Ubuntu – Can you recover previous versions of files

Tags: data-recovery, delete, editing, files

I know that if I delete a file it won't actually be 'deleted' as such, just marked as 'can be overridden when needed' so that when that space is needed the file will just be overridden, and this means that after a file is deleted it is possible to recover it even though all links to it will be gone (if any of this information is incorrect please edit this question to explain it in the correct way).
But is the same true for files which have just been edited? Can one recover the previous version of a file if the previous version hasn't been made into a .save file or something? That is, if I edit a file and then save my changes, is there any way to recover the previous version of the file like one can do with deleted files? And if not, if one does not want anyone to be able to properly recover deleted files, should one first edit the file and replace the contents with something else?

So just to clarify, these are the points I want answered:

  • Is it possible to recover the previous versions of files if no backup file has been created (such as a .save file) like one can do with actually deleted files?

  • Is editing a file before deleting it safer than just deleting it (that is, is it safer to overwrite the entire contents of a file with other contents before deleting it)?

  • Finally, do tools which 'shred' files such as BleachBit just overwrite the contents of a file with other contents (such as an encrypted version of the file where the private key is deleted) before deleting it or do they use another method?

But please note that I am not asking about how to log file changes; I am asking this question because I want to know if editing a file before deleting it is safer than just deleting it or whether previous versions can be recovered. I am not interested in answers telling me that I should use version control systems to monitor file changes.

Best Answer

Yes, it is possible to recover an overwritten file, but recovery depends on the file system and the application you're using. FAT, EXT2/3/4, NTFS all delete files by marking them deleted. (No experience with other file systems.)

What all well-written applications normally do nowadays is to open a temporary file, and if that is written correctly, delete the old file and rename the temp file to the new file. That way, if a program crashes while it's writing the new file, it doesn't destroy the old file. (E.g., that's how LibreOffice overwrites its files.)

Secure wipe applications normally overwrite the file, but under EXT4 and NTFS defragmentation intelligence and journalling kick in, so to be absolutely, positively sure that an overwritten file is completely gone, you need to overwrite the entire free space too.

(Even on an encrypted volume)
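
The temp-file-then-rename save described in the answer can be observed through inode numbers. The script below is an added example, not part of the original answer; the function names and the scratch file `note.txt` are made up for illustration, and it assumes GNU `stat` as shipped on Ubuntu.

```shell
#!/bin/sh
# Added example: compare a file's inode before and after two ways of saving.
# A changed inode means the new contents went into a different file and the
# old file's data blocks were only unlinked (marked free), never overwritten.

inode_of() { stat -c %i "$1"; }   # GNU stat

# Save by truncating and rewriting the existing file.
save_in_place() {
    printf '%s\n' "$2" > "$1"
}

# Save the way the answer describes: write a temp file in the same directory,
# then rename it over the original (rename stays on one file system).
save_via_rename() {
    target=$1
    tmp=$(mktemp "$(dirname "$target")/.tmp.XXXXXX") || return 1
    printf '%s\n' "$2" > "$tmp" && mv -f "$tmp" "$target"
}

# Run one save method on a scratch file; print "same" or "changed"
# depending on whether the inode survived the save.
inode_after_save() {
    method=$1
    dir=$(mktemp -d) || return 1
    f=$dir/note.txt
    printf 'old contents\n' > "$f"
    before=$(inode_of "$f")
    "$method" "$f" "new contents"
    after=$(inode_of "$f")
    rm -rf "$dir"
    if [ "$before" = "$after" ]; then echo same; else echo changed; fi
}

# Note: "same" only shows the file object was reused. Truncation can still
# free the old blocks and allocate new ones, so it is not proof of overwrite.
echo "in-place save:    inode $(inode_after_save save_in_place)"
echo "temp+rename save: inode $(inode_after_save save_via_rename)"
```

With the rename method the old version is just another deleted file, which is why editing a document in an application before deleting it does not reliably destroy the previous contents.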
