How To Recover Deleted Files on Linux
I was working on a Linux shell script yesterday, and did an accidental "rm *" in the directory containing the scripts I was writing (I had been doing "rm *" in an output directory to clear out test results).
I wasn't too worried, because I know that "rm" doesn't actually purge files from the hard drive, but rather just marks the space available for use. In other words, when you delete a file in Linux, the file doesn't get "deleted" so much as "forgotten", so some other application can use the space. I checked my hard drive contents (cat /dev/sda4 | grep -a) and sure enough, my data was there. Somewhere.
Ubuntu has several packages available for file recovery. I grabbed the first one from Synaptic that looked plausible: Magic Rescue.
Magic Rescue works off of recipes. A recipe tells Magic Rescue how to determine that a random string of data on the hard drive is actually that precious file you're looking for, by describing what the first line of your file looks like. You can recover anything: jpgs, gifs, zip files, etc.
Fortunately for me, Magic Rescue comes with some template recipes (/usr/share/magicrescue/recipes). Since I needed to recover a file with the extension "ksh", I just copied the template perl recipe modified it. Running it is as easy as:
#sudo magicrescue -r ksh -d /tmp/output /dev/sda4
which says: run magic rescue, using the "ksh" file type recipe, put whatever you find into the directory /tmp/output, and run it against the volume /dev/sda4.
Sure enough, 30 seconds later I had my files back!
Side notes:
- If you want to really delete a file in Linux, you need to shred it. See "man shred".
- If you want to really really delete a file so you're 100% sure no one can ever retrieve it, I suggest taking your hard drive apart and taking sand paper to it. Reliable sources tell me there are tools out there that can recover files even after random data has been written to the hard drive multiple times.
I wasn't too worried, because I know that "rm" doesn't actually purge files from the hard drive, but rather just marks the space available for use. In other words, when you delete a file in Linux, the file doesn't get "deleted" so much as "forgotten", so some other application can use the space. I checked my hard drive contents (cat /dev/sda4 | grep -a) and sure enough, my data was there. Somewhere.
Ubuntu has several packages available for file recovery. I grabbed the first one from Synaptic that looked plausible: Magic Rescue.
Magic Rescue works off of recipes. A recipe tells Magic Rescue how to determine that a random string of data on the hard drive is actually that precious file you're looking for, by describing what the first line of your file looks like. You can recover anything: jpgs, gifs, zip files, etc.
Fortunately for me, Magic Rescue comes with some template recipes (/usr/share/magicrescue/recipes). Since I needed to recover a file with the extension "ksh", I just copied the template perl recipe modified it. Running it is as easy as:
#sudo magicrescue -r ksh -d /tmp/output /dev/sda4
which says: run magic rescue, using the "ksh" file type recipe, put whatever you find into the directory /tmp/output, and run it against the volume /dev/sda4.
Sure enough, 30 seconds later I had my files back!
Side notes:
- If you want to really delete a file in Linux, you need to shred it. See "man shred".
- If you want to really really delete a file so you're 100% sure no one can ever retrieve it, I suggest taking your hard drive apart and taking sand paper to it. Reliable sources tell me there are tools out there that can recover files even after random data has been written to the hard drive multiple times.
Categories
How To , Technology0 TrackBacks
Listed below are links to blogs that reference this entry: How To Recover Deleted Files on Linux.
TrackBack URL for this entry: http://www.rootsilver.com/mt-tb.cgi/38
Leave a comment