Have you accidentally deleted an important file because you are in the habit of using “Shift+Del” rather than plain Delete? Well, don’t panic. There are many utilities in Ubuntu and other Linux distributions that help you recover so-called “permanently deleted” files. Let’s look at a few good tools that help you recover deleted data in Ubuntu.
Before checking out the tools, allow me to bore you with the theory behind deleting a file.
When you delete a file permanently (accidentally or intentionally), it is not actually removed from your hard disk. Its data stays in the blocks of the storage device it occupied, and continues to exist there until those blocks are overwritten by newer files.
You should never recover a file from a device while it is mounted, because anything written to a mounted filesystem can overwrite the very blocks you are trying to recover. Always run the recovery from a Live CD and point the file search at the device, which in my case is /dev/sda1. If you don’t understand the condition above, just forget about it. I am not going to bore you with the theory part anymore. Let’s take a look at the utilities:
Scalpel : It is a file system independent recovery tool. It is available for Linux and Mac OS, but you can also run it on Windows by compiling it with MinGW. The latest version of Scalpel is 2.0. It is the simplest utility of all. You can install it in Ubuntu by typing
sudo apt-get install scalpel
After installing it you need to do some text editing. Scalpel keeps its configuration file in the /etc directory, at /etc/scalpel/scalpel.conf. When you view it (using gedit/nano/cat) you will notice that everything in it is commented out. Uncomment the file formats you want to recover. For example, in my case I want to recover a .zip file, so I uncomment the .zip section in scalpel.conf.
After that, go to the terminal and use the following syntax:
sudo scalpel "device name/directory name/file name" -o "output directory"
The output directory is the directory where you want the recovered files to be written. It must be empty before you run the command, otherwise you will get an error. You can also input the deleted filename directly by using the -i option.
Foremost : This forensics utility is a console program that recovers files based on their headers, footers, and internal data structures. This process is commonly referred to as data carving. Foremost can work on image files, such as those generated by dd, Safeback, Encase, etc., or directly on a drive. The headers and footers can be specified in a configuration file, or you can use command line switches to select built-in file types. These built-in types look at the data structures of a given file format, allowing for a more reliable and faster recovery. You can install it in Ubuntu and its derivatives by typing
sudo apt-get install foremost
There are a lot of options available for foremost. We will understand them through some examples.
Searching for the deleted JPG Image
sudo foremost -t jpg -i /dev/sda1
The -t option gives the type of file you want to search for; in this case it is jpg. If you want to search for all file types, pass “-t all”. The input option -i gives the base device/directory for the search and is common to all foremost commands. You can also specify the output directory with the -o option if you want to. If you want to search for jpg and pdf at the same time, pass “-t jpg,pdf”.
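To make the header/footer carving that Foremost and Scalpel perform concrete, here is an added example (not code from either tool or from this post) of a minimal carver run over a constructed in-memory disk image. The signature table, function names, size limits and sample bytes are assumptions made for illustration.

```python
"""Added example: minimal header/footer file carver (not Foremost/Scalpel code)."""
from typing import Iterator, List, NamedTuple, Tuple


class Signature(NamedTuple):
    ext: str
    header: bytes   # magic bytes that start the file
    footer: bytes   # bytes that end the file
    max_size: int   # stop looking for the footer after this many bytes


# Well-known JPEG and PDF markers; the size limits are illustrative.
SIGNATURES = [
    Signature("jpg", b"\xff\xd8\xff", b"\xff\xd9", 1 << 20),
    Signature("pdf", b"%PDF-", b"%%EOF", 1 << 20),
]


def carve(image: bytes, signatures: List[Signature] = SIGNATURES) -> Iterator[Tuple[int, str, bytes]]:
    """Yield (offset, ext, data) for each header..footer span in a raw image."""
    for sig in signatures:
        pos = 0
        while (start := image.find(sig.header, pos)) != -1:
            limit = min(len(image), start + sig.max_size)
            end = image.find(sig.footer, start + len(sig.header), limit)
            if end == -1:
                # Header without a footer in range: the tail was overwritten
                # or fragmented, so skip it instead of carving garbage.
                pos = start + 1
                continue
            end += len(sig.footer)
            yield start, sig.ext, image[start:end]
            pos = end


def build_sample_image() -> bytes:
    """Constructed 'disk': zero filler, two deleted files, one damaged JPEG."""
    jpg = b"\xff\xd8\xff\xe0" + b"constructed-jpeg-body" + b"\xff\xd9"
    pdf = b"%PDF-1.4\nconstructed pdf body\n%%EOF"
    damaged = b"\xff\xd8\xff\xe0" + b"footer was overwritten"
    return b"\x00" * 512 + jpg + b"\x00" * 100 + pdf + b"\x00" * 200 + damaged


if __name__ == "__main__":
    for offset, ext, data in carve(build_sample_image()):
        print(f"offset {offset}: recovered {len(data)} bytes as .{ext}")
```

Real carvers read the device or a dd image in chunks rather than loading it into memory, but the matching logic is the same. The damaged JPEG shows why a file whose blocks were partly overwritten cannot be carved back.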
Photorec : It is the fastest utility of the three. You will find photorec in the testdisk package. If you don’t want to deal with too many commands, then this utility is the best one for you. All you need to do is run photorec as root in the terminal/terminator.
Select the device you want to search, and it will then ask you for the partition table type. Select the one that matches yours; in my case it is Intel. As soon as you select it, it will ask you to select the file system or partition of the disk. It will then take you to the filesystem selection screen.
* indicates the mounted partition. Select the appropriate file system. Finally, it will ask you for the folder where you want to restore the deleted files. After selecting it, press y to proceed. Although there are utilities to recover your files, I would recommend you get into the habit of using plain old delete and not “Shift+Del”, because prevention is always better than cure :D:D