How to recover a deleted Linux partition. Instructions on how to recover deleted files from disk

Ext2/3/4FS (created in Linux or other OS), FAT12, FAT16, FAT32, NTFS, NTFS5 (created or modified in Windows 2000/XP/2003/Vista/7/8), exFAT, ReFS, APFS, HFS+, HFSX, HFS and UFS1, UFS2, UFS BigEndian (used in FreeBSD, OpenBSD and NetBSD OS).

Support for standard RAID levels: volume set, 0, 1, 4, 5, 6. Support for nested and non-standard RAID levels: 10(1+0), 1E, 5E, 5EE, 6E. Parity delay support for all relevant RAID levels. Support for custom RAID schemes.

Automatic recognition of RAID parameters. R-Studio is capable of recognizing all parameters for RAID 5 and 6. This allows the user to solve one of the most difficult tasks when restoring a RAID - determining its parameters.

New improved algorithm for recovering files by their signatures: this function allows you to recognize the typical characteristics of the structures of common file types and recover data from devices on which the file system is damaged or unknown (HDD, CD, DVD, floppy disks, USB drives, ZIP drives, flash drives -memory (Compact Flash Card, memory sticks) and other removable media).

Custom known file types. The user can create and add new types of files of any complexity to R-Studio for their precise identification.

Supported Operating Systems: files can be recovered on Win2000, XP, Vista, Win7, Win8, Mac OS X or Linux and certain UNIX platform operating systems.

Almost all R-Studio files (images, scan information, logs, etc.) can be saved and loaded over the network.

Optimization of the data recovery process: to increase the recovery speed and reduce the amount of data transferred over the network, the file analysis and recovery process is performed on a serviced computer with damaged/deleted disks. You can also save the recovered files on a disk on the same computer.

Creating an image file: using R-Studio you can create an image file of an entire physical disk, logical disk or partition. Such images are exact copies of objects and are compatible with all previous versions of R-Studio.

Additional features when creating an image file (another image file format): images can be divided into several parts, compressed and password protected. They are only compatible with current versions of R-Studio and the R-Drive Image program.

You can create an image and scan the copied data at the same time.

Disk copy module: byte-by-byte copying of any object in the Drives panel is possible, as well as copying partitions and hard drives with changing their parameters.

Hexadecimal disk and file editor: Supports storing non-resident NTFS file attribute. Allows you to analyze data and present it in accordance with various data templates (including custom ones). Files located in specific sectors are also shown.

R-Studio Emergency boot device. R-Studio Emergency runs from an external USB drive, CD/DVD or a set of floppy disks. This is very useful when you need to recover data from a computer that cannot boot due to file system corruption.

Viewing the contents of files: to view the contents of the restored file, simply double-click on it. Very useful in assessing chances of recovery. An efficient built-in file viewer that displays pictures as tiles and the first frames of video files as icons and supports a large number of . Now these files can be played without the corresponding programs installed.

Monitoring S.M.A.R.T. parameters R-Studio can display S.M.A.R.T. parameters. (Self-Monitoring, Analysis and Reporting Technology) for hard drives that show the state of their hardware and predict their possible failures. Any additional load on such disks should be avoided if warnings from the S.M.A.R.T system appear. Hard drive icons in Drive View (Disks panel) are used to show the overall S.M.A.R.T. status. for disks.

If PhotoRec does not bring results, then try other tools.

Using Scalpel

Scalpel is an open source file recovery program using a database of headers and footers. Can recover from disk or device images with raw blocks, headers and footers set by the user. The program is used not only for file recovery, but also for digital forensic research.

Installing Scalpel on Ubuntu, Linux Mint and Debian

Open a terminal and copy the command into it:

Sudo apt-get install scalpel

Once scalpel installation is complete, you need to find the file scalpel.conf:

Locate scalpel.conf

It is usually located in /etc/scalpel/scalpel.conf or /etc/scalpel.conf. Open this file with a text editor, you will see that all lines are commented out (starting with # ). Those. Before running scalpel you need to uncomment the file formats you want to recover. If you uncomment the entire file, it will take a lot of time and produce many false results.

Let's say I want to recover only .jpg files, then I will simply uncomment the jpg section in the scalpel config file.

# GIF and JPG files (very common) gif y 5000000 \x47\x49\x46\x38\x37\x61 \x00\x3b gif y 5000000 \x47\x49\x46\x38\x39\x61 \x00\x3b jpg y 200000000 \xff\xd8\xff\xe0\x00\x10 \xff\xd9

On the command line you need to specify the location of the deleted files that you are trying to recover (in this example it is /dev/sda1 ):

Sudo scalpel /dev/sda1-o output

Switch -o points to the output directory where you want to save your recovered files. Before running the program, make sure that this directory is empty, otherwise you will receive an error. Command output:

Scalpel version 1.60 Written by Golden G. Richard III, based on Foremost 0.69. Opening target "/dev/sda1" Image file pass 1/2. /dev/sda1: 6.1% |***** | 6.6 GB 39:16 ETA

As you can see, now scalpel is doing its job, the process of recovering deleted files takes time, which depends on the size of the disk you are scanning and the speed of the machine.

Using extundelete

Use first

A file opened in the program has been deleted

If you think that the remote file is still open in some program (for example, a movie that is currently playing in a media player) and you know the file name, try this procedure first:

Lsof|grep "path/to/file" progname 5559 user 22r REG 8.5 1282410 1294349 /path/to/file

We remember the number in the second column, it is 5559, and the number in the fourth column, it is 22. Then the recovery command:

Cp /proc/5559/fd/22 restored.file

If this trick does not work, then immediately unmount the file system with the deleted file or set it to read-only mode.

V. Kostromin (edited by Vanderboot)

The other day, during a small revision of the contents of my site, I came across a translation of the article “10 ways to recover deleted files in Linux,” the original version of which was dated June 21, 2007. After re-reading the article and trying to follow the links provided in it, I discovered that some links do not work at all (the developers’ sites on the Internet have disappeared), and some of the utilities mentioned in the article have not been updated or supported for a long time.

The idea arose to see what tools for recovering accidentally deleted files exist at the moment. I believe that interest in funds of this kind has not disappeared over the past years. After all, novice users of Linux (as well as other operating systems) often find themselves in a situation where, by mistake caused by inexperience, they delete some files and immediately realize that they did not delete what they wanted. Or maybe they didn’t want to delete anything at all.

In addition to cases of erroneous data deletion, situations are possible when the media is damaged, bad sectors appear on the disk, and so on. In such situations, data recovery tools are also needed.

I would like to warn you right away that everything stated below has not been personally verified by me and is based only on information published on the developers’ websites or in articles describing the relevant products. And, of course, the article discusses only freely distributed products. If you are interested in paid (proprietary) products, you can easily find them yourself.

So here you go list of utilities for recovering lost data, which I managed to find (data current as of November 10, 2010).

1. unrm- a small console utility that, under certain conditions, can recover almost 99% of deleted data (similar to the undelete utility in DOS). Before using it, carefully read the FAQ file and preferably the Linux Ext2fs Undeletion Mini-HOWTO. Application:
   unrm [-b (no block padding)][-e (every block)][-f fstype][-vW] device
2. (gET iT i sAY) - file recovery tool for Ext2/Ext3 file systems. After installation, current files and newly created files in /root and /home can be restored. The utility allows users to recover all deleted files, recover files owned by a specified user, dump data from file locations, and recover specific file types, such as text or MP3. There is also an analyzer to help users during recovery.
3. ddrescue(in Ubuntu this utility is called gddrescue) This utility copies data from a file or hardware device containing the data to another location, while attempting to correct any read errors that may exist. ddrescue performs basic operations automatically, filling out the log file in parallel. If there are two or more copies of damaged files, ddrescue is able to completely restore the file, eliminating all errors.
   ddrescue sets the I/O buffer size to the sector size so that it can be used for sector-by-sector data recovery from devices.
4. TestDisk is a powerful free data recovery program! It was designed primarily as a tool for recovering lost partitions and/or restoring disk bootability if the problem is caused by software, viruses, or human error (such as accidentally deleting the Partition Table). It is very easy to restore Partition Tables with TestDisk. But TestDisk can also recover deleted files on FAT, NTFS and ext2 file systems; copy files from remote FAT, NTFS and ext2/ext3/ext4 partitions. (See the article by V. Simon, “Testdisk - restoring the disk partition table”).
5. - a console program that allows you to search for files on disks or their images using hex data, characteristic headers and endings. The program combs files for matches of predefined hex codes (signatures) corresponding to the most common file formats. Then it extracts them from the disk/image and puts them in a directory, along with a detailed report on what, how much and where it was recovered from. File types that foremost can immediately recover: jpg, gif, png, bmp, avi, exe, mpg, wav, riff, wmv, mov, pdf, ole, doc, zip, rar, htm, cpp. It is possible to add your own formats (in the configuration file /etc/foremost.conf), which the program does not know about.
   Articles: "Recovering deleted files using foremost", "Recovering deleted files in Linux OS".
6. R-Linux is a free program for recovering Ext2/Ext3/Ext4 FS file systems used on Linux and some Unix systems. The Scanning Technology used in R-Linux and the program’s easy-to-set interface give the user absolute control over the data recovery process. R-Linux allows you to copy information and create an image of an entire disk or part of it, and only then work with the image file saved on another medium, as with the original disk. R-Linux searches for known file types using the typical characteristics of their structures, which allows the user to search and recover files from devices where the file system is unknown - HD, CD, DVD, floppy disks, USB drives, ZIP drives and flash memory devices ( Compact Flash Card, Memory Sticks). However, the program does not have the ability to restore data over a network, as well as functionality for reconstructing disk arrays and recovering data from them.
7. DMDE- DM Disk Editor and Data Recovery Software. A program for disk editing and data recovery. The free version has all the functions of a disk editor, partition management and file recovery, with the exception of the ability to group restore files and directories; The full version allows you to restore groups of files and directories while maintaining the directory structure.
8. PhotoRec is a utility included in the TestDisk package. Designed to recover damaged files from memory cards of digital cameras (CompactFlash, Secure Digital, SmartMedia, Memory Stick, Microdrive, MMC), USB flash drives, hard drives and CD/DVD. Recovers files from most common image formats, including JPEG, audio files, including MP3, document files in Microsoft Office, PDF and HTML formats, and archives, including ZIP. It can work with ext2, ext3, FAT, NTFS and HFS+ file systems, and is capable of restoring graphic files even if the file system is damaged or formatted.
   Can run under Linux, DOS, Windows, FreeBSD, NetBSD, OpenBSD, Mac OS X and SunOS operating systems
9. Mondo Rescue. The main purpose of this program is to create backup copies of data. It can create backups to tape, CD, remote media via NFS, or as ISO images on local disks. But in case of data damage, the program allows you to restore it completely or partially, even if your hard drive is inaccessible by normal means.
   Mondo runs on all major Linux distributions and supports LVM, RAID, ext2, ext3, JFS, XFS, ReiserFS, VFAT and other file systems. It can restore disk geometry, migrate data to RAID arrays, and check the integrity of the computer’s file system. In addition, it allows you to restructure the disk, reduce/enlarge partitions, reassign devices, and add hard drives.
10. is a data recovery tool that attempts to extract data from accessible but problematic media (with bad sectors). The data source can be external devices (such as CD, DVD and Blu-ray) and hard disk partitions. The program has the advantage of continuing to run even when other tools stop due to I/O errors. Conventional copying tools such as cat, cp or dd do not allow you to create an image of a disk or removable media if a failure occurs while reading a sector.
11. The Sleuth Kit(TSK) - a set of programs (fls, icat, ffind, ifind, mmls, fsstat, etc.) for forensic analysis of file systems. TSK is a collection of UNIX command line tools that can analyze NTFS, FAT, FFS, EXT2FS, and EXT3FS file systems. TSK reads and processes file system structures on its own, so file system support is not required by the operating system.
    Articles: Recovering hidden or lost data.
12. Scalpel is a quick file recovery tool. The uniqueness of this software is that it does not depend on the file system. The program searches the database for the beginning and end of files of known formats and tries to find them on the disk. Therefore, recovery is possible both from FATx, NTFS, ext2/3, and from “bare” (raw) partitions.
    Articles: Recovering deleted files using Scalpel

In addition to those listed, some articles also mention utilities Magicrescue And ntfsundelete from the ntfstools package.

This list can be very useful to you if you find yourself in a situation where you need to recover data from damaged media. And it is advisable to master at least some of these tools before there is an urgent need to use them. To do this, it makes sense to test them on artificial examples of file deletion, as was done in one of the notes given in the list of sources.

In conclusion, a few tips, perhaps trivial, but certainly useful, on how to try to avoid getting into an unpleasant situation when the use of the above means is required. First, you can make it more difficult to accidentally delete a file or directory. To do this, make sure that instead of the command rm the command was called rm -i. This can be done using the alias command as follows:

Alias ​​rm="rm -i" Then before performing the deletion you will be asked an additional question whether you really want to do this.

Second tip: Back up your data as often as possible, every day or even every hour. If you follow this advice, then in the worst case scenario, you will only lose the results of your work that you received during the last hour. And in this case, data recovery procedures will be much easier to complete. You can automate the execution of these procedures using cron and the utility rsync by organizing periodic copying of important files and directories to another disk or partition. Or you can use the Mondo Rescue utility mentioned above. By the way, you will master its use, which may be useful if you need to restore data in an emergency.

And third: before you start trying to recover deleted files, make a copy of the partition in which these files were located and work with it, and not with the original partition. If you make a mistake again during the recovery process, you can start all over again. If you work with the original partition, you can damage the data irrevocably. You can make a copy of a partition using the command dd(you can read about the use of this command in A. Dmitriev’s article “dd: A command that is not like the others”).

It is also worth recalling that there are special Linux distributions that run from CDs or other removable media and contain a host of administration utilities, including data recovery tools. Examples of such distributions include SystemRescue CD and Trinity Rescue Kit.

I believe that the above list will also become outdated after a while, as happened with the list given in the article mentioned at the beginning of this note. But new means will appear, perhaps more advanced ones. To stay informed, sometimes check out the Linux Software Catalog website, or better yet, help keep this catalog up to date. Then, in any emergency or normal situation, you or another Linux user will be able to find the necessary tools and tools to solve their problems.

Sometimes it happens that we accidentally delete files that we still need. This is especially dangerous in the Linux terminal, since here files are not deleted into the trash, but are erased from the disk immediately and forever.

It is clear that you need to carefully handle file deletion commands, but what to do if everything has already been deleted, but the files were important and need to be restored urgently? In some cases this is possible. In our today's article we will look at recovering deleted Linux files.

Each file takes up a certain space on the hard drive, but the file system, to provide access to the file, gives us links to its beginning, through which any program can obtain the contents of the entire file. It would be ineffective if deleting a file resulted in a complete overwriting of its area on the disk.

Instead, the file system simply removes the reference to that area from its base and then marks the space where the file was located as immutable. But in fact, all your files are still there. From this we conclude that if, after deletion, the file system is very quickly switched to read-only mode, then all deleted files can be restored.

If you worked with this file system and the data on the disk was overwritten by others, then you will not be able to save anything yourself. You may have heard that intelligence agencies can recover data that has been overwritten several times using the residual magnetic trace on the disk. This is true. But to solve such a problem, you need special equipment; a few programs are not enough; you need a special laser that can read the magnetic trace along the edges of the track and other equipment. So you can forget about this method for yourself.

Well, we will focus on software recovery, when the data has been formally deleted, but is physically still on the disk intact and safe. Next, we’ll look at several utilities that will help you recover deleted Linux files.

1.Safecopy

Safecopy is a fairly simple data recovery tool that simply copies data from one location to another. The utility, as such, does not restore individual files. It simply allows you to copy data from a damaged device to a normal one.

The difference between this utility and other copy programs is that Safecopy does not exit when it encounters any errors, be it a bad read operation or a bad sector. It has many additional options for customization, as well as the ability to create a file system image from damaged media. Data is recovered carefully and quickly as possible.

The utility can be installed from the official repositories of your distribution. Ubuntu users can use this command:

sudo apt install safecopy

Here you will not recover deleted files, but you can copy damaged data. For example, for video, a few damages do not matter much. To start file recovery in Linux from the /dev/sda1 partition, run:

sudo safecopy /dev/sda1 /home/files/

All files that can be copied will be in /home/files/.

TestDisk is a very powerful data recovery tool. It doesn't try to copy data from a damaged device, but rather helps you fix errors and partition-level issues that may be preventing you from working with your data.

The utility can recover lost partitions, fix GPT and MBR partition tables, make disk backups, restore boot records, and most importantly, recover deleted files from NTFS, FAT, exFAT and Ext family file systems. You can also copy files even from remote partitions for the same file systems.

The way the utility works varies greatly depending on the desired action. Here you will find a pseudographic wizard who will guide you through all the steps. You can also install testdisk from the official repositories. On Ubuntu, use the command for this:

sudo apt install testdisk

Since the topic of our article is restoring Linux files, let’s look at how this is done using this utility. Run the program:

At the first step of the wizard, select Create New Log:

Select the partition table on the disk:

To work with the file system, select Advanced:

Next, select the section, then the list command:

Here you will see all the files that are on this section. Deleted but recoverable files will be marked in red.

It is more convenient to work with this utility than with Photorec, because here you can select only one file you need, and not restore a bunch of garbage at once. To copy a file simply select it, press c and choose a folder to save. True, you understand that for recovery it is necessary that the files are not overwritten, somewhere a little overwritten and that’s it.

Our latest program is focused primarily on searching and recovering deleted videos, photos, documents and archives. We can say that this is a program to recover deleted Linux files. The advantage of PhotoRec is that it completely ignores the file system and looks at the raw data, which means it will still work even if the file system is corrupted or reformatted, but only in fast mode, where only the headers are erased.

To avoid any problems, read-only access is used here, which is quite sufficient for data recovery. But as I said before, you need to stop all write operations as soon as you realize that you need to recover the file. Otherwise, the necessary data may be overwritten by something new and you will no longer be able to restore it.

The utility has several settings. You can specify file extensions to find, size, modification date, and so on. You can install the program in the same way as TestDisk - from the official repositories.

For example, on Ubuntu run:

sudo apt install photorec

As for use, there is an interactive interface similar to testdisk. Run the utility with the command:

Select the disk you want to work with:

Choose a section:

Select a file system: The program will recover many files, and most likely more than you need. Moreover, its main problem is that the file names are not saved and you will have to search further to find if what you need is there.

conclusions

These three tools cover a wide range of Linux file recovery tasks. Here you can not only recover deleted linux ext4 files, but also fix your hard drive or copy files from damaged media.

What are your favorite data recovery utilities? Which ones do you use? Write in the comments!

For dessert, a video from Discovery about how a hard drive works:

An operation such as recovering deleted files in Linux is rarely required. But in order not to be left without important data at the wrong moment, you should be prepared in advance and be able to quickly take the necessary measures.

Recovering deleted Linux files

There are 2 options for recovering data in a Linux system - directly from the system’s hard drive and from a flash drive.

Linux Hard Drive Data Recovery

File systems used in all operating systems, not just Unix-like ones, are organized in such a way that they do not allow a deleted file to disappear without a trace. That is, if a file was created and located on the hard drive, it means that it occupied some space and was included in the list of links among other objects.

When the user deletes it, the link to the file is deactivated, signaling to the file system that the occupied space can be marked as permanent. In fact, the deleted object still exists and is located on the clusters on which it was. Its complete erasure will occur only after its trace is overwritten with other data.

From which it follows that as long as the space where the file was located is untouched, it can be restored. Accordingly, after detecting data loss, you need to immediately stop all recording processes (downloading files, creating documents, updating the system and programs, installing software) and start restoring it.

Recovering data from a Linux flash drive

Since the Recycle Bin works slightly differently in Linux than in Windows, the first thing you should do is test it. Files deleted using the usual method, without emptying the recycle bin afterwards, are stored there. To restore, just connect the drive, go to the trash and restore the object.

But if the data is erased from both sources, you will have to resort to built-in or third-party recovery software. Before doing this, it is recommended to make a backup copy of the partition on which the file was located. To do this, you must follow the instructions below, with the caveat that to create a copy you need an amount of free hard disk space equal to the capacity of the flash drive. If attempts to restore data on the drive itself fail, you can contact a more experienced technician, providing him with a virtual copy of the partition.

File recovery programs for Linux

The simplest and most obvious way out is to go to a specialized data recovery service. But there is a huge disadvantage - the price. The extraction procedure is very expensive, and no one will tell how difficult this process was. There is also no guarantee for the return of all objects, especially since equipment that can restore a file after several overwrites is supplied only to special services. So, before you despair, you should try to carry out the operation on your own.

Recovering Linux Files with GParted

The most common program for working with partitions in Linux. However, not all distributions come with it. Not the most reliable assistant in such operations, but it’s worth trying as an option.

Recovering files with Scalpel

Scalpel Linux is a small tool that specializes in recovering deleted files from EXT4 partitions and other file systems. It has in its arsenal a database of file system types and data formats, which makes it universal. After all, during scanning, it compares the remaining records on the hard drive or flash drive with its own list, and if a match is found, it begins to recover deleted Linux files.

Installation and use are simple:

The process can be seen more clearly here:

Recovering Ubuntu Data with TestDisk

TestDisk can also help you recover files from Linux, but in a slightly different way. The fact is that this software is not aimed at extracting data from drives, but at testing and restoring the functionality of the partitions created on them.

There is also a program in Ubuntu - PhotoRec. First of all, its functionality is designed for restoring multimedia files and archives. This software completely ignores errors, missing or formatted file systems, thereby scanning data without any problems.

Now it comes bundled with TestDisk, and because of this combination of efforts, the resulting utility is considered the best among Ubuntu file recovery programs. To avoid problems due to user inexperience, during basic settings and manipulations, the utility uses the “everything in the system is read-only” approach.

By identifying information errors, TestDisk can recreate lost partitions in various file systems, such as FAT, NTFS and EXT4. Even if the partition was previously deleted, by finding traces of it, the program will be able to fix dependencies that prevent the file from being accessed correctly. The program is available in the official Canonical repository. In order to start recovering data from an Ubuntu hard drive, you need to follow the instructions:

Linux data recovery with Safecopy

Safecopy is a simple tool for interacting with partitions and data. It does not help in recovering data from an Ubuntu flash drive, but it will be able to copy objects from damaged media to healthy ones. Its advantage is that it completely ignores errors that occur when reading and copying files. What can best affect your attempt to save multimedia files.

A couple of broken bytes can do little harm to a photograph or video, and a text document will most likely just need to be corrected a little. But working with archives, especially if they are password-protected, can be disrupted.

To work with the program you need:

How to delete a file on Ubuntu

There are many ways to delete a file in Ubuntu. But it also all depends on whether it is a system file or a user one. This is easy to understand. Everything that is located before the /home directory is system files, while everything inside it is user files.