When you forgot to back up: recover deleted files in Linux

Forgot to back up? Sometimes you realize that one of your last rm commands was one too many. The best way to recover accidentally deleted files is, of course, a backup. But sometimes the backup was created before the file appeared on the system, or the file was changed many times after the backup was taken: in the morning the manager uploaded the photos, but the administrator did not understand and deleted them.

In that case, restoring from the backup does not help: a backup exists, but in practice it is useless. This is where recovery of deleted files comes to the rescue, and the earlier you start the process, the higher the probability of success.

There are many different tools for recovering deleted files. The choice of tool depends on the type of file system and on the type of file itself. On the ext3/ext4 file systems, the extundelete utility shows good results. If you need to restore an image (JPEG, PNG, GIF, etc.), the best choice is foremost. The all-purpose tool is the scalpel utility, so let’s begin with it.

Scalpel utility for backup

Scalpel recovers deleted files using a database of file headers. Before running scalpel, you need to specify in its configuration file the types and headers of the files to be restored. The default configuration file already contains the headers of the most popular file types; the admin only has to uncomment the corresponding lines. To restore exotic formats, you can specify your own headers.

Let’s see how scalpel works in practice. Install the utility:

sudo apt install scalpel

Open the configuration file (/etc/scalpel/scalpel.conf or /etc/scalpel.conf). It already describes various file types. Before running the utility, you need to uncomment the lines corresponding to the types of files being restored. For example, to restore GIF and JPEG files, you need to bring the corresponding section of the config to the following form:

# GIF and JPG files (very common)
gif y 5000000   \x47\x49\x46\x38\x37\x61   \x00\x3b
gif y 5000000   \x47\x49\x46\x38\x39\x61   \x00\x3b
jpg y 200000000 \xff\xd8\xff\xe0\x00\x10   \xff\xd9

Now run scalpel:

sudo scalpel /dev/sda1 -o recover

Here /dev/sda1 is the name of the device that is searched for deleted files, and the -o option specifies the name of the directory in which the recovered files are placed. Instead of the device name, you can specify an image of the device.

The point is this: on a file system in active use, the more time passes between the deletion and the recovery attempt, the lower the chances. You can therefore “freeze” time by creating an image of the device (using the dd command) and trying to recover files from the image. This reduces the likelihood that the area where the file was stored will be overwritten by another file, after which you will not be able to restore anything.

The output of the utility:

Scalpel version 1.60
Written by Golden G. Richard III, based on Foremost 0.69.
Opening target "/dev/sda1"
Image file pass 1/2.
/dev/sda1: 9.1% |***** | 9.9 GB 39:16 ETA

All that remains is to wait for the recovery to finish.
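The header and footer matching that the scalpel configuration describes can be illustrated with a short carver. The Python below is an added example, not scalpel's code and not part of the original article; the function names (unescape, parse_rules, carve) and the sample image bytes are made up for the illustration, and the case flag is read but ignored.

```python
import re

# scalpel.conf column order: extension, case flag, max carve size, header, footer.
CONF = r"""
# GIF and JPG files (very common)
gif y 5000000   \x47\x49\x46\x38\x37\x61 \x00\x3b
gif y 5000000   \x47\x49\x46\x38\x39\x61 \x00\x3b
jpg y 200000000 \xff\xd8\xff\xe0\x00\x10 \xff\xd9
"""

# Constructed sample "image": filler around one GIF89a and one JPEG remnant,
# then a JPEG header whose footer has already been overwritten.
GIF = b"GIF89a\x01\x00\x01\x00\x80pixels\x00\x3b"
JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00scan-data\xff\xd9"
LOST = b"\xff\xd8\xff\xe0\x00\x10JFIF"
IMAGE = b"\x00" * 64 + GIF + b"\xaa" * 32 + JPG + b"\x55" * 16 + LOST

def unescape(pattern):
    """Turn the config's \\xNN escapes into raw bytes."""
    return re.sub(rb"\\x([0-9a-fA-F]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), pattern.encode("latin-1"))

def parse_rules(conf):
    """Parse uncommented config lines into (ext, max_size, header, footer)."""
    rules = []
    for line in conf.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue  # blank, commented-out or incomplete line
        footer = unescape(fields[4]) if len(fields) > 4 else b""
        rules.append((fields[0], int(fields[2]), unescape(fields[3]), footer))
    return rules

def carve(image, rules):
    """Return sorted (offset, ext, data) for each header with a footer in range."""
    found = []
    for ext, max_size, header, footer in rules:
        start = image.find(header)
        while start != -1:
            limit = start + max_size  # footer must fall inside the max carve size
            end = image.find(footer, start + len(header), limit) if footer else -1
            if end != -1:
                found.append((start, ext, image[start:end + len(footer)]))
            # No footer in range (or no footer rule): this sketch skips the hit.
            start = image.find(header, start + 1)
    return sorted(found)

if __name__ == "__main__":
    for offset, ext, data in carve(IMAGE, parse_rules(CONF)):
        print(f"{ext} at offset {offset}, {len(data)} bytes")
```

On the constructed image it carves the GIF at offset 64 and the JPEG at offset 115 and skips the last header, whose footer is gone: the overwrite case that imaging the device early is meant to avoid.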

Restoring images with foremost in Linux

The scalpel utility is a fork of foremost. Its specialty is recovery speed. At the same time, foremost recovers files more effectively, especially images.

The command to install foremost:

sudo apt install foremost

Then try to restore the deleted images:

sudo foremost -t jpg,gif,png,bmp -i /dev/sda1 -o ~/recover

Everything here is as before: files are restored from /dev/sda1, and the result is placed in the recover directory. The advanced settings of the utility are described in its manual (man foremost).
