HOW TO RECOVER DELETED FILES IN LINUX

Have you ever gotten that horrible feeling? The one you get when you realize that you accidentally deleted files and it’s not even in the trash? Often it is immediately preceded by denial: I know I have another copy of it somewhere.

But rather than going through all the stages of grief, don’t worry. And remember you’re not alone; sooner or later everyone does this.

“Don’t worry?” you counter, “I just erased the only copy of my resume!”

No really, don’t worry. All that’s happened is that it’s been bumped off a list. So long as you don’t write onto the drive, it absolutely still exists. In fact, depending on the size of the file and the free space on your drive deleted files can persist indefinitely—even if you do write on the drive.

“Yes, fine” you say, “I’ll rest easy knowing my resume ‘exists’ in some abstract sense. But so far as I’m concerned if I can’t open, edit or print from it, it doesn’t exist in any practical sense. What would really help would be a way to ‘un-delete’ files. And one that doesn’t require an IT forensics lab.”

Really, don’t worry—you don’t need a lab to recover the deleted files. Furthermore, if you can get past using a primitive GUI, it’s actually easy to do! I’ll show you how to use TestDisk to recover deleted files.

HOW TO RECOVER DELETED FILES IN LINUX USING TESTDISK

How to recover deleted files in Linux

Let me present a simplified example: I took a clean thumb drive added some files, then deleted one. Now, my system has a feature which will directly delete files from removable media, by-passing the “trash” altogether; that is if I choose to “right” click on a file and then choose “delete”. It still presents a warning, but one click on the “yes” button and the file is gone forever. Or appears to be.

But this time I didn’t get that horrible feeling. And no, not because this is a cooked up scenario. I knew that all I had to do was open the terminal type “testdisk” and hit “enter”. When I did this for the first time I had one of my “Linux moments”. Because if you don’t have it—and I didn’t—it tells you how to get it! Just type “sudo apt install testdisk” and enter and you’ll have it in about 10 seconds.

STEP 1

You need to install TestDisk tool first. Most Linux distributions already have this tool in their official repository. In Ubuntu and other Ubuntu based Linux distributions such as Linux Mint, elementary OS etc, you can use the command below to install TestDisk:

sudo apt install testdisk

Arch Linux users can install it from AUR. You can download it for other Linux distributions from the link below:

Download TestDisk

Though I am using Ubuntu in this tutorial, this doesn’t mean it is only to recover deleted files in Ubuntu Linux. The instructions presented here works for other distributions as well.

STEP 2

Run TestDisk in the terminal using the command below:

testdisk

STEP 3

When you open it, you’ll see something that looks like this. Be patient! The interface is actually straightforward but you do have to carefully read the text. Use the arrow keys to navigate and “enter” to select.

How to recover deleted files in Linux using TestDisk
Select ‘Create a new log file’

Screens that have extra commands will tell you so. Also note that TestDisk 7.0 tends to highlight the next reasonable step. It’s almost always right but do read the screen, since it can’t read your mind. In any case, when it wants you to let it create a log file, indulge it. It’s about to pull you out of a hole.

STEP 4

Now, at this point, if you’re lucky, you should see your drive. And you can proceed to the last steps. But let’s assume you’re not, that you have, say, a multi-boot machine. In this case, ownerships can get blurry, and Testdisk needs your permission to open them. You’ll see something like this:

How to recover deleted files in Linux using TestDisk
Sometimes you may need sudo rights

Select “sudo” and enter your password. Hit “enter” and “enter” again on the next screen to create another log file.

STEP 5

This time Testdisk displays all your drives. Arrow key to the drive in question and hit enter.

How to recover deleted files in Linux using TestDisk
You’ll have to select the drive where you are looking for files

STEP 6

Testdisk has again selected the correct setting. This makes sense since a simple storage device is seldom partitioned. Again hit enter:

How to recover deleted files in Linux using TestDisk

STEP 7

And finally we have to do a little thinking to do. If you read the first screen—and I’ll bet you didn’t—this program isn’t just for recovering deleted files. It’s a powerful disk utility. But if we remember what we’re trying to do the choice is fairly obvious: we’re not trying to fix a disk, we’re trying to recover a file. Select “Advanced” and hit “enter”.

How to recover deleted files in Linux using TestDisk
Select Advanced

STEP 8

At the bottom of the page choose “Undelete” and get ready to see a ghost!

How to recover deleted files in Linux using TestDisk
Select Undelete

STEP 9

Testdisk will scan for files and produce a list of deleted files highlighted in red. Arrow down to it and carefully read the choices at the bottom.

How to recover deleted files in Linux using TestDisk

STEP 10

Again, bear in mind that Testdisk is a multi-function tool. Most of these options deal with groups of files; we only want our damn resume back! So hit “c”.

How to recover deleted files in Linux using TestDisk
Hit C to copy and thus recover the deleted file

As you can see from the scoreboard, we’ve won 1-0. After hitting “c” there are options about where you might want to recover the file to, but it defaults to your home folder. And again this is generally the best thing to do. Navigating in Testdisk is a little tricky, whereas dragging and dropping after the fact is a breeze.

A FEW TIPS ON RECOVERING DELETED FILES IN LINUX USING TESTDISK

First, if you find yourself somewhere you don’t want to be, hit “q” for quit. This won’t close the program, instead, it will act like the “back” button on a program with a full blown GUI, and put you back a page. And just like a “back” button repeating will eventually lead you back to the beginning.

Second, as with anything, the fewer the distractions, the easier it is to find what you’re looking for. In other words, physically detach all other storage drives. In graphically simple environments simplicity is your friend.

Finally, Testdisk can also help you retrieve files that have become inaccessible for other reasons. In fact, this is why I started using the program in the first place. I was trying to save files from a corrupted drive that could not be made to boot. Normally it’s simply a matter of removing said drive any hooking it up to a USB adapter. You can then mount it on another PC and copy the files where ever you want.

But what if the drive is formatted to LVM? This was my problem because a mounted LVM drive looks nothing like a normal Linux OS. None of the usual files appear, and hunting around simply doesn’t help. This, among other reasons, is because most Linux file managers can no longer read ext.2 file systems.

Nevertheless, after a few false starts, I was able to find and save the missing files. Note, however, that the sequence of steps here will be a little different, you may need to use the “analyze” option for Testdisk to make sense of the drive and you may have to poke around a little to find the “home” folder once you do. Furthermore, the files you’re looking for will not appear in red since they were never deleted in the first place. But once you do find them, the copying procedure is basically the same.

With Testdisk and a little luck, you may never lose your resume again as you can always recover deleted files in Linux.

Advertisements

Access Control Lists RHEL 7

Files and directories have permission sets for the owner of the file, the group associated with the file, and all other users for the system. However, these permission sets have limitations. For example, different permissions cannot be configured for different users. Thus, Access Control Lists (ACLs) were implemented.
The Red Hat Enterprise Linux kernel provides ACL support for the ext3 file system and NFS-exported file systems. ACLs are also recognized on ext3 file systems accessed via Samba.
Along with support in the kernel, the acl package is required to implement ACLs. It contains the utilities used to add, modify, remove, and retrieve ACL information.
The cp and mv commands copy or move any ACLs associated with files and directories.

4.1. Mounting File Systems

Before using ACLs for a file or directory, the partition for the file or directory must be mounted with ACL support. If it is a local ext3 file system, it can mounted with the following command:
mount -t ext3 -o acl device-name partition
For example:
mount -t ext3 -o acl /dev/VolGroup00/LogVol02 /work
Alternatively, if the partition is listed in the /etc/fstab file, the entry for the partition can include the acl option:
LABEL=/work      /work       ext3    acl        1 2
If an ext3 file system is accessed via Samba and ACLs have been enabled for it, the ACLs are recognized because Samba has been compiled with the --with-acl-support option. No special flags are required when accessing or mounting a Samba share.

4.1.1. NFS

By default, if the file system being exported by an NFS server supports ACLs and the NFS client can read ACLs, ACLs are utilized by the client system.
To disable ACLs on NFS shares when configuring the server, include the no_acl option in the /etc/exports file. To disable ACLs on an NFS share when mounting it on a client, mount it with the no_acl option via the command line or the /etc/fstab file