Monday, August 26, 2013

Recover Deleted Files in Linux

You need only few microseconds to lose your files which you have done by spending more that few hours or days even. But thanks to Smart guys there are ways to recover it fully or partially.
First of all,  come on, Calm down! it is not only yours but also happened to others.... just follow these simple steps:

  1. Install a tool called "foremost" which  is used for recovering deleted files. Type sudo apt-get install foremost in your shell terminal. 
  2. Find the name of your disk by using the command sudo fdisk -l.  This command lists all the drives found in your system including the pen drives (if plugged)Assume we want to recover the files deleted  from a disk /dev/sdb1 
  3. Create an image of the drive you want to recover by using sudo dd if=/dev/sdb1 of=/home/myimg.img, Where /dev/sdb1 is the name of the drive to be recovered and /home/myimg.img is the out put location and file of the recovered file. 
    Please note that, make sure  to have enough space in out put directory. If you don't have you can use external storage devices.  This step may take long time depending on your disk size and how large your files have been. So be patient and wait until it finish. If you are not patient google for other solutions or redo the work :-) 
  4. Once the recovery  image is created give a permission for the user by typing sudo chown name.name /home/myimg.img Where name is the name of the user in your system. 
  5. Create a directory for your recovery files. Lets use the home directory; use this command  mkdir recovery when recovery can be any valid name  directory.
  6. Use this command and recover your files. foremost -vqQ -o recovery/ -t type -i mypendriveimage.img Where the option -t type specifies the file format (e.g. pdf, doc...) you want to recover from the image.  This tool currently supports some common formats only. As a result ofg this you may not get back the file you are looking. After this step completes check the recovery directory, and you can get the recovered files organized by file format. However, the file name of the files is a number not the original file names. It is a bit difficult to filter your file from very huge (really depends on your files) list of files. Most probably the first file recovered may be the latest file created in your system. You can check audit.txt file created during the recovery to know which is recovered first.  Otherwise use other commands such as grep to get your files or manually (would be very tiresome and may be easier to redo the work :-) ) check each files.... 
Still you don't get your files.... Uhmmmm .... be calm and google around or redo it. Or Write a program that can recover deleted files.... and share to us as welll ;-) 

The best way is DON'T DO SHIFT PLUS DELETE unless you're quite certain that you don't need the files in the future.  

Reference: