
Recover deleted linux files

How To Recover Deleted Files In Linux [Beginner’s Guide]

Last updated August 7, 2019 By Community

Brief: This article shows you how to recover deleted files in Linux using the command line tool TestDisk. It's an easy to use tool that almost anyone can use to recover lost files in Ubuntu or other Linux distributions.

Have you ever gotten that horrible feeling? The one you get when you realize that you accidentally deleted files and it’s not even in the trash? Often it is immediately preceded by denial: I know I have another copy of it somewhere.

But rather than going through all the stages of grief, don’t worry. And remember you’re not alone; sooner or later everyone does this.

“Don’t worry?” you counter, “I just erased the only copy of my resume!”

No really, don't worry. All that has happened is that the file's directory entry has been removed: the filesystem has crossed it off its list, but the blocks holding the data are still on the drive, now merely marked as free. So long as nothing writes to the drive, the data is still there; depending on the size of the file and the free space on the drive, deleted files can even survive further writes for a long time. Two caveats a careful recovery needs: stop writing to that drive immediately (unmount it, or remount it read-only) so that nothing lands on the freed blocks, and be aware that on an SSD with TRIM/discard enabled the drive itself may erase freed blocks shortly after deletion, at which point no software can bring them back.

“Yes, fine” you say, “I’ll rest easy knowing my resume ‘exists’ in some abstract sense. But so far as I’m concerned if I can’t open, edit or print from it, it doesn’t exist in any practical sense. What would really help would be a way to ‘un-delete’ files. And one that doesn’t require an IT forensics lab.”

Really, don't worry: you don't need a lab to recover the deleted files. Furthermore, if you can get past a text-mode, menu-driven interface, it's actually easy to do! I'll show you how to use TestDisk to recover deleted files.

How to recover deleted files in Linux using TestDisk

Let me present a simplified example: I took a clean thumb drive, added some files, then deleted one. My system has a feature that deletes files on removable media directly, bypassing the trash altogether, if I right-click a file and choose "delete". It still shows a warning, but one click on the "yes" button and the file is gone forever. Or appears to be.

But this time I didn't get that horrible feeling, and not because this is a cooked-up scenario. I knew that all I had to do was open the terminal, type "testdisk" and hit enter. When I did this for the first time I had one of my "Linux moments": if you don't have it installed (and I didn't), Ubuntu's command-not-found helper tells you how to get it. Just type "sudo apt install testdisk", hit enter, and you'll have it in about 10 seconds.


Step 1

You need to install the TestDisk tool first. Most Linux distributions already have this tool in their official repositories. In Ubuntu and Ubuntu-based distributions such as Linux Mint, elementary OS etc., you can use the command below to install TestDisk:

sudo apt install testdisk

Arch Linux users can install it from the official repositories with pacman (the package is also called testdisk). For other distributions, check your package manager first; source code and binaries are also available from the TestDisk project site, cgsecurity.org.

Though I am using Ubuntu in this tutorial, the instructions are not Ubuntu-specific: TestDisk is the same program on every distribution, so the steps presented here work elsewhere as well.

Step 2

Run TestDisk in the terminal using the command below (it will offer to relaunch itself with sudo if it needs raw access to the drive):

testdisk

Step 3

When you open it, you'll see a text-mode menu. Be patient! The interface is actually straightforward, but you do have to carefully read the text. Use the arrow keys to navigate and enter to select.

Screens that have extra commands will tell you so. Also note that TestDisk 7.0 tends to highlight the next reasonable step. It's almost always right, but do read the screen, since it can't read your mind. In any case, when it asks to create a log file, indulge it: the log is what you'll want to look at if something goes wrong, and it's about to pull you out of a hole.

Step 4

Now, at this point, if you're lucky, you should see your drive, and you can proceed to the last steps. But if you started TestDisk as a normal user it usually cannot read the raw block devices, since those belong to root: it lists nothing useful and instead offers to restart itself with sudo. You'll see a screen offering that option:

Select "Sudo", enter your password, and hit enter again on the next screen to create another log file.

Step 5

This time TestDisk displays all your drives. Arrow down to the drive in question and hit enter.

Step 6

TestDisk now asks for the partition table type and has already pre-selected the one it detected: for a thumb drive that is normally "Intel" (an MBR partition table), or "None" if the filesystem was written straight onto the device without any partition table. Unless you know it guessed wrong, hit enter again:

Step 7

And finally we have to do a little thinking. If you read the first screen (and I'll bet you didn't), this program isn't just for recovering deleted files: it's a powerful disk utility that can also rebuild partition tables and boot sectors. But if we remember what we're trying to do, the choice is fairly obvious: we're not trying to fix a disk, we're trying to recover a file. Select "Advanced" and hit enter.

Step 8

At the bottom of the page choose “Undelete” and get ready to see a ghost!

Step 9

TestDisk will scan the filesystem and list its contents, with deleted files highlighted in red. Arrow down to the file you want and carefully read the choices at the bottom.

Step 10

Again, bear in mind that TestDisk is a multi-function tool. Most of these options deal with groups of files; we only want our damn resume back! So hit "c" to copy the highlighted file.

As you can see from the scoreboard, we've won 1-0. After hitting "c", TestDisk asks where you want the recovered file written; it starts in the directory you launched it from, which is your home folder if you opened a fresh terminal. That is generally the best thing to do, for two reasons: navigating in TestDisk is a little tricky, whereas dragging and dropping afterwards is a breeze, and, more importantly, the recovered file must never be written back onto the drive you are recovering from, since doing so can overwrite the very blocks you are trying to save.
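What TestDisk is actually doing when it shows those red entries, as an added illustration that is not code from the article or from TestDisk: on a FAT-formatted thumb drive (the filesystem most removable media ship with; the article does not say which filesystem its drive used, so that is an assumption), deleting a file only overwrites the first byte of its 32-byte directory entry with 0xE5 and releases its cluster chain. The name minus its first character, the first cluster and the size stay in place, and an undelete walks the directory, keeps the entries a normal listing skips, and reads the data back assuming the clusters were still contiguous. The image layout (cluster size, root directory and data region offsets) and the two files are constructed for the example; the names it defines are hypothetical.

```python
"""What a FAT undelete sees (added example, not TestDisk's code)."""
from __future__ import annotations

import struct
from dataclasses import dataclass

# Layout assumed for the constructed image; on a real drive these values
# come from the FAT boot sector, which this example does not model.
CLUSTER_SIZE = 512          # bytes per cluster
ROOT_DIR_OFFSET = 0x800     # byte offset of the root directory
DATA_START = 0x1000         # byte offset of cluster 2, the first data cluster
DELETED_MARKER = 0xE5       # first name byte of a deleted directory entry
ATTR_ARCHIVE = 0x20
ATTR_LONG_NAME = 0x0F
# 32-byte entry: 8.3 name, attr, NT reserved, create tenth, create time/date,
# access date, first cluster (high), write time/date, first cluster (low), size
ENTRY_FMT = "<11sBBB" + "H" * 7 + "I"


@dataclass
class DirEntry:
    name: str           # "NAME.EXT"; first character is '?' if deleted
    first_cluster: int
    size: int
    deleted: bool


def make_entry(name: str, ext: str, first_cluster: int, size: int,
               deleted: bool = False) -> bytes:
    """Build an entry; a deleted one differs from a live one only in byte 0."""
    raw_name = name.upper().ljust(8)[:8].encode() + ext.upper().ljust(3)[:3].encode()
    if deleted:
        raw_name = bytes([DELETED_MARKER]) + raw_name[1:]
    hi, lo = first_cluster >> 16, first_cluster & 0xFFFF
    return struct.pack(ENTRY_FMT, raw_name, ATTR_ARCHIVE, 0, 0,
                       0, 0, 0, hi, 0, 0, lo, size)


def parse_entry(raw: bytes) -> DirEntry | None:
    """Decode one entry; None means the directory ends here."""
    if raw[0] == 0x00:
        return None
    f = struct.unpack(ENTRY_FMT, raw)
    raw_name, hi, lo, size = f[0], f[7], f[10], f[11]
    deleted = raw_name[0] == DELETED_MARKER
    # The first character is the one thing delete destroyed, which is why
    # undelete tools show it as '?' or '_'.
    base = ("?" if deleted else chr(raw_name[0])) + raw_name[1:8].decode("ascii")
    ext = raw_name[8:11].decode("ascii").rstrip()
    name = base.rstrip() + ("." + ext if ext else "")
    return DirEntry(name, (hi << 16) | lo, size, deleted)


def list_entries(image: bytes, dir_offset: int, max_entries: int = 512) -> list[DirEntry]:
    """Walk a directory, keeping the deleted entries a normal listing hides."""
    entries = []
    for i in range(max_entries):
        raw = image[dir_offset + 32 * i:dir_offset + 32 * (i + 1)]
        if len(raw) < 32:
            break
        if raw[11] == ATTR_LONG_NAME:   # VFAT long-name fragment, not a file
            continue
        entry = parse_entry(raw)
        if entry is None:
            break
        entries.append(entry)
    return entries


def carve(image: bytes, entry: DirEntry) -> bytes:
    """Read the file back assuming its clusters are contiguous.

    Deleting releases the cluster chain in the FAT, so only the first cluster
    and the size survive; recovery is therefore reliable only while the freed
    clusters have not been reused and the file was not fragmented.
    """
    start = DATA_START + (entry.first_cluster - 2) * CLUSTER_SIZE
    return bytes(image[start:start + entry.size])


def undelete_all(image: bytes, dir_offset: int) -> dict[str, bytes]:
    return {e.name: carve(image, e)
            for e in list_entries(image, dir_offset) if e.deleted}


# Constructed sample: one live file and one deleted file (hypothetical contents).
NOTES = b"shopping list: milk, bread\n"
RESUME = b"Dave Merritt - landscaper and PC medic\n" * 20   # 780 bytes, 2 clusters


def build_image() -> bytes:
    image = bytearray(DATA_START + 8 * CLUSTER_SIZE)
    root = (make_entry("NOTES", "TXT", 2, len(NOTES))
            + make_entry("RESUME", "DOC", 3, len(RESUME), deleted=True))
    image[ROOT_DIR_OFFSET:ROOT_DIR_OFFSET + len(root)] = root   # zero byte after = end
    image[DATA_START:DATA_START + len(NOTES)] = NOTES
    start = DATA_START + (3 - 2) * CLUSTER_SIZE
    image[start:start + len(RESUME)] = RESUME
    return bytes(image)


if __name__ == "__main__":
    img = build_image()
    for e in list_entries(img, ROOT_DIR_OFFSET):
        print(("DELETED " if e.deleted else "live    ") + e.name, e.size, "bytes")
    for name, data in undelete_all(img, ROOT_DIR_OFFSET).items():
        print("recovered", name, data[:38])
```

The contiguity assumption in carve() is the whole reason the advice "don't write to the drive" matters: a live filesystem reusing even one of those clusters silently corrupts the recovered copy without any error.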

A few tips on recovering deleted files in Linux using TestDisk

First, if you find yourself somewhere you don't want to be, hit "q" for quit. This won't close the program; instead it acts like the "back" button of a full-blown GUI and puts you back a page. And just like a back button, repeating it will eventually lead you back to the beginning.

Second, as with anything, the fewer the distractions, the easier it is to find what you're looking for. In other words, physically detach all other storage drives, so that you cannot pick the wrong one; in graphically simple environments simplicity is your friend. Better still, if the data matters, take an image of the drive first (with dd or ddrescue, written to a different disk) and point TestDisk at the image file instead of the device (testdisk accepts an image path as its argument). Every attempt then works on a copy and the original is never touched.

Finally, TestDisk can also help you retrieve files that have become inaccessible for other reasons. In fact, this is why I started using the program in the first place: I was trying to save files from a corrupted drive that could not be made to boot. Normally it's simply a matter of removing the drive and hooking it up to a USB adapter; you can then mount it on another PC and copy the files wherever you want.

But what if the drive holds an LVM volume? This was my problem: an LVM physical volume looks nothing like a normal Linux filesystem when you plug it in. None of the usual files appear and the file manager offers nothing to mount, because the ext2/3/4 filesystem lives inside a logical volume, and the volume group has to be activated first (with the lvm tools, vgchange -ay) before that logical volume can be mounted like any other partition. If the LVM metadata itself is damaged, that route is closed, and a tool like TestDisk that reads the raw device is the fallback.

Nevertheless, after a few false starts, I was able to find and save the missing files. Note, however, that the sequence of steps will be a little different: you may need to use the "Analyse" option for TestDisk to make sense of the drive, and you may have to poke around a little to find the home folder once you do. Furthermore, the files you're looking for will not appear in red, since they were never deleted in the first place. But once you do find them, the copying procedure is basically the same.

With Testdisk and a little luck, you may never lose your resume again as you can always recover deleted files in Linux.

Disclaimer: This tutorial is a reader submission.

Dave Merritt

I'm a 59 year old, full-time landscaper and part-time PC medic. I've been an avid Linux user for over ten years. In that time, I do not claim to have made every possible mistake, only most of them. I'm a big fan of prog rock, avant-jazz and J S Bach, and enjoy reading Neal Stephenson and anything to do with the foundational problems in modern physics.


How to recover deleted files with foremost on Linux

In this article we will talk about foremost, a very useful open source forensic utility that is able to recover deleted files using the technique called data carving (also known as file carving). The utility was originally developed by the United States Air Force Office of Special Investigations, and is able to recover several file types (support for additional file types can be added by the user via the configuration file). The program can also work on partition images produced by dd or similar tools, which is the safer way to use it: image the device once, then carve from the image rather than from the live device.

In this tutorial you will learn:

  • How to install foremost
  • How to use foremost to recover deleted files
  • How to add support for a specific file type

Software Requirements and Linux Command Line Conventions

System: Distribution-independent
Software: The foremost program
Other: Familiarity with the command line interface
Conventions: # requires the given Linux commands to be executed with root privileges, either directly as the root user or by use of the sudo command; $ requires the given Linux commands to be executed as a regular non-privileged user

Installation

Since foremost is already present in the repositories of all the major Linux distributions, installing it is a very easy task: all we have to do is use our distribution's package manager. On Debian and Ubuntu, we can use apt:

$ sudo apt install foremost

In recent versions of Fedora, we use the dnf package manager to install packages (dnf is the successor of yum). The name of the package is the same:

$ sudo dnf install foremost

If we are using Arch Linux, we can use pacman to install foremost. The program can be found in the distribution's "community" repository:

$ sudo pacman -S foremost

Basic usage

The foremost utility tries to recover and reconstruct files on the basis of their headers, footers and internal data structures, without relying on filesystem metadata. This forensic technique is known as file carving. Out of the box the program knows the signatures of, among others, the following file types: jpg, gif, png, bmp, avi, exe, mpg, wav, riff, wmv, mov, pdf, ole, doc, zip, rar, htm and cpp.

The most basic way to use foremost is to provide, with the -i option, a source to scan for deleted files (it can be either a partition or an image file, such as those generated with dd). Let's see an example. Imagine we want to scan the /dev/sdb1 partition: before we begin, a very important thing to remember is to never store retrieved data on the same partition we are retrieving it from, to avoid overwriting deleted files still present on the block device. Reading a raw block device requires root, and the partition should be unmounted (or at least not written to) while we work. The command we would run is:

# foremost -i /dev/sdb1

By default, the program creates a directory called output inside the directory we launched it from and uses it as the destination. Inside this directory, a subdirectory is created for each supported file type we are attempting to retrieve (output/jpg, output/pdf and so on), together with an audit.txt file describing the run. Each subdirectory holds the files of the corresponding type obtained from the data carving process.

When foremost completes its job, empty directories are removed and only the ones containing files are left on the filesystem: this lets us immediately see what types of files were successfully retrieved. By default the program tries to retrieve all the supported file types; to restrict our search we can use the -t option and provide a comma-separated list of the file types we want to retrieve. In the example below, we restrict the search to gif and pdf files:

# foremost -t gif,pdf -i /dev/sdb1

Specifying an alternative destination

As we already said, if a destination is not explicitly declared, foremost creates an output directory inside our cwd. What if we want to specify an alternative path? All we have to do is use the -o option and provide that path as its argument. If the specified directory doesn't exist, it is created; if it exists but is not empty, the program refuses to proceed and tells us to specify another directory or to run it with -T:

# foremost -i /dev/sdb1 -o /path/to/destination

To solve the problem, as suggested by the program itself, we can either use another directory or re-launch the command with the -T option. With -T, the output directory specified with -o gets the date and time of the run appended to its name, which makes it possible to run the program multiple times with the same destination without clobbering earlier results.

The configuration file

The foremost configuration file can be used to specify file formats not natively supported by the program. Inside the file we can find several commented examples showing the syntax to use. Here is the example involving the png type (the line is commented out since the file type is supported by default):

#	png	y	200000	\x50\x4e\x47?	\xff\xfc\xfd\xfe

The information to provide in order to add support for a file type is, from left to right and separated by tab characters: the file extension (png in this case), whether the header and footer are case sensitive (y), the maximum file size in bytes (200000), the header (\x50\x4e\x47?) and the footer (\xff\xfc\xfd\xfe). In the signatures, \xNN stands for one byte given in hex and ? matches any single byte. Only the footer is optional and can be omitted; without it, foremost simply cuts the carved file at the maximum size.

If the path of the configuration file is not explicitly provided with the -c option, a file named foremost.conf is looked for in the current working directory and used if present. If it is not found, the default configuration file, /etc/foremost.conf, is used instead.

Adding the support for a file type

By reading the examples provided in the configuration file, we can easily add support for a new file type. In this example we will add support for flac audio files. FLAC (Free Lossless Audio Codec) is a non-proprietary lossless audio format which provides compressed audio without quality loss. First of all, we know that the header of this file type in hexadecimal form is 66 4C 61 43 00 00 00 22: the four bytes fLaC in ASCII, followed by the header of the mandatory STREAMINFO metadata block, whose length is always 34 (hex 22). We can verify it by dumping the first bytes of a flac file with a program like hexdump:

As you can see, the file signature is indeed what we expected. Here we will assume a maximum file size of 30 MB, or 30000000 bytes. Let's add the entry to the configuration file:

flac	y	30000000	\x66\x4c\x61\x43\x00\x00\x00\x22

The footer signature is optional, so here we didn't provide it. The program should now be able to recover deleted flac files. Let's verify it. To test that everything works as expected I previously placed, and then removed, a flac file on the /dev/sdb1 partition, and then ran the command, pointing it explicitly at the edited configuration file:

# foremost -i /dev/sdb1 -c /etc/foremost.conf

As expected, the program was able to retrieve the deleted flac file (it was the only file on the device, on purpose), although the recovered file is named after the offset at which it was found rather than by its original name. The original filename cannot be retrieved because, as we know, file names and other metadata live in the filesystem, not in the file itself, and carving deliberately ignores the filesystem:

The audit.txt file records what the program did: the invocation, the input and output paths, the configuration file used, the start and finish times, and one line per carved file giving its name, size and the offset on the device at which it was found.
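What the carving pass described under "Basic usage" and the configuration syntax explained above amount to, as an added example written for this article (not foremost's own code): it parses a foremost-style config containing the png line quoted from the stock file and the flac line just added, translates the \xNN escapes and the ? wildcard into a byte-level pattern, scans a constructed image for every header, cuts each file at the first footer inside the max_size window or at max_size (or end of input) when no footer is defined, and names each carved file by the offset at which it was found. The sample image, its filler bytes and the fake PNG and FLAC contents are constructed for the example; foremost's extra config keywords and block alignment are not modelled.

```python
"""Minimal foremost-style file carver (added example, not foremost's code)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed config in the syntax of /etc/foremost.conf: extension, whether
# the signature is case sensitive, max file size in bytes, header, optional
# footer, tab separated.  The png line is the one quoted from the stock
# config, the flac line the one added in the article.
SAMPLE_CONF = (
    "# ext\tcase\tmax_size\theader\tfooter\n"
    "png\ty\t200000\t\\x50\\x4e\\x47?\t\\xff\\xfc\\xfd\\xfe\n"
    "flac\ty\t30000000\t\\x66\\x4c\\x61\\x43\\x00\\x00\\x00\\x22\n"
)


@dataclass
class Signature:
    ext: str
    max_size: int
    header: re.Pattern
    footer: re.Pattern | None


def pattern_to_regex(pattern: str, case_sensitive: bool) -> re.Pattern:
    """Translate a foremost signature into a compiled bytes regex.

    \\xNN is one literal byte, '?' matches any single byte and everything
    else is a literal character; 'n' in the case column maps to IGNORECASE.
    """
    out = b""
    i = 0
    while i < len(pattern):
        if pattern.startswith("\\x", i):
            out += re.escape(bytes([int(pattern[i + 2:i + 4], 16)]))
            i += 4
        elif pattern[i] == "?":
            out += b"."          # any byte (DOTALL makes '.' match newlines too)
            i += 1
        else:
            out += re.escape(pattern[i].encode("latin-1"))
            i += 1
    flags = re.DOTALL | (0 if case_sensitive else re.IGNORECASE)
    return re.compile(out, flags)


def parse_conf(text: str) -> list[Signature]:
    """Read config lines, skipping blanks and '#' comments."""
    sigs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        ext, case, size, header = fields[:4]
        footer = fields[4] if len(fields) > 4 else None
        cs = case.lower() == "y"
        sigs.append(Signature(ext, int(size), pattern_to_regex(header, cs),
                              pattern_to_regex(footer, cs) if footer else None))
    return sigs


@dataclass
class Carved:
    name: str        # "<offset>.<ext>", in the spirit of foremost's numbered names
    offset: int
    data: bytes


def carve(image: bytes, sigs: list[Signature]) -> list[Carved]:
    """Find every header and cut the file out using no filesystem metadata.

    With a footer, the file ends at the first footer inside the max_size
    window; without one it is cut at max_size (or at the end of the input),
    which is why carved files can carry trailing bytes that were never theirs.
    """
    found = []
    for sig in sigs:
        for m in sig.header.finditer(image):
            start = m.start()
            limit = min(start + sig.max_size, len(image))
            end = limit
            if sig.footer is not None:
                f = sig.footer.search(image, m.end(), limit)
                if f is not None:
                    end = f.end()
            found.append(Carved(f"{start:08d}.{sig.ext}", start, image[start:end]))
    return sorted(found, key=lambda c: c.offset)


def audit_lines(carved: list[Carved]) -> list[str]:
    """Summary in the spirit of audit.txt: name, size and offset per file."""
    return [f"{c.name}\t{len(c.data)}\t{c.offset}" for c in carved]


# Constructed sample "partition image": filler containing no signatures, a
# fake PNG (header 'PNG' + one wildcard byte, body, footer) and a fake FLAC
# with no footer defined, so it runs to max_size / end of input.
FILLER = bytes(range(256)) * 4
PNG_FILE = b"PNG\x0dfake pixel data" + b"\xff\xfc\xfd\xfe"
FLAC_FILE = b"fLaC\x00\x00\x00\x22" + b"\x00" * 40 + b"fake audio frames"


def build_image() -> bytes:
    return FILLER + PNG_FILE + FILLER + FLAC_FILE + FILLER


if __name__ == "__main__":
    for line in audit_lines(carve(build_image(), parse_conf(SAMPLE_CONF))):
        print(line)
```

Note how the flac result includes the filler that followed it: a footer-less signature cannot know where the file ends, which is exactly why the 30 MB maximum in the config line is a ceiling on garbage as much as on file size.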

Conclusion

In this article we learned how to use foremost, a forensic program able to retrieve deleted files of various types. We learned that the program works by using a technique called data carving, relying on file signatures rather than filesystem metadata to achieve its goal. We saw an example of the program's usage and we also learned how to add support for a specific file type using the syntax illustrated in the configuration file. For more information about the program's usage, please consult its manual page.
