Linux Data Recovery – How to Recover Deleted Files

data-recoverydeleted-fileslinux

Is there a command to recover/undelete deleted files by rm?

$ rm -rf /path/to/myfile

How can I recover myfile? If there is such a tool how can I use it?

Best Answer

The link someone provided in the comments is likely your best chance.

Linux debugfs Hack: Undelete Files

That write-up though looking a little intimidating is actually fairly straight forward to follow. In general the steps are as follows:

Use debugfs to view a filesystems log
```
$ debugfs -w /dev/mapper/wks01-root
```
At the debugfs prompt
```
debugfs: lsdel
```

Sample output

Inode  Owner  Mode    Size    Blocks   Time deleted
23601299      0 120777      3    1/   1 Tue Mar 13 16:17:30 2012
7536655      0 120777      3    1/   1 Tue May  1 06:21:22 2012
2 deleted inodes found.

Run the command in debugfs
```
debugfs: logdump -i <7536655>
```

Determine files inode

...
...
....
output truncated
    Fast_link_dest: bin
    Blocks:  (0+1): 7235938
  FS block 7536642 logged at sequence 38402086, journal block 26711
    (inode block for inode 7536655):
    Inode: 7536655   Type: symlink        Mode:  0777   Flags: 0x0   Generation: 3532221116
    User:     0   Group:     0   Size: 3
    File ACL: 0    Directory ACL: 0
    Links: 0   Blockcount: 0
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x4f9fc732 -- Tue May  1 06:21:22 2012
    atime: 0x4f9fc730 -- Tue May  1 06:21:20 2012
    mtime: 0x4f9fc72f -- Tue May  1 06:21:19 2012
    dtime: 0x4f9fc732 -- Tue May  1 06:21:22 2012
    Fast_link_dest: bin
    Blocks:  (0+1): 7235938
No magic number at block 28053: end of journal.

With the above inode info run the following commands

# dd if=/dev/mapper/wks01-root of=recovered.file.001 bs=4096 count=1 skip=7235938
# file recovered.file.001
file: ASCII text, with very long lines

Files been recovered to recovered.file.001.

Other options

If the above isn't for you I've used tools such as photorec to recover files in the past, but it's geared for image files only. I've written about this method extensively on my blog in this article titled:

How to Recover Corrupt jpeg and mov Files from a Digital Camera's SDD Card on Fedora/CentOS/RHEL.

Restoring all

extundelete is designed to undelete files from an unmounted partition to a separate (mounted) partition. extundelete will restore any files it finds to a subdirectory of the current directory named “RECOVERED_FILES”. To run the program, type “extundelete --help” to see various options available to you.

Typical usage to restore all deleted files from a partition looks like this:
    $ extundelete /dev/sda4 --restore-all

Restoring a single file

In addition to this method highlighted in the command line usage:

--restore-file path/to/deleted/file
    Attemps to restore the file which was deleted at the given filename, 
    called as "--restore-file dirname/filename".

So you should be able to accomplish what you want doing this:

$ extundelete --restore-file /var/tmp/test.iso /dev/sda4

NOTE: In both cases you need to know the device, /dev/sda4 to perform this command. You'll have to remount the filesystem as readonly. This is one of the conditions of using extundelete and there isn't any way around this.

Best Answer

Other options

Related Solutions

Undelete File on ext4 with extundelete – Recover Deleted Files on ext4

Restoring all

Restoring a single file

Related Question