File recovery on Linux is a bit different than Windows. It requires different software than the Windows counterparts because every OS has their own file system. Windows uses NTFS, or FAT file systems, while on the other hand, Linux uses ext-based file systems. I personally use ext4 file system because it's the latest and greatest ext-journaling system and supports a large level of directory recursion and file sizes, but most installations still use ext2 or ext3. When files are deleted from a disk, they are simply modified in binary to tell the computer that those files can be written over.
Today in Null Byte, we are going to be using the data recovery tool suite TestDisk + PhotoRec to carve files from our disk that we have deleted. For this guide, I will be running the tools under Arch Linux. Let's set up a test environment and get started.
Step 1 Download TestDisk + PhotoRec
All commands in bold are terminal commands.
- Download the toolsuite.
sudo wget http://www.cgsecurity.org/testdisk-6.13-WIP.tar.bz2
- Extract the archive.
sudo tar zxvf <file archive>
- Change to the newly made directory.
- Configure for compilation.
- Now, compile and install the software.
sudo make && sudo make install
Let's move on to the simulation of a lost file and its recovery.
Step 2 Delete a File and Recover It
For this example, we should set up a file or picture that we want to have deleted. I chose this one of Tux, the Linux mascot!
Now, open up a file manager, or a terminal and delete the file you would like to practice recovery on. After that's all set, open up a terminal and let's run the tool and recover it!
- Run the program.
- Select the hard drive that you will be recovering from.
- Hit Proceed.
- Select Intel partition type.
- Now select your home partition, mine is installed on /dev/sda3.
- Select Ext2, Ext3 and Ext4.
- For this part, I would select free to scour the free-space, or you could use the whole disk, it doesn't really matter.
- Select the directory you deleted the file in, mine was in ~/Downloads.
- After that runs, you should have all of it figured out and recovered! Congratulations on getting your file(s) back!
Want to start making money as a white hat hacker? Jump-start your hacking career with our 2020 Premium Ethical Hacking Certification Training Bundle from the new Null Byte Shop and get over 60 hours of training from cybersecurity professionals.
Other worthwhile deals to check out: