Linux show deleted files

How to Recover a Deleted File in Linux?

We have all accidentally deleted a file in Linux and regretted it later, after failing to find it even in the trash. But what if we could recover it? In this article, we discuss how to recover a deleted file in Linux.

Whenever we delete something from our system, it is not actually erased until that space on the disk is overwritten by something else. You can also read about how to securely delete any files permanently.

The best way to Recover a Deleted File in Linux is as follows:

1. Unmounting:

Unmounting a device immediately after we realize we’ve deleted important files is the best option to prevent the data blocks of the deleted files from being overwritten with other data.

  • First, shut down the system and do the recovery by booting from a Live CD/USB
  • Find the partition that contains the file you deleted, for example /dev/sda1
  • Recover the file (make sure you have enough space)

2. lsof command:

Sometimes an open file is deleted accidentally. In that case, the lsof command can be a lifesaver for recovering that file.

A copy of the file can be recreated with the help of lsof before the application holding it open closes it. This works because the inode is still active, so the data blocks remain on disk until the application holding the file open closes it.

Step 1: Make a test file inside the /tmp directory

Step 2: Run something that will hold the file open:

Note: Here the number is 8561 but in your case, it might be different so use the commands accordingly.

Step 3: List the process for confirming the open process

Step 4: Manually delete the file and try listing it; you will be shown an error message because it has been deleted

So now we are sure that the file is actually deleted. Let's now try to recover it with the help of the lsof command

Step 5: For displaying the open file descriptor of the process use lsof command

The PID of the process that is holding that file open is displayed in the second column.

Step 6: Now we have to locate the open file descriptor in /proc directory

Step 7: Now the open file (that was deleted but is still held open by another process) can be copied back to its original location, i.e., under /tmp. After that, you can also rename it to its original name

Now you are done recovering the file that you thought was lost forever.

3. Foremost (forensics tool):

Foremost is a forensic tool that comes more or less pre-installed in Kali Linux; if it is not there, you can install it from the command line. Foremost is used to recover deleted files from hard disks, memory cards, pen drives, etc.

This tool uses a process called File Carving for recovering data.

For recovering a deleted image use the following command:

Where /dev/sda1 is the underlying partition where /boot resides.

Here /home/tithi/Downloads/gg is a directory on a separate disk where the recovered files will be written (don’t recover files onto the same drive the deleted ones were on, or it might fail to recover anything). Many files will be recovered together, and the recovered file names won’t match the original ones.


Recover deleted files on Linux (Beginners Tutorial)

Have you ever deleted any important files by mistake? Who doesn’t! Okay, but can I recover them? In this post, you will learn how to recover deleted files on Linux using various programs on different file systems.


You will see how to recover deleted files from SD cards, HDDs, and deleted partitions on different Linux file systems such as EXT3, EXT4, and even from Windows file systems such as FAT32 & NTFS.


Recover files from deleted partition

This is quite a problem. Linux users often install several systems side by side, and they may delete a partition by mistake during the installation process.

How can we recover files from those deleted partitions? For this, we need to recover the partition using a tool called TestDisk.

TestDisk is a powerful partition analysis and data recovery utility. Most Linux distributions such as Debian and Ubuntu come with TestDisk.

On the other hand, the application is cross-platform and supports a large number of partition tables such as Intel, MSDOS, and Mac. These are the most popular partition tables.

Also, it supports many file systems such as NTFS, EXT4, and other less popular file systems such as BeOS and ReiserFS.

When you delete a file, the list of clusters occupied by the file is deleted, marking those sectors as available for use. If the clusters have not been overwritten, TestDisk can recover the files.

First, start the application like this:

Next, you have the option to create a new file for the logs. If you want to create one, choose the create option and press Enter. If you don’t want a log file, select the No Log option.

Next, the disks or partitions recognized by the system will be scanned. In this particular case, sda is the partition we want to recover.

TestDisk recognizes various types of partition tables. It is usually Intel unless you are using a specialized one.

In the next screen, you will see a series of options that the program has. For this particular case, we need to choose the Analyse option.

With this option, the program will exhaustively analyze the disk to find the structure.

Then, it will ask about the type of search you wish to do. Usually, choose the Quick Search option.

If you are lucky, you will see the deleted partition. If not, you will have to choose a deeper search.

Then, choose the Write option to write the partition table. When finished, restart the system, and you will have your partition back!

Note that these steps may take a long time. It depends on the disk size.

Depending on the type of file system this partition has, particular instructions will be followed. They are detailed later.

Recover deleted files from an external drive

Now let us imagine we have an external flash drive and, by mistake, have deleted some files from it. How do we restore them?

Thanks to TestDisk, the process becomes quite similar to that of a deleted partition. But there are some differences.

To start the program, we will use the testdisk command. Also, we can add the flash drive as a parameter like this:

Next, select proceed. Then, choose the partition table type.

Then, select the Advanced options to recover files.

The next step is selecting the partition and the Undelete option.

Then, you will see all the deleted files on the partition.

Now, select the destination folder to place the recovered files. You need to press C on the first option to place the files in the current directory.

Finally, you will see this message:

Congratulations! Files restored.

Recover deleted files from SD card

SD cards are commonly used for multimedia files. Therefore, it is advisable to use a more specialized program for these files.

In this case, we will use the application called PhotoRec, which comes bundled with TestDisk.

First, insert the SD card into the PC. Next, run photorec as root:

Then, you will see the following image. Select the media and proceed and press Enter.


Next, select the partition, then select Options and press Enter.

There you will see the recovery options:

Press q to return to the previous screen. It is necessary to choose the types of files that we want to recover. This is achieved by selecting the File Opt option.

Press the s key to select and deselect all formats. You can also select the types of files you want to recover using the right key. To save the selected options, press the b key. Return to the main menu using the q key.

Then, on the main menu, choose the Search option to start the process. And choose the file system.

You will then be presented with two options. Free and Whole. Normally, Free is enough. If you want to do a deep analysis, choose Whole, but keep in mind that it will slow down the process.

Now, it is necessary to choose the location where the files will be saved. To do this, press the c key.

After choosing the destination, the recovery process will start. Remember that the system will collapse and freeze. So be patient.

In the end, you will see a message informing you of everything that has happened.

Next, check the results.

Recover deleted files from NTFS

NTFS is a Windows file system. If you are one of those who use both systems on the computer, then you may need to restore deleted files from a Windows partition with this file system.

To do this, we have a tool called ntfsundelete that is quite simple to use.

First, you need to scan the disk or partition. For example:

Then, we will be able to recover the deleted file with the following command:

The recovered files now belong to the root user. The last step is to change the permissions and owners of the files using the chown command.

Recover Files from FAT32

Another common Windows file system is FAT32. You can recover files from FAT32 by using TestDisk.

So again run testdisk as root user and pass the disk as a parameter:

Then continue the steps as described above to restore the files.

Recover in-memory files (Using inode)

If you delete a file that is in use by another process, you can restore it from memory using its inode.

Some initial conditions must be established. First, the deleted file MUST remain open by another process. Then you have to verify the process and finally recover it and change its permissions.

In this case, I will create a file called example.txt using the nano editor and add some text:

Then save the changes and open another terminal window and use the file. For example, with the less command.

Open another terminal session, delete the file and make sure it’s deleted:

As you can see, the file no longer exists. But we will be able to recover it. To do this, let’s get the number of the process associated with the inode of the file.

You will notice the process and command that is using the file (the less command). From that image, we have to pay attention to the second and fourth values. These are the PID of the process and the descriptor of the file respectively.

Then, recover it with the following command:

Then copy it to whatever location you want, and that is enough to recover it.

Next, check the results and open the file:

This way, we can recover a deleted file that is still in memory and in use by a process, using its inode.
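The open-descriptor recovery described here and in the earlier lsof section, as an added shell example that is not part of the original articles. It reads /proc/PID/fd directly instead of calling lsof; the file name myfile, the sleep process standing in for less, and the function names are assumptions made for the demonstration.

```bash
#!/usr/bin/env bash
# Added example (not from the original articles): recover a file that was
# deleted while a process still holds it open. Names are hypothetical.

# Print /proc/PID/fd/N for each descriptor of PID that points at PATH
# after PATH was unlinked (the kernel appends " (deleted)" to the link).
find_deleted_fd() {
    local pid="$1" path="$2" fd target
    for fd in /proc/"$pid"/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        if [ "$target" = "$path (deleted)" ]; then
            printf '%s\n' "$fd"
        fi
    done
}

# Create, hold open, delete and recover a constructed test file.
# Prints the recovered content.
demo_recover() {
    local dir file holder fd
    dir=$(mktemp -d) || return 1
    dir=$(cd "$dir" && pwd -P)        # canonical path, as /proc reports it
    file="$dir/myfile"
    printf 'important data\n' > "$file"

    exec 3< "$file"                   # open first, so rm cannot win a race
    sleep 30 > /dev/null &            # holder inherits fd 3 (stands in for less)
    holder=$!
    exec 3<&-                         # only the holder keeps the file open now

    rm -- "$file"                     # name is gone, inode and blocks remain
    fd=$(find_deleted_fd "$holder" "$file" | head -n 1)
    if [ -n "$fd" ]; then
        cp -- "$fd" "$dir/myfile.recovered"   # must happen before the holder exits
    fi
    kill "$holder" 2>/dev/null || true
    wait "$holder" 2>/dev/null || true
    if [ -f "$dir/myfile.recovered" ]; then cat "$dir/myfile.recovered"; fi
    rm -rf -- "$dir"
    [ -n "$fd" ]
}

demo_recover
```

Once the holding process exits, the last reference to the inode is dropped and this route no longer works, so the copy has to be taken while the process is still alive.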

Recover Deleted Files from EXT4 (Using extundelete)

EXT4 is the default file system on most Linux distributions. It is quite fast and with technical features that are very well taken advantage of by the Linux kernel.

One of the tools used to recover files from the EXT4 filesystem is extundelete.

Extundelete is an open-source application that allows recovering deleted files from a partition or a disk with the EXT3 or EXT4 file system. It is simple to use and comes by default installed on most Linux distributions.


To recover a certain file, just use the following command:

If you want to recover all the files in a folder, use the wildcard character:

But if you want to restore all files on the partition or disk, the next command would suffice:

The recovered files will be in the RECOVERED_FILES directory. This way, you can recover deleted files using extundelete.

Using debugfs

It is also possible to use the debugfs tool to recover deleted files. This tool also uses the inode number of the deleted file. However, it only works on EXT4 file systems.

Its operation is quite simple, too. First, you have to enter the partition or device.

Then, after a while, you will be able to log in to the debugfs console to search for recently deleted files.

In the first column, you will see the inode number of the deleted files in that device. Then, restore it with the following command:

And that is it. It is quite easy.

Using ext4magic

Another alternative way to recover deleted files on a disk with an Ext4 file system is to use Ext4magic. This application is also quite simple to use.

The most basic syntax of the application is the following:

If I wanted to recover the deleted files from a folder called files, the command would be similar to this one:

That is how easy it is to use ext4magic. All this is thanks to the fact that Ext4 is a community-driven, open-source file system.

Recover overwritten files (Using Scalpel)

Scalpel is another open-source tool that allows you to recover files from formatted drives, overwritten files, and even damaged drives. It is well known for its speed and efficiency. In this sense, it emerges as an alternative to consider.

Scalpel carves files without the help of filesystems. It tries to extract headers and footers of files and tries to guess the entire file structure using some well-designed algorithms.

Like TestDisk, it is available in the official repositories of most Linux distributions. Therefore, its installation is reduced to the use of the terminal and the package manager of the distribution.

The fastest and easiest way to use Scalpel is as follows:

The output_folder specifies where Scalpel will place all recovered files. Note that Scalpel will create the output directory itself.

But how does Scalpel know which files to recover? Well, that is defined in the application configuration file.

This configuration file is usually located at the following location:

And you can open it with your favorite text editor, and there you will only have to uncomment the lines to define the file formats to search.

Scalpel will search for the file formats you uncomment.

Next, run the full Scalpel command, and in the output folder, you will see the recovered files.

Sometimes, Scalpel restores parts of the file. That depends on the health of the drive and how much data has been corrupted.

Also, there are many carving algorithms you can use, but here we discussed only the basic way of carving data.
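Header and footer carving of the kind described for Scalpel above (and named as File Carving in the Foremost section), shown as an added shell example that is not code from either tool. The JPEG markers FF D8 FF and FF D9 are the real magic values; the sample image and the function names are constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example (not Scalpel's or Foremost's code): header/footer carving
# of JPEG data from a raw image, with no help from any filesystem.

# Constructed test image: junk, two fake JPEG bodies, junk.
make_sample_image() {
    printf 'JUNKJUNK\377\330\377\340first-picture\377\331' > "$1"
    printf 'more junk\n\377\330\377\341second\377\331tail' >> "$1"
}

# Print "offset length" for every span that starts with the JPEG header
# FF D8 FF and ends with the next footer FF D9 (bytes read as decimals).
scan_jpeg_spans() {
    od -An -v -tu1 "$1" | awk '{
        for (i = 1; i <= NF; i++) {
            b = $i + 0
            if (!inside && p2 == 255 && p1 == 216 && b == 255) {
                inside = 1; start = pos - 2
            } else if (inside && p1 == 255 && b == 217) {
                print start, pos + 1 - start; inside = 0
            }
            p2 = p1; p1 = b; pos++
        }
    }'
}

# Copy each span out of the image; prints how many files were carved.
carve_jpegs() {
    local img="$1" outdir="$2" n=0 start len
    mkdir -p "$outdir"
    scan_jpeg_spans "$img" > "$outdir/spans.txt"
    while read -r start len; do
        n=$((n + 1))
        dd if="$img" of="$outdir/carved_$n.jpg" bs=1 \
           skip="$start" count="$len" 2>/dev/null
    done < "$outdir/spans.txt"
    echo "$n"
}

work=$(mktemp -d)
make_sample_image "$work/disk.img"
carve_jpegs "$work/disk.img" "$work/out"
rm -rf -- "$work"
```

Because the carver only sees byte patterns, the carved files get generated names, and a footer value that happens to occur inside a file's data cuts the carved copy short, which is why carving tools can return partial files.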

Recover files from a non-bootable system

This is a delicate case because we need to access the disk from a Live CD of Ubuntu or another similar Linux distribution. Once we have booted, we can use TestDisk to try to recover the data.

In this case, we would have to use an external drive on which to save the data. On the other hand, in case TestDisk can’t do the job, we can also try extundelete or ext4magic as long as the partition is Ext4.

If it does not work, you could try regenerating the partition using TestDisk as explained above.

Conclusion

It is possible to delete files accidentally. The idea is to know the appropriate tools and techniques to recover these files.

In this post, we have covered several circumstances and different file systems that could help avoid such problems.
