How to recover deleted files?

data-recovery

TestDisk / PhotoRec

TestDisk can sometimes recover recently deleted files using PhotoRec, which is part of TestDisk. Available on official repo and newer version on their site.

TestDisk is powerful free data recovery software! It was primarily designed to help recover lost partitions and/or make non-booting disks bootable again when these symptoms are caused by faulty software: certain types of viruses or human error (such as accidentally deleting a Partition Table). Partition table recovery using TestDisk is really easy.

PhotoRec is part of TestDisk, and is a file data recovery software designed to recover lost files including video, documents and archives from hard disks, CD-ROMs, and lost pictures (thus the Photo Recovery name) from digital camera memory. PhotoRec ignores the file system and goes after the underlying data, so it will still work even if your media's file system has been severely damaged or reformatted.


I have used foremost to recover damaged hard disk both under NTFS (windows), FAT32 (Flashcard from a Nokia phone), and ext3 with great results. Command-line only, but quite it's easy, something like this:

sudo foremost -i /dev/sda -o <dir where recovered files will be stored>

It will order the recovered files on folders by file-type. Openoffice docs are recovered as zip files. As you need to execute it as root (in order to directly access the hardware), output files are also owned by root, so you will likely need to change their ownership afterward.


extundelete is really great if your file system is ext3 or ext4.

Note: extundelete requires you to unmount your drive to work properly (this is a good idea to do ASAP anyway, to avoid potentially overwriting the hopefully-recoverable bytes in the deleted files).

Unmounting the drive on a live system can be tricky... you'll often get the 'device is busy' message. To clear this 'properly' requires shutting down all processes accessing the file system. But... you were likely working in your home directory, and a zillion processes are hooked into your home directory, so good luck with that.

The trick to getting around this is to do a 'lazy' unmount:

$ mount
/dev/sda7 on /home type ext4 (rw)
$ sudo umount -l /home

where:

  • that example is for me prepping my /home mount for use with extundelete. You obviously need to replace /home with your mount of interest
  • I did the mount command first to figure out what device (/dev/sda7) I need to pass to extundelete (output is truncated for brevity)
  • that is a lower case L in the -l option

Related

How to roll back Ubuntu to a previous version?
What's a good back-up strategy for 1 desktop PC?
What is the correct way to install proprietary ATI Catalyst Video Drivers (fglrx) directly from AMD?
What are the differences between 32-bit and 64-bit, and which should I choose?
Are PPAs safe to add to my system and what are some "red flags" to watch out for?
How do I install applications in Ubuntu?
How to disable the "Get Windows 10" icon shown in the notification area (tray)?
Why does my computer beep when I turn it on? What are these beep codes?
Why is my USB drive showing corrupted data when plugged as an internal SATA drive?
Is there way to enable more than 4 GB RAM in 32-bit Windows OS?
Is it possible to use the IE10 App without making Internet Explorer the default browser?
Assign a shortcut to running a script in OS X