An easier method of recovering deleted files on Linux

WARNING: The Steps Given in this Article are potentially Dangerous, Proceed at your own risk and read the Article in full before starting

Obviously, if you hose all your other data, it’s not my fault, even if you’ve followed the article word for word (not that I plan on leading you astray!).

Before you read any further, do the following

  1. Stop using the relevant disk immediately, you don’t want to overwrite the inodes!
  2. Inform any other users to avoid using the disk
  3. Obtain a second drive to recover the files to. Do Not Try to recover the files to the Disk they were deleted from. It’ll crash your system at best
  4. Make a backup of the disk you are going to be working on ( cat /dev/sda > mybackup.hd where sda is the name of your device )

Ok now to grab the program you need – PhotoRec. It comes bundled with TestDisk which is also a useful utility, however for our needs it is somewhat irrelevant for the time being. The utility comes precompiled for linux, so download the tarball and cd into the directory you saved it to (Don’t save it to the disk you deleted the files from!!!!) and then do the following.

tar jxvf testdisk-6.11.3.linux26.tar.bz2
cd testdisk-6.11.3/linux
chmod +x ./*
./photorec_static

This will load up and ask you a few questions, answer these to the best of your knowledge. For Hard Drive recovery (inc. USB) I chose Intel/PC for the disk type. Obviously you will want to select the appropriate partition for the files you deleted. Keep an eye on the bottom row of the screen as the File Options tab will appear part way through. Use the arrow keys to select this and then press Enter to access the filetype list.

Obviously the filetypes you want to recover will vary based on what you deleted. To try and keep the chaff to a minimum, only select relevant extensions (use the space bar to toggle between selected and not). Once you are happy with the selection press ‘s’ and then Enter

Use the arrow keys to move back to the continue tab, and finish answering the questions.

Note: The most misleading question is “Use /some/dir/ for recovery? [Y/N]” don’t press N, it’ll take you right back to the start. Instead use the arrow keys to navigate the directory list below (selecting .. takes you up 1 directory) until you’ve located the directory you wish to restore to (Which is obviously on a different disk!). Then press Y.

You will be asked what type of recovery you want to do – Full or Empty. If you have deleted the files recently, and not put anything new onto the disk then select Empty, it’s quicker. If there’s any chance you may have overwritten even part of the file, choose Full. But be aware that it will go through the entire disk, meaning
a) it’ll take a while
b) It’ll probably restore files that you did mean to delete.

Either way, you’ll need to leave your PC to it for a while, when you come back you’ll probably find several new directories within your recovery dir. These will be full of files starting with f. Unfortunately the program doesn’t recover filenames, so you’ll have to work through bit by bit to identify each one. The filename extension identifies the type of file that Photorec thinks it is ( Note: If you are recovering a DVD rip, the .Vob files will be restored with a .mpg extension ).

If you are trying to restore large media files, it can be an absolute nightmare, and it’s probably easier to restore from backup (you did make one didn’t you?). But for small files, it’s very handy (especially if they haven’t been backed up yet!).

Hopefully you’ve managed to recover your files, and have put up with the headache of identifying and recombining them, but if not then you have my commiserations.

Either way, now might be a very good time to review your backup schedules. Are you backing up regularly enough, are you making backups of what matters? A simple bash script added to your crontab is more than enough to automate your backups.

WARNING: The Steps Given in this Article are potentially Dangerous, Proceed at your own risk and read the Article in full before starting

Leave a Reply