Data recovery. Recovering data in Ubuntu Linux recovering deleted files linux gui
An operation such as recovering deleted files on Linux is rarely required. But in order not to be left without important data at an inopportune moment, you should be prepared in advance and be able to quickly take the necessary measures.
Recovering deleted Linux files
There are 2 options for recovering data in a Linux system - directly from the system hard disk and from a USB flash drive.
Linux Hard Drive Data Recovery
File systems used in all operating systems, not only in Unix-like ones, are organized in such a way that they do not allow a deleted file to disappear without a trace. That is, if the file was created and was on the hard disk, then it took up some space and was included in the list of links among other objects.
When the user deletes it, the link to the file is deactivated, making it clear to the file system that the occupied space can be marked as non-swappable. In fact, the remote object still exists and is located on the clusters on which it was. Its complete erasure will occur only after overwriting its trace with other data.
From which it follows that as long as the space where the file was located is intact, it can be restored. Accordingly, after detecting the loss of data, you must immediately stop all recording processes (downloading files, creating documents, updating the system and programs, installing software) and start restoring it.
Recovering data from a Linux flash drive
Since the Recycle Bin works slightly differently on Linux than on Windows, the first step is to check it. Files deleted by the usual method, without emptying the trash after that, are stored there. To restore, it is enough to connect the drive, go to the trash and restore the object.
But if the data is erased from both sources, you will have to resort to built-in or third-party recovery software. Before doing this, it is advised to make a backup copy of the partition on which the file was located. To do this, you must follow the instructions below, with the proviso that to create a copy, you need an amount of free hard disk space equal to the size of the flash drive. In case of failure in attempts to restore data on the drive itself, you can contact a more experienced wizard, providing him with a virtual copy of the partition.
File recovery software for Linux
The easiest and most obvious way out is to go to a specialized data recovery service. But there is a huge disadvantage - the price. The extraction procedure is very expensive, and no one will tell how difficult this process was. Also, there is no guarantee for the return of all objects, especially since the equipment that can restore a file after several rewrites is supplied only to special services. So, before you despair, you should try to crank the operation on your own.
Recovering Linux files with GParted
The most common Linux partitioning program. However, not all distributions come bundled with it. Not the most reliable assistant in such operations, but it is worth trying it as an option.
Recovering files from Scalpel
Scalpel Linux is a small tool that specializes in recovering deleted files from EXT4 partitions and other file systems. It has in its arsenal a database of FS types and data formats, which makes it universal. Indeed, during scanning, it checks the remnants of records on the hard disk or flash drive with its own list, and if a match is found, it proceeds to recover deleted Linux files.
Installation and use are simple:
You can see the process more clearly here:
Recovering Ubuntu Data with TestDisk
TestDisk can also help you recover files from Linux, but in a slightly different way. The fact is that this software is not aimed at extracting data from drives, but for testing and restoring the performance of the partitions created on them.
There is also a program in Ubuntu called PhotoRec. First of all, its functionality is designed to recover files of multimedia formats and archives. This software completely ignores errors, absence or formatting of the file system, thereby scanning data without problems.
Now it ships with TestDisk, and because of this combination of efforts, the final utility is considered the best among Ubuntu file recovery software. To avoid problems due to inexperience of the user, during the basic settings and manipulations, the utility uses the approach "everything in the system is read only".
By detecting information errors, TestDisk can recreate lost partitions in various file systems, such as, for example, FAT, NTFS and EXT4. Even if the section was previously deleted, finding traces of it, the program will be able to fix dependencies that do not allow correct access to the file. The program is available in the official Canonical repository. In order to start recovering data from an Ubuntu hard drive, you need to follow the instructions:
Linux data recovery with Safecopy
Safecopy is a simple tool for interacting with sections and data. It does not help in recovering data from an Ubuntu flash drive, but it will be able to copy objects from a damaged media to a healthy one. Its advantage is that it completely ignores errors that occur when reading and copying files. Which can best affect the attempt to save multimedia files.
A couple of broken bytes will not do much harm to photos or videos, and a text document, most likely, will just need to be corrected a little. But work with archives, especially if they are under a password, can be violated.
To work with the program you need:
How to delete a file on Ubuntu
There are many ways to delete a file in Ubuntu. But it also all depends on whether it is a system file or a user file. It's easy to understand. Everything before the / home directory is system files, inside it are user files.
An acquaintance came to me with the following problem: It is necessary to recover deleted files from the flash card of the camera. I work in a store selling and configuring computers and it is natural that we only have Windows there. I had one fail-safe program in stock that helped me out, and not only, more than once - Zero Assumption Recovery. A good program, in fact, but paid for Windows. In a word, she scanned a 4 gig flash drive for 2-3 hours, and found something. I tried to restore, but in the end nothing was found in the restored folder. It was a shock for me! This was the first time with this program. I decided to try to conjure with a memory card at home, but already on my native Ubuntu 11.10.
To do this, I called a program for recovering from memory cards or flash drives called PhotoRec from the TestDisk package. If the program is not installed, then install:
sudo apt-get install testdisk
Now, without closing the Terminal, we call the program with the command
and enter the user's password
Next, all kinds of connected drives on our computer will open in front of us. The flash drive I needed was the third. Arrows up or down, right or left, we will move through the Terminal. Select the required disk / card / flash drive, in our case UDF 2.0 Silicon-Power 8G and press Enter.
If you need to restore all files, then press Enter, and if you need to restore files of one or several types, then use the Right arrow to go to the File Opt item and then press Enter.
By default, all file types are selected for search and recovery. Use the S to remove all selections. Use the Up and Down arrows to search for the desired file type and select with the Space button. We press Enter.
In the bottom menu, go to the Search item.
We select the item FAT32. We press Enter. From all the options we choose Other since our flash drive has a FAT32 file system.
If you select FREE, then the search will be performed in an empty space and in this case only deleted files will be restored, and if you select WHOLE, then the search will be performed on the entire surface of the flash drive or disk.
Now we need to specify the directory where we will save the files we need. Select the desired folder and naturally press Enter.
Troubles happen more often than we would like. One of them is deleting a file with important data. Moreover, in Unix, it is believed that he goes into oblivion. Unfortunately, in fact, recovering deleted files in Unix is not as easy as it is in Windows with its usual recycle bin for deleted files and numerous utilities from third-party vendors (for example, Norton Utilities). This is due to the peculiarities of the architecture of file systems
Unix. Linux OS defines the concept of a file more broadly. A file is any object that has a name in the file system. One of these objects is the catalog. The directory stores both the file name and additional information about the file - its size, information about the owner of the file, location on disk, creation date, date of last modification, access rights and much more. Moreover, for efficiency, additional information is placed in a special structure, and only a link to this structure is left in the catalog. When a file is deleted, this additional information is not physically removed from the disk, but only marked as free corresponding blocks. Therefore, there is a potential possibility of recovering a deleted file while nothing has been written to its location. I will try to suggest an algorithm of actions when such a problem occurs.
Termination of further work.
Immediately after you realize that something terrible has happened, stop further work on the partition of the disk with the deleted file. Naturally, not only you should stop working, but also all other users who are logged in to the system. Make sure that no one else can log into the system while you are restoring the file (for example, using / etc / nologin). The main thing is to prevent other processes from overwriting disk blocks previously used by the deleted file. The likelihood of this increases significantly if the section is almost full.
Himself a necrophiliac.
Let's consider two recovery options. One is quite universal, applicable, most likely, in any Unix system. The second one is tailored for working with the Ext2 file system
Linux.
Recovering files with known content
* create a copy of the root section and place it in a file from the / export section. This section must have enough free space to contain the entire section on which the file was deleted
# df -k // export
File system Kbytes used avail capacity Mounted on
/ dev / dsk / c0t3d0s0 122070 19512 102558 16% /
/ dev / dsk / c1t0d0s0 17592638 14425963 3166675 82% / export
# dd if = / dev / dsk / c0t3d0s0 of = / export / recover.dsk
263077 + 0 records in
263077 + 0 records out
# ls -l
-rw-r-r-- 1 root other 134701056 Jul 1 16:54 recover.dsk
* run the cat command with the -n switch (output line numbers), the output of which is redirected to the fgrep utility, which, after searching for a given pattern, will cut off all unnecessary
# cat -n recover.dsk | fgrep "root: x: 0: 1"
200601 root: x: 0: 1: Super-User: /: / sbin / sh
202108 root: x: 0: 1: Super-User: /: / sbin / sh
strings may not be found either in the event of an error in specifying the template, or in the event of the loss of the contents of the deleted file, which could have been overwritten. In our case, as we can see, two versions of the file have been preserved.
* display a number of lines after the found one
# fgrep -A10 "root: x: 0: 1" recover.dsk> passwd
# cat passwd
root: x: 0: 1: Super-User: /: / sbin / sh
daemon: x: 1: 1 :: /:
bin: x: 2: 2 :: / usr / bin:
...
keys -A<число строк>and -B<число строк>The fgrep utilities allow you to display multiple lines after (after) and before (before) a matched line. If you can get your entire file in one step, then you're in great luck. Unfortunately, files are usually fragmented, and the larger the file size, the higher the chance of fragmentation and the larger the fragments themselves. Therefore, most likely, you will have to repeat the described procedure, using different templates and combining the resulting parts. It can be difficult to understand which version of the file saved on the disk is the last one. This is determined only by viewing the contents of the recovered file. This means that you have to restore all versions of the file. Quite tedious, but effective.
File Recovery in Linux Ext2
This method is used in case of deletion with the rm command or the unlink function and does not require knowledge of the contents of the deleted file when restoring. To work, we need the debugfs file system debugger, a fairly powerful utility that is usually used to check and change the file system and provides direct access to the file system. We need her three commands:
- lsdel - List all remote inodes on the given filesystem
- cat - view the content corresponding to the descriptor
- dump - file recovery
Run debugfs in the required section:
At the prompt, enter the lsdel command (a cup of coffee will not hurt, since the system will take time to view the entire section):
debugfs: lsdel
Inode Owner Mode Size Blocks Time deleted
723300 1000 100664 27018 2/7 Mon May 20 19:08:17 2002
723301 1000 100444 1671 1/7 Tue May 20 19:08:17 2002
. . . . . . . . . . . . . . . . . . . . . . . . . . . .
944887 1037 100600 597 1/1 Sun Jan 26 20:05:00 2003
717281 1000 100400 1 1/1 Sun Jan 26 20:05:13 2003
327101 1000 100644 15 1/1 Sun Jan 26 20:07:06 2003
Better to immediately redirect the output to a file by entering the command:
#echo lsdel | debugfs / dev / hda6> / tmp / lsdel-output
If there have been no operations with the section since the deletion, then the data we are interested in will be at the end of the list. Let's see the content corresponding to the last descriptor by typing the command:
debugfs: cat<327101>
my_very_important_data
The deleted file was found and contained a single line. The dump command repairs the file by writing it to disk as
my_recovered_file:
debugfs: dump -p<327101>/ tmp / my_recovered_file
the -p switch indicates that the file should remain the same owner, group and access rights.
Recovering a group of files in Linux Ext2
To restore a group of files, it is advisable to use the Tom Pike utility
... Installation is standard:
# tar zxf recover-1.3.tar.gz
# cd recover-1.3
# make
# make install
By default, the utility is installed under the / usr directory system. If you need to install it in a different location - read ReadMe. While recover is running, asking a few simple questions such as who owns the files, when these files were deleted, what is the approximate size of these files, runs debugfs, and recovers the inodes that match the specified criteria, placing them in a user-specified directory. Unfortunately, the filenames are not recoverable. The recovered files are named with the dump prefix followed by an inode number.
And what have we restored?
To identify recovered files, we use two utilities strings and file. The first one displays a sequence of ASCII characters by extracting it from the specified file, the second one finds out the type of the file (for example, whether it is an archive or, say, a file
PostScript).
Run the file utility:
# file *
dump39788: directory
dump98008: PGP armored text signed message
dump80154: gzip compressed data, deflated, last modified: Sun Jan 28 03:31:21 2001, os: Unix
dump73290: ASCII text
dump67095:? diff? output text
dump72945: JPEG file
dump9773: MPEG 1.0 layer 3 audio stream data, 128 kBit / s
dump8176: ASCII C program text
dump58764: Bourne shell script text executable
dump3223: troff or preprocessor input text
You can automate the process somewhat by using simple scripts like the following, which adds an extension to text files of C programs:
# for i in? file * | grep? ASCII C program text? | \ awk -F:? (print $ 1) ??;
do mv $ i $ i.c; done
After determining the file type, we will try to identify each file. For those that contain text, C code, sound or image, you can open the appropriate programs and try to guess the original name. Binary files, such as executables, libraries, or database files, are much more difficult to identify. And if executable files or libraries are easier not to identify, but simply to reinstall the missing ones, then you will have to tinker with the databases. In this case, you will need to use the strings utility, displaying all ASCII text strings in the file.
# strings dump44768
From the output, you can guess that this file is a database and open it with the appropriate program.
Conclusion
Remember, nothing replaces regular backups. And the application of the methods discussed in the article should be the exception rather than the rule. Believe me, it's a bit of a pleasure to descend into the abyss of nothingness.
Short description: This article shows you how to recover deleted files in Linux using command line tool Test Disk... It is an easy-to-use tool that almost anyone can use to recover lost files on Ubuntu or other Linux distributions.
Have you ever got this awful feeling? The one that you get when you realize that you've accidentally deleted files and it's not even in the trash? Often it is immediately preceded by a refusal: I know that I have another copy.
But don't go through all the stages of grief, don't worry. And remember that you are not alone; sooner or later everybody does it.
By the way, do you know? We have already written about this. You can go to the link above.
But after the phrase "Don't worry," you counter: "I just deleted the only copy of my resume!" and what to do?
No, don't worry all of your files in place... All that happened was that the file was knocked off the list. Until you do the installation of large programs and other files on the disk, it absolutely still exists. In fact, depending on the file size and free space on your disk, deleted files can persist indefinitely, even if you do overwriting and formatting on the disk. Recovering deleted Linux files can be done through the command line, we will tell you about this method.
How to recover deleted files in Linux
“Yes, okay,” you say, “I'll take it easy knowing that my file“ exists ”in some abstract sense. But as far as I'm concerned, if I can't open, edit, or print it, it doesn't exist in any practical sense. What would really help would be a way to recover those files that have been deleted from the disk. And one that doesn't require an IT expertise lab.
Actually, don't worry - you don't need a lab to recover deleted files. Plus, if you can get past the primitive GUI, it's actually easy to do! I will show you how to use TestDisk to recover deleted files.
How to recover deleted files in Linux using TestDisk
Let me give you a simplified example: I took a blank flash drive, added a few files, and then deleted one. Now my system has a function that will directly delete files from removable media, bypassing the "trash" altogether; that is, if I choose "right" click on the file and then choose "delete". It still presents a warning, but click Yes once and the file is gone forever. Or it looks like.
But this time I did not understand this terrible feeling. And no, not because this is a prepared script. I knew that all I had to do was open a terminal like " testdisk"And press" enter ". When I first did this, I had one of my "Linux moments". Because if you don't have it - and I don't… it tells you how to get it! Just enter “ sudo apt install testdisk”And press Enter and you will get it in about 10 seconds.
Step 1
Recovering deleted Linux files is very fast. First you need to install TestDisk. Most Linux distributions already have this tool in their official repository. On Ubuntu and other Ubuntu based Linux distributions like Linux Mint, Elementary OS, etc., you can use the below command to install TestDisk:
sudo apt install testdisk
Arch Linux users can install it from the AUR. You can download it for other Linux distributions from the link below:
Although I am using Ubuntu in this tutorial, this does not mean that only deleted files can be restored in Ubuntu Linux. The instructions provided here also work for other distributions.
Step 2
Start TestDisk in a terminal using the following command:
Step 3
When you open it, you will see something similar to this. Be patient! The interface is actually simple, but you need to read the text carefully. Use the arrow keys to navigate and "enter" to select.
The screens with additional commands will tell you about this. Also note that TestDisk 7.0 tends to highlight the next smart move. This is almost always correct, but read the screen as it cannot read your mind. Anyway, whenever he wants you to create a log file, indulge him. It's going to get you out of the hole.
Step 4
Now, at this point, if you're lucky, you should see your disk. And you can move on to the last steps. But let's assume you haven't, you have, say, a multi-boot machine. In this case, the owners may get blurry and Testdisk needs your permission to open them. You will see something like this:
Select "sudo" and enter your password. Press enter and enter again on the next screen to create another log file.
Step 5
This time Testdisk will list all of your disks. Arrow key to the appropriate drive and press enter.
Step 6
Testdisk chose the correct setting again. This makes sense because simple storage is rarely shared. Press enter again:
Step 7
We have gone through the main points when it comes to recovering deleted Linux files. Finally, we need to think a little. If you are reading the first screen, and I bet you didn't, this program is not only for recovering deleted files. It is a powerful disk utility. But if we remember that we are trying to make a choice, it is pretty obvious: we are not trying to fix the disk, we are trying to restore the file. Select "Advanced" and press "Enter".
Step 8
At the bottom of the page, select " Undelete»And get ready to see your file!
Step 9
Testdisk will check files and create a list of remote files allocated red color. Arrow down and read the options below carefully.
Step 10
Again, keep in mind that Testdisk is a multifunctional tool. Most of these options are for groups of files; we only want our deleted file to be returned! So press c.
As you can see on the scoreboard, we won 1-0. After pressing "c" there are options where you might want to restore the file, but the default is your home folder. Again, this is usually the best. Navigating Testdisk is a bit tricky, and dragging and dropping after the fact is a breeze.
That's all! Linux deleted file recovery is complete. Now you can find out about general tips for recovering files. There will be answers to many questions regarding this topic.
Some Tips to Recover Deleted Files in Linux with TestDisk
First, if you find yourself somewhere you don't want, press q to exit. This will not close the program, instead it will act like a back button in a full-blown GUI program and return the page to you. And just like repeating the back button will eventually lead you to the beginning.
Second, as in any case, the less distraction, the easier it is to find what you are looking for. In other words, physically disconnect all other drives. In graphically simple environments, simplicity is your friend.
Finally, Testdisk can also help you recover files that have become inaccessible for other reasons. In fact, this is why I started using the program in the first place. I was trying to save files from a damaged disk that couldn't be done to boot. It is usually just a matter of removing the said drive by plugging it into a USB adapter. Then you can connect it on another PC and copy the files whenever you want.
But what if disk formatted in LVM? This was my problem because the installed LVM drive doesn't look like a regular Linux OS. None of the regular files show up and hunting around just doesn't help. This is due, among other things, to the fact that most Linux file managers can no longer read ext.2 filesystems.
However, after a few false starts, i was able to find and save missing files. Note, however, that the sequence of steps will be slightly different here, you may need to use Testdisk "analysis" to understand the drive, and you may need to nudge a little to find the "home" folder once you do. Also, the files you are looking for will not appear in red as they were never deleted in the first place. But once you find them, the copying procedure is basically the same.
With Testdisk and a little bit of luck, you will never lose your files and videos again, as you can always recover deleted files in Linux.
This guide is a guide for those new to the world of distributions based on the well-known kernel. We hope that for you Recover Deleted Linux Files was fast.
conclusions
Recovering deleted Linux files is very fast and straightforward. Even a novice Linux user can figure it out with our guide. If the article was useful to you then share it on your pages on social networks Google+, Facebook, Twitter, VKontakte and Odnoklassniki. This will help us a lot. Let's develop our community together.
Also, if you still have questions on the topic "Recovering deleted Linux files" - write them in the comments form.
If you find an error, please select a piece of text and press Ctrl + Enter.
I will share a small find, a small program for recovering deleted files. Some time ago it was very necessary, but I did not find the Scalpel program, unfortunately. In my opinion, of all the methods I know of, this is one of the simplest. Scalpel emerged from the project.
And so dedicated to rm -rf lovers:
First and foremost, no one can guarantee that Scalpel will be able to recover your files, but chances are it will.
Installation (since Ubuntu is installed on the tested machine, I will talk about it):
sudo apt-get install scalpel
Before using Scalpel, let's edit the settings file:
sudo nano /etc/scalpel/scalpel.conf
In it, you need to specify the files of which type we will restore (by default, more than one type is not selected). I selected doc and pdf files for recovery:
…
doc y 10000000 \ xd0 \ xcf \ x11 \ xe0 \ xa1 \ xb1 \ x1a \ xe1 \ x00 \ x00 \ xd0 \ xcf \ x11 \ xe0 \ xa1 \ xb1 \ x1a \ xe1 \ x00 \ x00 NEXT
doc y 10000000 \ xd0 \ xcf \ x11 \ xe0 \ xa1 \ xb1
…
pdf y 5000000% PDF% EOF \ x0d REVERSE
pdf y 5000000% PDF% EOF \ x0a REVERSE
…
Now you can start recovery:
scalpel / dev / sda1 -o output
-o shows the directory where the recovered files will be stored, if the directory with the same name already exists (and is not empty) Scalpel will not start.
/ dev / sda1 - the actual volume that we will wool for lost files.
The list can be viewed using the mount command:
[email protected]: ~ $ mount
/ dev / sda1 on / type ext3 (rw, relatime, errors = remount-ro)
proc on / proc type proc (rw, noexec, nosuid, nodev)
/ sys on / sys type sysfs (rw, noexec, nosuid, nodev)
varrun on / var / run type tmpfs (rw, noexec, nosuid, nodev, mode = 0755)
udev on / dev type tmpfs (rw, mode = 0755)
devshm on / dev / shm type tmpfs (rw)
devpts on / dev / pts type devpts (rw, gid = 5, mode = 620)
lrm on /lib/modules/2.6.24-21-generic/volatile type tmpfs (rw)
/ dev / sda2 on / home type ext3 (rw, relatime)
After working out, go to the output directory and see what is there:
[email protected]: ~ / output $ ls -l
-rw-r - r-- 1 root root 28189 2009-03-24 14:42 audit.txt
drwxr-xr-x 2 root root 4096 2009-03-24 14:42 doc-3-0
drwxr-xr-x 2 root root 4096 2009-03-24 14:42 doc-3-1
drwxr-xr-x 2 root root 4096 2009-03-24 14:42 doc-3-2
drwxr-xr-x 2 root root 4096 2009-03-24 14:42 doc-4-0
…
drwxr-xr-x 2 root root 4096 2009-03-24 14:42 pdf-5-0
drwxr-xr-x 2 root root 4096 2009-03-24 14:42 pdf-6-0
…
The audit.txt file contains information about the recovery performed:
[email protected]: ~ / output $ cat audit.txtScalpel version 1.60 audit file
Started at Tue Mar 24 14:16:04 2009
Command line:
scalpel / dev / sda1 -o outputOutput directory: / home / username / output
Configuration file: /etc/scalpel/scalpel.confOpening target "/ dev / sda1"
The following files were carved:
File Start Chop Length Extracted From
00053045.doc 183664640 YES 10000000 sda1
00053046.doc 183971840 YES 10000000 sda1
…
00050372.doc 203272192 NO 208896 sda1
00050373.doc 203481088 NO 229376 sda1
…
Completed at Tue Mar 24 14:42:41 2009
We look into the subdirectories and see (if we're lucky) our files:
[email protected]: ~ / output / doc-3–0 $ ls -l
total 25564
-rw-r - r-- 1 root root 307200 2009–03–24 14:42 00050348.doc
-rw-r - r-- 1 root root 40960 2009–03–24 14:42 00050349.doc
-rw-r - r-- 1 root root 4354 2009-03-24 14:42 00050350.doc
-rw-r - r-- 1 root root 466686 2009–03–24 14:42 00050351.doc
-rw-r - r-- 1 root root 176128 2009–03–24 14:42 00050352.doc
…
Source - HowtoForge (free translation).
I will add from myself Scalpel has not restored everything, of course. But a lot, I even forgot about some files already. It works very slowly, it eats almost the entire processor during operation.
Scalpel can work with FAT, NTFS, ext 2/3 file systems, that is, you can recover data from win-partitions.
And finally, the best way to recover very important files is:
1. Make backups.
2. It is very good to think before deleting.
Happy data recovery!