testdisk” and enter and you’ll have it in about 10 seconds.

If you prefer videos, you can watch this video of the same tutorial on It’s FOSS YouTube channel:

Step 1

You need to install TestDisk tool first. Most Linux distributions already have this tool in their official repository. In Ubuntu and other Ubuntu based Linux distributions such as Linux Mint, elementary OS etc, you can use the command below to install TestDisk:

sudo apt install testdisk

Arch Linux users can install it from AUR. You can download it for other Linux distributions from the link below:

Though I am using Ubuntu in this tutorial, this doesn’t mean it is only to recover deleted files in Ubuntu Linux. The instructions presented here works for other distributions as well.

Step 2

Run TestDisk in the terminal using the command below:

Step 3

When you open it, you’ll see something that looks like this. Be patient! The interface is actually straightforward but you do have to carefully read the text. Use the arrow keys to navigate and “enter” to select.

Screens that have extra commands will tell you so. Also note that TestDisk 7.0 tends to highlight the next reasonable step. It’s almost always right but do read the screen, since it can’t read your mind. In any case, when it wants you to let it create a log file, indulge it. It’s about to pull you out of a hole.

Step 4

Now, at this point, if you’re lucky, you should see your drive. And you can proceed to the last steps. But let’s assume you’re not, that you have, say, a multi-boot machine. In this case, ownerships can get blurry, and Testdisk needs your permission to open them. You’ll see something like this:

Select “sudo” and enter your password. Hit “enter” and “enter” again on the next screen to create another log file.

Step 5

This time Testdisk displays all your drives. Arrow key to the drive in question and hit enter.

Step 6

Testdisk has again selected the correct setting. This makes sense since a simple storage device is seldom partitioned. Again hit enter:

Step 7

And finally we have to do a little thinking to do. If you read the first screen—and I’ll bet you didn’t—this program isn’t just for recovering deleted files. It’s a powerful disk utility. But if we remember what we’re trying to do the choice is fairly obvious: we’re not trying to fix a disk, we’re trying to recover a file. Select “Advanced” and hit “enter”.

Step 8

At the bottom of the page choose “Undelete” and get ready to see a ghost!

Step 9

Testdisk will scan for files and produce a list of deleted files highlighted in red. Arrow down to it and carefully read the choices at the bottom.

Step 10

Again, bear in mind that Testdisk is a multi-function tool. Most of these options deal with groups of files; we only want our damn resume back! So hit “c”.

As you can see from the scoreboard, we’ve won 1-0. After hitting “c” there are options about where you might want to recover the file to, but it defaults to your home folder. And again this is generally the best thing to do. Navigating in Testdisk is a little tricky, whereas dragging and dropping after the fact is a breeze.

A few tips on recovering deleted files in Linux using TestDisk

First, if you find yourself somewhere you don’t want to be, hit “q” for quit. This won’t close the program, instead, it will act like the “back” button on a program with a full blown GUI, and put you back a page. And just like a “back” button repeating will eventually lead you back to the beginning.

Second, as with anything, the fewer the distractions, the easier it is to find what you’re looking for. In other words, physically detach all other storage drives. In graphically simple environments simplicity is your friend.

Finally, Testdisk can also help you retrieve files that have become inaccessible for other reasons. In fact, this is why I started using the program in the first place. I was trying to save files from a corrupted drive that could not be made to boot. Normally it’s simply a matter of removing said drive any hooking it up to a USB adapter. You can then mount it on another PC and copy the files where ever you want.

But what if the drive is formatted to LVM? This was my problem because a mounted LVM drive looks nothing like a normal Linux OS. None of the usual files appear, and hunting around simply doesn’t help. This, among other reasons, is because most Linux file managers can no longer read ext.2 file systems.

Nevertheless, after a few false starts, I was able to find and save the missing files. Note, however, that the sequence of steps here will be a little different, you may need to use the “analyze” option for Testdisk to make sense of the drive and you may have to poke around a little to find the “home” folder once you do. Furthermore, the files you’re looking for will not appear in red since they were never deleted in the first place. But once you do find them, the copying procedure is basically the same.

With Testdisk and a little luck, you may never lose your resume again as you can always recover deleted files in Linux.

Disclaimer: This tutorial is a reader submission.

Dave Merritt

I’m a 59 years old, full­time landscaper and part­time PCmedic. I’ve been an avid Linux user for over ten years. In that time, I do not claim to have made every possible mistake, only most of them. I’m a big fan of prog rock, avant­ jazz and J S Bach, and enjoy reading Neal Stevenson and anything to do with the foundational problems in modern physics.

Like what you read? Please share it with others.

Источник