Shell – Recovered deleted files on Mac by command line

data-recoveryshellshell-script

I accidentally deleted a file by running:

rm -rf ./Desktop/myScript.sh

I think it's possible to recover the file, because the rm command removes temporarily. How can I recover the deleted file on Mac OSX?

Best Answer

MacOS is a Unix OS and rm means "good-bye". The GUI interface allows you to move a file to the trash (which you can then recover) but that's not what you did. If you have a backup (e.g. you have Time Machine running) then you are saved.

Clarification

Strictly speaking (as @ire_and_curses points out) a rm simply deletes the directory entry for the file while leaving the disk blocks it used, untouched. If you could quiesce the filesystem in which the file had been, there are advanced methods by which you can try to re-discover those blocks contents. There are also some recovery tools which can be purchased to recover the loss. The central issue is that nothing else re-uses any of the disk blocks represented by your file.

The MacOS also has a secure remove command (srm) which over-writes a file before it is unlinked making it unrecoverable. I use the unlink term since this is the underlying system call associated with a shell's rm command. This sets the stage for the next part of this discussion, below.

Sidenote

[ I should hasten to add that even if you over-write a disk multiple times, there are ways to read what was written a dozen or more times before. To properly sanitize a disk for disposal really requires an acid bath, a big hammer and a shredder. ]

unlinking a file decrements the file's inode link-count. If this value reaches zero, the file is deleted from the filesystem directory and its disk blocks freed for re-use. This only happens when no processes have the file open. It is often confusing to administrators to find that a filesystem is utilizing very large amounts of space that can't be accounted for by the simple summation of disk blocks (with something like du). Most often the reason is that an open file has been removed, so that it is no longer represented in its directory. The reason is that the disk blocks remain inuse until the last process using the file terminates.

Opening a file and immediately unlinking it is actually a common practice for creating secure, temporary files. Tools like lsof can expose these otherwise invisible files if you look for files with a link count (NLINK) of zero.

In Unix and Linux (of which the MacOS is a branded Unix), an rm follows the Unix philosophy of "do-it" without fanfare if it can. That is, if you have the permissions to remove a file (i.e. your directory allows writing) then rm does just what you ask. You might like to create a shell alias rm='rm -i' that prompts you for confirmation before performing the operation. Using the -f switch with rm overrides that if necessary. An aliased rm is most useful when you do glob removes like rm *.log. That is, you have the option of skipping a file in the list.

Related Solutions

Data Recovery – Recovering Accidentally Deleted Files

I would advise against immediately installing some utility. Basically your biggest enemy here are disk writes. You want to avoid them at all costs right now.

Your best bet is an auto-backup created by your editor--if it exists. If not, I would try the following trick using grep if you remember some unique string in your .tex file:

$sudo grep -i -a -B100 -A100 'string' /dev/sda1 > file.txt

Replace /dev/sda1 with the device that the file was on and replace 'string' with the unique string in your file. This could take some time. But basically, what this does is it searches for the string on the device and then returns 100 lines before and after that line and puts it in file.txt. If you need more lines returned just adjust the -B and -A options as appropriate. You might get a bunch of extra garbage returned, but you should be able to get your text back.

Good luck.

Linux Data Recovery – How to Recover Deleted Files

The link someone provided in the comments is likely your best chance.

Linux debugfs Hack: Undelete Files

That write-up though looking a little intimidating is actually fairly straight forward to follow. In general the steps are as follows:

Use debugfs to view a filesystems log
```
$ debugfs -w /dev/mapper/wks01-root
```
At the debugfs prompt
```
debugfs: lsdel
```

Sample output

Inode  Owner  Mode    Size    Blocks   Time deleted
23601299      0 120777      3    1/   1 Tue Mar 13 16:17:30 2012
7536655      0 120777      3    1/   1 Tue May  1 06:21:22 2012
2 deleted inodes found.

Run the command in debugfs
```
debugfs: logdump -i <7536655>
```

Determine files inode

...
...
....
output truncated
    Fast_link_dest: bin
    Blocks:  (0+1): 7235938
  FS block 7536642 logged at sequence 38402086, journal block 26711
    (inode block for inode 7536655):
    Inode: 7536655   Type: symlink        Mode:  0777   Flags: 0x0   Generation: 3532221116
    User:     0   Group:     0   Size: 3
    File ACL: 0    Directory ACL: 0
    Links: 0   Blockcount: 0
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x4f9fc732 -- Tue May  1 06:21:22 2012
    atime: 0x4f9fc730 -- Tue May  1 06:21:20 2012
    mtime: 0x4f9fc72f -- Tue May  1 06:21:19 2012
    dtime: 0x4f9fc732 -- Tue May  1 06:21:22 2012
    Fast_link_dest: bin
    Blocks:  (0+1): 7235938
No magic number at block 28053: end of journal.

With the above inode info run the following commands

# dd if=/dev/mapper/wks01-root of=recovered.file.001 bs=4096 count=1 skip=7235938
# file recovered.file.001
file: ASCII text, with very long lines

Files been recovered to recovered.file.001.

Other options

If the above isn't for you I've used tools such as photorec to recover files in the past, but it's geared for image files only. I've written about this method extensively on my blog in this article titled:

How to Recover Corrupt jpeg and mov Files from a Digital Camera's SDD Card on Fedora/CentOS/RHEL.

Best Answer

Related Solutions

Data Recovery – Recovering Accidentally Deleted Files

Linux Data Recovery – How to Recover Deleted Files

Other options

Related Question