How to Recover Deleted Files in Linux


File recovery on Linux is a bit different than on Windows. It requires different software because each OS uses its own file systems: Windows uses NTFS or FAT, while Linux uses ext-based file systems.
I personally use the ext4 file system because it's the latest and greatest ext-journaling system and supports a large level of directory recursion and file sizes, but most installations still use ext2 or ext3. When a file is deleted from a disk, its data is not erased; the file system simply marks the space it occupied as free so that it can be written over. Until that space is reused, the contents are still on the disk.

Today, we are going to use the data recovery tool suite TestDisk + PhotoRec to carve deleted files from our disk.
For this guide, I will be running the tools under Arch Linux. Let's set up a test environment and get started.
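How carving works in principle, as an added example that is not part of the original post and is not PhotoRec's code: the carver ignores the file system and scans raw bytes for known file headers and footers. The sample "image", the signature table and the function names are constructed for illustration; no real disk is read.

```python
# Added example: minimal signature-based file carver over a constructed image.
# (type, header magic, footer magic) for two formats with fixed start/end markers
SIGNATURES = [
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9"),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
]

def carve(raw, max_size=10 * 1024 * 1024):
    """Return sorted (offset, type, data) for each header..footer span in raw."""
    found = []
    for ext, header, footer in SIGNATURES:
        pos = raw.find(header)
        while pos != -1:
            end = raw.find(footer, pos + len(header), pos + max_size)
            if end == -1:
                # Header with no footer: the tail was overwritten or the file
                # is fragmented, so a naive carver cannot recover it.
                pos = raw.find(header, pos + 1)
                continue
            end += len(footer)
            # Note: a real JPEG may embed a thumbnail with its own footer,
            # which would cut this naive span short.
            found.append((pos, ext, raw[pos:end]))
            pos = raw.find(header, end)
    return sorted(found)

def build_sample_image(block=4096):
    """Constructed stand-in for a partition's free space (zero-filled blocks)."""
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-constructed-payload" + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"constructed-chunks" + b"IEND\xaeB`\x82"
    partial = b"\xff\xd8\xff\xe0" + b"tail overwritten"  # footer is gone
    img = bytearray(block * 8)
    img[block * 2:block * 2 + len(jpeg)] = jpeg        # "deleted" picture
    img[block * 5:block * 5 + len(png)] = png          # another deleted file
    img[block * 7:block * 7 + len(partial)] = partial  # partly reused space
    return bytes(img), jpeg, png

if __name__ == "__main__":
    image, _, _ = build_sample_image()
    for offset, ext, data in carve(image):
        print(f"offset {offset}: recovered {len(data)}-byte .{ext}")
```

The third file in the sample is not recovered because its end was overwritten, which is why recovery should be attempted before anything else is written to the partition.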

Step 1: Download TestDisk + PhotoRec

The indented lines are terminal commands.
  1. Download the tool suite.
        sudo wget http://www.cgsecurity.org/testdisk-6.13-WIP.tar.bz2
  2. Extract the archive. It is bzip2-compressed, so use the j flag.
        sudo tar xjvf <file archive>
  3. Change to the newly made directory.
        cd <testdiskdir>
  4. Configure for compilation.
        ./configure
  5. Now, compile and install the software.
        sudo make && sudo make install
Let's move on to the simulation of a lost file and its recovery.

Step 2: Delete a File and Recover It

For this example, we should set up a file or picture that we want to have deleted. I chose this one of Tux, the Linux mascot!

Now, open up a file manager or a terminal and delete the file you would like to practice recovery on. After that's all set, open up a terminal and let's run the tool and recover it!

  1. Run the program.
        sudo photorec
  2. Select the hard drive that you will be recovering from.
  3. Hit Proceed.
  4. Select Intel partition type.
  5. Now select your home partition; mine is installed on /dev/sda3.
  6. Select Ext2, Ext3 and Ext4.
  7. For this part, I would select free to scour the free space, or you could use the whole disk; it doesn't really matter.
  8. Select the directory you deleted the file in; mine was in ~/Downloads.
  9. After that runs, you should have all of it figured out and recovered! Congratulations on getting your file(s) back!

Do you have questions, comments, or suggestions? Feel free to post a comment! 





About Me

Saint Andrew is a computer science student. Saint Andrew is a founder of the blog Saint Andrew's Hacking Paradise.

His mission and the aim of this blog is to make the reader aware of the existing threats and describe them in a comprehensible way.

"Saint Andrew's Hacking Paradise" is a place to Learn, Understand and Explore the facts of computer technology.

You are always welcome to contact us to suggest ideas, tips, or to ask questions.

© 2011 Saint Andrew's Hacking Paradise
