
How to Recover Deleted Files in Linux

Nov 2, 2011 07:10 PM

File recovery on Linux is a bit different than on Windows. It requires different software than its Windows counterparts because every OS has its own file systems. Windows uses NTFS or FAT file systems, while Linux uses ext-based file systems. I personally use the ext4 file system because it's the latest and greatest ext journaling file system and supports a large level of directory recursion and large file sizes, but most installations still use ext2 or ext3. When files are deleted from a disk, their contents are not erased; the file system simply marks them so the computer knows that the space they occupy can be written over.
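Because deletion only marks space as reusable, a recovery tool can locate files by their content alone, with no directory entry to guide it. The following Python example is added here for illustration (it is not from the original article and is not PhotoRec's code): it carves PNG files out of a constructed in-memory image by signature and shows that a file whose blocks were overwritten is not recoverable. The block size, image layout and function names are assumptions.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
BLOCK = 4096  # assumed block size for the constructed image

def chunk(ctype, data):
    """Build one PNG chunk: length, type, data, CRC32 over type + data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def make_png():
    """Constructed sample file: a valid 1x1 grayscale PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x7f")  # filter byte + one pixel
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")

def build_image():
    """Constructed 8-block 'partition' holding no directory entries at all."""
    png = make_png()
    image = bytearray(BLOCK * 8)
    image[3 * BLOCK:3 * BLOCK + len(png)] = png  # deleted, blocks untouched
    image[6 * BLOCK:6 * BLOCK + 20] = png[:20]   # deleted, then mostly overwritten
    return bytes(image), png

def png_end(raw, cur):
    """Walk chunk headers from cur; return the offset after IEND, or None."""
    while cur + 12 <= len(raw):
        (length,) = struct.unpack(">I", raw[cur:cur + 4])
        ctype = raw[cur + 4:cur + 8]
        body_end = cur + 8 + length
        if body_end + 4 > len(raw):
            return None  # chunk runs off the end of the image
        (crc,) = struct.unpack(">I", raw[body_end:body_end + 4])
        if zlib.crc32(raw[cur + 4:body_end]) & 0xFFFFFFFF != crc:
            return None  # CRC mismatch: the data was overwritten
        cur = body_end + 4
        if ctype == b"IEND":
            return cur
    return None

def carve_pngs(raw):
    """Return (offset, file_bytes) for every intact PNG found in raw."""
    found, pos = [], raw.find(PNG_SIG)
    while pos != -1:
        end = png_end(raw, pos + len(PNG_SIG))
        if end is not None:
            found.append((pos, raw[pos:end]))
        pos = raw.find(PNG_SIG, pos + 1)
    return found
```

Running `carve_pngs(build_image()[0])` returns only the file at block 3; the signature at block 6 is found but rejected because its chunk data no longer matches its CRC.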

Today in Null Byte, we are going to be using the data recovery tool suite TestDisk + PhotoRec to carve files from our disk that we have deleted. For this guide, I will be running the tools under Arch Linux. Let's set up a test environment and get started.

Download TestDisk + PhotoRec

All commands in bold are terminal commands.

  1. Download the tool suite.

    wget http://www.cgsecurity.org/testdisk-6.13-WIP.tar.bz2
  2. Extract the archive (it is bzip2-compressed, so use the j flag rather than z).

    tar xjvf <file archive>
  3. Change to the newly made directory.

    cd <testdiskdir>
  4. Configure for compilation.

    ./configure
  5. Now, compile and install the software. Only the install step needs root.

    make && sudo make install

Let's move on to the simulation of a lost file and its recovery.

Delete a File and Recover It

For this example, we should set up a file or picture that we want to have deleted. I chose this one of Tux, the Linux mascot!


Now, open up a file manager or a terminal and delete the file you would like to practice recovery on. After that's all set, open up a terminal and let's run the tool and recover it!

  1. Run the program.

    sudo photorec
  2. Select the hard drive that you will be recovering from.
  3. Hit Proceed.
  4. Select Intel partition type.
  5. Now select your home partition; mine is installed on /dev/sda3.
  6. Select Ext2, Ext3 and Ext4.
  7. For this part, I would select free to scour only the free space, or you could scan the whole disk. It doesn't really matter.
  8. Select the directory you deleted the file in; mine was in ~/Downloads.
  9. After that runs, you should have all of it figured out and recovered! Congratulations on getting your file(s) back!

Be sure to drop by the forums and stop in IRC! We have a great programming session that will be happening Friday at 5 P.M. Join in!

Image via bablotech
