4 Ways to Recover a Deleted File in Linux

By On Tuesday, November 06, 2018
A big white color delete buttonNo matter which operating system you're using, file deletion is one of the most common activities done on a daily basis. And sometimes, we delete an important file—inadvertently. Fortunately, there are several ways to recover a deleted file. We going to learn about the same, but specifically for the Linux platform. Almost all of the available solutions mentioned below work directly from the command line. I'll advise to once test these file recovery options through dummy file deletion events. Remember, these utilities will only work if you're triggering the file recovery process, as soon as possible. The more time passes by, the more is the chance that the content of the deleted file gets overwritten by a new file. The best possible scenario is when you never need the file recovering commands. And, for that, you need to delete files in a responsible way. All the file recovery utilities mentioned here are tested on a Ubuntu machine. They should work seamlessly on other distributions as well. Let's recover our deleted files.

A big white color delete button If you're a new Linux user, make sure you're comfortable with the shell environment and the basic day-to-day commands. Experienced users can straight away start testing the file recovery commands.

Read Also:
Beginners Guide to Understanding Linux Files and Directories

If you're using a Windows system, use a Linux virtual machine to test and learn these file recovery options. Let's get started.

#1 foremost command - The very first utility in this list is the foremost command which is quite powerful and easy-to-use. On a Ubuntu machine, use the following command to install it—easily.

sudo apt install foremost
This utility can recover a wide range of file formats. If the type of file to be recovered is not specified explicitly, all the supported file formats are taken into consideration during the recovery process.

Let's say you have a video file demo.mp4 that was earlier deleted through the regular rm command.
First, you need to find the mount device file (partition) where the file resides. You can use the mount command or the df -h command for the same.

Now, you can use the following command to recover the file.

foremost -t mp4 -i /dev/sda2
Here, /dev/sda2 is the partition where the deleted file resides. Once the file recovery process is completed, you can find the recovered file within the directory named output created right within the current directory where the recovery command was fired.

In case, the output directory already exists, the command given above will not work. There are two solutions to this simple problem. The first solution involves timestamping the output directory using the -T switch. Here's the modified command for the same.

foremost -t mp4 -i /dev/sda2 -T
The second solution is where you manually specify the directory where the recovered files should be written or stored. To do so, we'll use the -o switch. Here's how to do it.

foremost -t mp4 -i /dev/sda2 -o ./recovered_files
The command given above uses the directory recovered_files to store the recovered files. You're free to use your preferred name for this directory. The trick to successfully use this command is to correctly specify the disk partition where the deleted file resides.

#2 testdisk command - The next one is the testdisk utility which can be used to recover different types of deleted files. To install it on Ubuntu, use the following command.

sudo apt install testdisk
Once installed, invoke it with root privilege using the sudo testdisk command. It'll ensure that all the attached hard drives and their partitions are available within the utility's interface.

Test disk utility log file creation command On the very first screen, select the [ Create ] option to kick start the recovery process. Upon selecting this option, the next screen will show you the attached hard drives.

Linux hard drive device files Select the one where your deleted files reside and go ahead with the [Proceed ] option. The next screen may or may not display the selected drive partitions. If it is so, select the right partition and again use the [Proceed ] option.

Linux partition tables for a hard drive Here you'll get the partition table map. Select the one that leads to the right partition. In most cases, it is the [None ] entry in that list. But you can go back and forth to check the right path.

Advanced file system utilities for Linux The next screen offers several disk management options to choose from. Here you'll go ahead with the file system utilities accessible through the [ Advanced ] option.

The next screen may show you the recoverable partition for which you should select the [Undelete] option. Or, you may directly get the following screen.

Linux files and directory listing On this screen, the entries with the red color are the ones that are deleted. Scroll up or down and select the red entry you want to recover. Use the c option to start the recovery process. By default, the recovered file is written to the home directory of the user.

#3 ext4magic command - Another handy file recovery utility is the ext4magic command. You can install it through the following command.

sudo apt install ext4magic
Following are some of the important points you need to be aware of before using this command.
  • For the best possible results, unmount the filesystem (though not mandatory) from where the deleted file needs to be recovered.
  • By default, this command recovers the files deleted in the last 24 hours. For a specific time-frame, one needs to explicitly mention it during the command execution.
  • If you're not specifying the directory where the recovered data should be written, the command—by default—writes the recovered files to the RECOVERDIR directory.
  • A list of the file names to be recovered can be provided in the form of a single text file where each file name is on a new line and is surrounded by double quotes.
Let's see some of the recovery commands one can use on their Linux systems.

ext4magic /dev/sda1 -r -f rajeevedmonds/scripts/purge_cache.sh -d /confidential
Here, /dev/sda1 is the disk partition where the deleted file exists. The file purge_cache.sh is the deleted shell script that'll be recovered.

The command will prepend /home/ to the provided file path. So, rajeevedmonds is essentially the username followed by the subdirectory name. We've also provided the directory name /confidential where recovered file will be written.

Let's take a look at another file recovery attempt.

ext4magic /dev/sda2 -r -f rajeevedmonds/resume.txt -a $(date -d "-6 day" +%s) -b  $(date  -d "-5 day" +%s)
This command recovers the deleted file resume.txt residing on /dev/sda2 partition. Because we've not explicitly mentioned the directory name, the recovered file will go to the ./RECOVERDIR directory.

You may also note that we've used two dates in the command using two -a and -b switches. These dates inform the recovery command that the file was deleted 5 to 6 days back.

#4 scalpel command - File recovery is quite easy with the scalpel command. Once again, use the following simple command to install it on a Ubuntu machine.

sudo apt install scalpel
After installation, you need to edit the scalpel.conf configuration file. This file usually resides either in the /etc/scalpel/ directory or in the /etc/ directory.

Let's say we want to recover a PNG image file.

Configuration file for the scalpel command Open the scalpel.conf configuration file and uncomment the line (see image above) having the PNG file extension. If you're trying to recover another file type, uncomment the relevant line.

Save the file and use the command in the following way to recover the file.

scalpel /dev/sda3 -o recovered
Here, /dev/sda3 is the disk partition where the deleted PNG file exists and recovered is the target directory where the recovered file will be written. The recovery directory is always created in the current directory from where the command was initiated.