161

Are there any tools, methods, incantations to recover recently deleted files on Ubuntu?

If it makes any difference, I want to recover a Keepass 2.x database file. But would be better to have a method/tool that works on any kind of file.

Braiam
Decio Lira

12 Answers

90

TestDisk / PhotoRec

TestDisk can sometimes recover recently deleted files using PhotoRec, which is part of TestDisk. It is available in the official repo, and a newer version is on their site.

TestDisk is powerful free data recovery software! It was primarily designed to help recover lost partitions and/or make non-booting disks bootable again when these symptoms are caused by faulty software: certain types of viruses or human error (such as accidentally deleting a Partition Table). Partition table recovery using TestDisk is really easy.

PhotoRec is part of TestDisk, and is a file data recovery software designed to recover lost files including video, documents and archives from hard disks, CD-ROMs, and lost pictures (thus the Photo Recovery name) from digital camera memory. PhotoRec ignores the file system and goes after the underlying data, so it will still work even if your media's file system has been severely damaged or reformatted.

Nav
vh1
  • 5
    May be important to someone to know that specific for camera's cards, on TestDisk exists PhotoRec – Saic Siquot Oct 07 '15 at 19:34
  • 2
    At this moment, TestDisk does not have a graphical user interface and the help (man) pages are not enough informative for me. – silviubogan Dec 04 '15 at 14:52
  • 5
    PhotoRec (http://www.cgsecurity.org/wiki/PhotoRec) worked great for me to recover accidentally deleted files (on Ubuntu 14.04 with ext4). I first tried with TestDisk but it wasn't able to recover them. Anyway, I found both tools crafted in the same folder. – Andrea Jan 14 '16 at 14:00
  • 3
    @silviubogan actually TestDisk has a pretty good Textual User Interface with menus and explanations along the way. All actions have an associated key to perform them and they are clearly written on every screen for easier access. – Andrea Lazzarotto Jun 24 '16 at 12:30
  • Photorec just does not keep the file structure, which seems an important feature to me. I guess that R-Linux will do that, but untested. I just know it from R-Undelete, which is the smaller brother of R-Studio, which is of the same rtt family. – questionto42 Dec 21 '20 at 17:01
  • @Andrea Yes, photorec is part of the testdisk installation, see this tutorial: After sudo apt -y install testdisk you can directly execute sudo photorec. – questionto42 Dec 21 '20 at 17:47
  • Very important when using PhotoRec I highly advise to go in the configuration and check the recover corrupted files option. Although the videos were corrupted I was able to restore them using another tool. – Jan Moritz Feb 11 '21 at 20:22
  • At least for recovered pictures you can restore their filenames using the date and time properties within their EXIF data (if present). I've explained how to do it here. – Tymek Feb 05 '22 at 23:51
  • From an SD card with videos recorded by a Canon EOS camera, I got (small) MP4 and (large) MOV files. A plain cat f123.mp4 f456.mov > video.mp4 gave back a functional file! After figuring out which pair went together, of course ... – Raphael Feb 22 '23 at 22:47
31

If you deleted some file by accident but still know some strings which were written in that file you can use:

    grep -a -B 25 -A 100 'containing string' /dev/sda1 > result.txt

  • 1
    what if the file is binary and not text? – Decio Lira Sep 09 '10 at 12:11
  • 1
    Assuming it was text, how can he recover the file with result.txt? I'm not getting it.. – sergio91pt Jul 02 '11 at 11:40
  • 4
    I tried several other prior answers. None of them worked. This simple trick did! Thanks! – JamesThomasMoon Jul 15 '15 at 17:41
  • 1
    It really worked, awesome stuff. Thanks a lot. – Snehal Parmar Nov 24 '15 at 09:13
  • 6
    It should be noted that 25 and 100 are just some magic numbers that probably need to be tweaked for the specific case. – Andrea Lazzarotto Jun 24 '16 at 12:32
  • I'm getting a Unable to open file /home/deletedFolder' extundelete: Operation not permitted when trying to examine filesystem error – virtualxtc Jun 27 '18 at 01:03
  • 1
    Worked for me too. Recovered a .js file. Thank you! It would be nice though to have an explanation)). – takeshi Aug 07 '18 at 08:21
  • 1
    man grep to see what options like -a, -A, and -B means – igorkf May 04 '20 at 01:49
  • 1
    Wauw, thx for saving me a lot of time restoring my large local dev view shortcut file that i stupidly git cleaned away!!! :) – Rune Kaagaard May 28 '21 at 14:51
  • 1
    Amazing command, this solved my issue. – Ahmed Sayed Sk Aug 17 '21 at 01:02
  • 3
    Worked out of the box without installing anything else. But watch out - /dev/sda1 needs of course to be the right hard disk (check e.g. with df -h). Also you better want to save result.txt onto another hard drive, not overwrite the data currently being recovered.

    In a nutshell: only the pointer to the data is lost, the data is still on the hard disk until it is overwritten. This grep command basically reads from the hard disk /dev/sda1, treats the binary input as string (-a), starts 25 lines before (-B) the matching string, and keeps 100 lines after (-A)

    – Max Jul 09 '22 at 01:47
  • Is this supposed to result in this type of output? How to read this text? If this says anything if file found or not!

    OPTION NV_bindless_texture; PARAM c[3] = { program.local[0..2] }; ATTRIB fragment_position = fragment.position; ATTRIB fragment_attrib[] = { fragment.attrib[0..0] }; TEMP R0, R1; LONG TEMP D0; TEMP T; OUTPUT result_color0 = result.color; MAD.F R0.y, fragment.position, c[0], c[0].x; MOV.F R0.x, fragment.position; ADD.F R0.xy, R0, -c[1]; MUL.F R0.zw, R0.xyxy, c[1]; DP2.F R1.x, R0.zwzw, R0.zwzw; DP2.F R0.x, R0.zwzw, R0; MUL.F R1.x, R1, {4, 0, 0, 0}; MAX. ...

    – Satya Prakash Sep 11 '22 at 12:04
  • Actually, the output file is very big. I am expecting a document file or pdf if I have converted to a pdf using Openoffice. result.txt file came 84 MB which default Ubuntu text doc could not open. Openoffice says it is corrupt. Only Leafpad opened with few lines like that. – Satya Prakash Sep 11 '22 at 16:22
  • This saved my ass! Was able to recover my deleted thesis code. Can't thank you enough! – ma08 Oct 14 '22 at 12:12
  • Great! Thanks, Man. – ayandebnath Nov 06 '22 at 16:04
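
Added example, not part of any answer or comment above: the grep approach needs a remembered text string, so for a binary file such as the KeePass 2.x database from the question, the same raw-read idea can search for the format's fixed header bytes instead. This Python script assumes you work on an image file of the partition (for instance one made with dd); the function names, the 512-byte alignment filter and the sample image are constructed for illustration.

```python
import os
import tempfile

# KeePass 2.x (KDBX) files begin with two little-endian 32-bit signatures,
# 0x9AA2D903 then 0xB54BFB67, i.e. these eight bytes on disk.
KDBX_MAGIC = bytes.fromhex("03d9a29a67fb4bb5")


def find_signatures(image_path, magic=KDBX_MAGIC, align=512, chunk=1 << 20):
    """Return offsets where `magic` starts on an `align`-byte boundary.

    File data normally begins on a filesystem block boundary, so the
    alignment filter drops hits that are the same bytes inside other data.
    """
    offsets, base, tail = [], 0, b""
    with open(image_path, "rb") as img:
        while True:
            data = img.read(chunk)
            if not data:
                break
            buf = tail + data                # overlap so a split match is seen
            start = base - len(tail)         # absolute offset of buf[0]
            pos = buf.find(magic)
            while pos != -1:
                if (start + pos) % align == 0:
                    offsets.append(start + pos)
                pos = buf.find(magic, pos + 1)
            tail = buf[-(len(magic) - 1):]
            base += len(data)
    return offsets


def carve(image_path, offset, max_size, out_path):
    """Copy up to max_size bytes from offset into out_path; return bytes written.

    The real length of the deleted file is unknown and its blocks may be
    fragmented, so the output is only a candidate to test.
    """
    with open(image_path, "rb") as img, open(out_path, "wb") as out:
        img.seek(offset)
        data = img.read(max_size)
        out.write(data)
    return len(data)


def build_demo_image(path):
    """Constructed sample image: filler, one aligned and one unaligned hit."""
    image = bytearray(b"\xaa" * 16384)
    image[4096:4104] = KDBX_MAGIC            # block-aligned: plausible file start
    image[9001:9009] = KDBX_MAGIC            # unaligned decoy
    with open(path, "wb") as f:
        f.write(image)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        img = os.path.join(tmp, "disk.img")  # stand-in for an image made with dd
        build_demo_image(img)
        for off in find_signatures(img):
            out = os.path.join(tmp, f"candidate_{off}.kdbx")
            print(off, carve(img, off, 4096, out), out)
```

Write the carved candidates to a different disk than the one being recovered, as the comments above advise for result.txt.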
29

I have used foremost to recover damaged hard disks under NTFS (Windows), FAT32 (flash card from a Nokia phone), and ext3, with great results. It is command-line only, but it's quite easy, something like this:

    sudo foremost -i /dev/sda -o <dir where recovered files will be stored>

It will order the recovered files into folders by file type. OpenOffice docs are recovered as zip files. As you need to execute it as root (in order to directly access the hardware), output files are also owned by root, so you will likely need to change their ownership afterward.

Javier Rivera
  • This is probably too old question but, how does GIMP files look like after recovery? – wakeup Oct 03 '13 at 21:04
  • I don't know, I have never tried to recover them. – Javier Rivera Oct 04 '13 at 06:28
  • 1
    @JavierRivera - I do not believe that foremost can recover .xcf files. See the man page it can only deal with these file types: (jpg, gif, png, bmp, avi, exe, mpg, mp4, wav, riff, wmv, mov, pdf, ole, doc, zip, rar, htm, and cpp). – slm Mar 31 '14 at 00:48
  • already running...let me wait for results. Will share. – Patrick Mutwiri Apr 15 '16 at 05:09
  • how much time does it take to finish?? for a 32GB usb memory – 842Mono Mar 23 '17 at 23:17
  • any suggestions for script recovery, for example Python script files (.py), MATLAB (.m) and LaTeX (.tex)? How do I go about this? – guthik Sep 21 '21 at 09:18
  • excuse me i have files with extension .xtc and .tpr and .trr does this command can retrieve them – sam May 13 '22 at 02:07
27

extundelete is really great if your file system is ext3 or ext4.

Note: extundelete requires you to unmount your drive to work properly (this is a good idea to do ASAP anyway, to avoid potentially overwriting the hopefully-recoverable bytes in the deleted files).

Unmounting the drive on a live system can be tricky... you'll often get the 'device is busy' message. To clear this 'properly' requires shutting down all processes accessing the file system. But... you were likely working in your home directory, and a zillion processes are hooked into your home directory, so good luck with that.

The trick to getting around this is to do a 'lazy' unmount:

    $ mount
    /dev/sda7 on /home type ext4 (rw)
    $ sudo umount -l /home

where:

  • that example is for me prepping my /home mount for use with extundelete. You obviously need to replace /home with your mount of interest
  • I did the mount command first to figure out what device (/dev/sda7) I need to pass to extundelete (output is truncated for brevity)
  • that is a lower case L in the -l option
Russ
  • 4
    A lazy unmount doesn't really help since the fs remains mounted until all files on it are closed. You just need to shut down the system as soon as you delete the files, and run extundelete from a livecd. – psusi Jul 07 '11 at 01:52
  • @psusi - It is absolutely untrue to say that it doesn't help!! umount -l prevents any new files from being opened/created and written (web caches and such). However, it does not prevent existing opened files from still being written to (ie: it does not close existing files). You suggest shutting down, but I think a lazy unmount will (most of the time) result in less written files, depending on the partition in question. On that note, it is best to have extundelete installed already, and if not, make sure to install it to some partition other than the one you are trying to recover! – Russ Jul 11 '11 at 15:30
  • As long as the fs is still mounted, attempting to access it will result in corruption. That is the reason that extundelete requires you unmount the fs in the first place. The lazy unmount simply fools it into thinking it is not mounted, and therefore, that it is safe to proceed with manipulating the disk, when that is not true. Proceeding with extundelete before the fs is actually dismounted can hose the whole disk. – psusi Jul 11 '11 at 18:15
  • 1
    @psusi - "can hose the whole disk"??! With a read-only operation? I don't get your argument, or what has you so paranoid. extundelete does not "manipulate the disk". The worst possible thing I can imagine happening is that extundelete expects an unmounted/static partition and if, while reading the journal info, the lazily unmounted disk changes due to processes that had files open, extundelete may get confused and the recovery may fail. "possibly failed recovery" != "hosed disk". If it does fail, shut down, pray shutdown doesn't trash your lost data, and use a livecd as you suggest. – Russ Jul 12 '11 at 16:55
  • undeleting something involves writing to the disk. There is a reason that the authors of the program tell you to unmount the disk. I'm not pulling that out of thin air. I'm simply pointing out that a lazy unmount only fools the program into thinking it has been unmounted when it really hasn't. – psusi Jul 12 '11 at 17:12
  • any suggestions for script recovery, for example Python script files (.py), MATLAB (.m) and LaTeX (.tex)? How do I go about this? – guthik Sep 21 '21 at 09:19
15

R-Linux (Recovery studio) is one of the best. I have used this tool many times before. I worked at a company where they used the commercial version; 9/10 times it recovers everything you want. Truly superb application. It has saved my and my friends' behinds many times before.

R-Linux is a free file recovery utility for the Ext2/Ext3/Ext4 FS file system used in the Linux OS and several Unixes. R-Linux uses the same IntelligentScan technology as R-Studio, and flexible parameter settings to provide the fastest and most reliable file recovery for the Linux platform. However, unlike R-Studio, R-Linux cannot recover data over a network or reconstruct RAIDs, or provide object copy.

Features (from their website):

R-Linux recovers files:

  • Removed by virus attack, power failure, or system crash;
  • After the partition with the files was reformatted, damaged, or deleted;
  • When the partition structure on a disk was changed or damaged. In this case, R-Linux can scan the disk trying to find previously existing partitions and restore files from found partitions.
  • From disks with bad sectors. In this case, R-Linux can first copy the entire disk or its part into an image file and then process the image file. This is especially useful when new bad sectors are constantly appearing on the disk, and the remaining information must be immediately saved.

R-Linux Advanced features:

  • Standard "Windows Explorer" - style interface.

  • Host OS:

    • Linux variant: Linux, kernel 2.6 and above
    • Windows variant: Win2000, XP, 2003, Vista, Windows 7, Windows 8
  • Supported file systems: Ext2/Ext3/Ext4 FS (Linux) only.

  • Recognition and parsing Dynamic (Windows 2000/XP/Vista/Win7), Basic, GPT, and BSD (UNIX) partitions layout schema and Apple partition map. Dynamic partitions over GPT are supported as well as dynamic partitions over MBR.

  • Creates image files for an entire hard drive, logical disk, or its part. Such image files can be processed like regular disks. Images can be either simple exact object copies (Plain images) compatible with the old versions of R-Linux, or compressed images that can be compressed, split into several parts, and password-protected. Such images are fully compatible with the images created by R-Drive Image, but incompatible with the old versions of R-Linux.

  • Recognizes localized names.

  • Recovered files can be saved on any (including network) disks accessible by the host operating system.

blade19899
  • 1
    I didn't expect this to be free for Linux. I already know R-Studio and it is a fabulous software. Great that it's free for Linux filesystems. – 0x01 Jun 12 '18 at 15:37
  • 1
    This tool is only free for recovering files less than 256kb – Tik0 Aug 16 '18 at 08:38
  • @Tik0 Is this restriction still there? I could not find this with a quick search. – questionto42 Dec 21 '20 at 16:59
14

To recover the directory you can use extundelete

  1. Install extundelete

    sudo apt-get install extundelete
    
  2. Command to recover

    sudo extundelete --restore-directory /home/Documents/ /dev/sda1
    

Note: In place of /dev/sda1 put your hard disk partition name.

/home/Documents/ is the path to your deleted directory.

Aatish Sai
  • 1
    I used autopsy to find the inodes I needed and then extundelete to restore them. Worked well! – Raphael Dec 07 '14 at 13:05
  • My results looks .....~/Books$ sudo extundelete --restore-directory /home/newubuntu/Books/LaTeX /dev/sda2 WARNING: Extended attributes are not restored. Loading filesystem metadata ... 522 groups loaded. Loading journal descriptors ... 32242 descriptors loaded. Writing output to directory RECOVERED_FILES/ Failed to restore file /home/newubuntu/Books/LaTeX Could not find correct inode number past inode 2621441. – alhelal May 03 '17 at 02:51
  • I want to send confirmation in the command. How? – alhelal May 08 '18 at 14:01
  • sudo extundelete -y --restore-directory /home/Documents/ /dev/sda1 like this. – alhelal May 08 '18 at 14:02
  • When I run that command to undelete a directory, I get the message --> extundelete: Bad magic number in super-block when trying to open filesystem /dev/sda1 – P Simdars Sep 24 '23 at 18:53
6

Try Scalpel

    sudo apt-get install scalpel

for more info

    man scalpel

Jorge Castro
Rojan
  • trying it now. I don't quite understand how to add new files to the conf file. Do you have any source with details? – Decio Lira Sep 09 '10 at 02:30
  • 2
    I found http://www.howtoforge.com/recover-deleted-files-with-scalpel which is better than nothing. Good luck, this ain't no MS-DOS. – msw Sep 09 '10 at 02:58
  • see also http://ubuntu.stackexchange.com/questions/2596/comparison-of-ubuntu-backup-tools I use a relatively heavy system backup, but have "Back in Time" set up to dup selected directories from /home/msw (including .config which also catches .config/keepassx/* (your locations may vary)) to a spare partition nightly. I've also been using Unix since forever and you usually become pretty careful after the second time you blow away the-really-critical.file ;) – msw Sep 09 '10 at 03:06
  • 1
    Scalpel seems to be doing the same as foremost but while scalpel is no longer developed since 10 years, foremost got many updates in recent years. – sebix Aug 01 '15 at 18:41
  • Tried to use scalpel. Could not even run it on my .dsk image with ext4. Got a bunch of segmentation faults and uninstalled it. – Norbert May 27 '23 at 11:22
6

If using a secondary internal HD (I suspect the same for an external HD) for recovered file import (from the main HD, where the files originally were), it's necessary to make a directory on the secondary HD into which the files will be put. To do it, you need to have the BIOS set to boot from CD first!

  1. Start the Live Ubuntu Rescue-Remix CD and give the command to boot. When it boots into a terminal, check your HDs with the command:

    sudo fdisk -l

Realize which HD is main and which is secondary, what partition to check for files, and into which to recover them: Linux ext3 or Windows NTFS! Mine was Linux. Have enough room on it! (Then you can try to run Photorec ("sudo photorec") and hopefully you'll be able to see all your HDs. I was not that lucky, so I had to make a directory and mount the secondary HD.)

  2. Make a directory for recovered files first, e.g. /media/disk. Give the command:

    sudo mkdir /media/disk

If alright, the terminal prompt simply returns.

  3. You must mount the secondary HD, or it'll be invisible, even if "sudo fdisk -l" does show it. Give the command for your secondary HD:

    sudo mount -t ext3 /dev/sdb2 /media/disk

If alright, the terminal prompt simply returns.

  4. Run Photorec with the command:

    sudo photorec

Go through the settings, and only choose the file types that you want, otherwise you'll have thousands of files to sift through!

For more details you may visit: http://www.ubuntumanual.org/posts/357/recover-your-deleted-files-in-ubuntu

blade19899
5

Autopsy and the Sleuthkit tools are great for recovering deleted files, with a user-friendly UI, as well as being available in the repos:

    sudo apt install autopsy

Pablo Bianchi
nathwill
3

Install scalpel

    sudo apt-get install scalpel

Edit the scalpel.conf file and uncomment the file types you want to recover. Create an empty folder (e.g. recovered_data). Find the partition your data was on. You can use lsblk to get the partition map.

    sudo lsblk

Run scalpel (assuming the data was on sda1)

    sudo scalpel -o recovered_data/ /dev/sda1

Kasun
1

The Sleuth Kit article on Wikipedia (https://en.wikipedia.org/wiki/The_Sleuth_Kit) points to GUI tools as well.

waltinator
1

Recently I used ext3grep to recover a large SQLite 3 file that was deleted from an ext3 file system.

I had tried many other undelete tools, all of which couldn't recover the file (from a dd image of the disk).

In order to use ext3grep, I needed to download and compile the source. Carefully reading http://www.xs4all.nl/~carlo17/howto/undelete_ext3.html from top to bottom in order to understand how the ext3 file system works and how to use the journal to find where deleted files used to be on the disk was also required.

This is not a simple solution, but very, very powerful. If you're prepared to invest a few hours to study the document and compile the program, it's well worth it.