Data Recovery Techniques on Linux

When one of my friends called telling me that he had accidentally deleted some important files from his drive, his exasperation was understandable. It happens to everyone at some point of their computer-using lives. Unfortunately, in his case, those were some extremely important documents that, had he not recovered them, could have proven very costly.

Fortunately, I managed to guide him through the process of recovery, and now, I'm going to guide you too.

What happens when a file is deleted?

Data stored in files has a table of contents which indicates the storage location for each file on the drive. When we remove or delete a file the file goes into the trash. Files removed using rm command can be easily recovered.

Removal/Deletion of a file leads to the removal of only of the table of contents. This states that now the space from which the file is removed is ready for new data to be stored; so while in the case of new data having been written over that space the recovery of the old data becomes difficult. But, if there is no new data written there, we can still recover it.

First, let's go through a few Dos and Don'ts .

DO's and Don'ts when a file is lost

Don'ts:

  • Do not write any data on the device.

  • Do not mount or use any random recovery software

  • Do not use any software to recover the data if you don't have a complete understanding of it.

Do's:

  • Shutdown the system immediately.

  • Reboot the system with a CD or with a live version of Linux running on a thumb device.

  • Do use the below mentioned tools.

There are various tools which can be used for data-recovery.

Here are some trusted tools that can be used:

  • Extundelete

  • PhotoRec

Extundelete Utility:

The extundelete utility is used for the recovery of an ext3 and ext4 linux partition. The utility uses the information stored in the partition journal to recover the data.

Recovering the File :

Prerequisites : Install the binary and development packages for e2fsprogs and e2fslibs.

Download the latest version of extundelete.

Copy the package to the /opt .

tar –zxjf extundelete-version.tar.bz2
cd extundelete-version
./configure
make install

  • Steps how to use extundelete to recover a file :

  1. We need to recover a file /home/jack/important/file1.

  2. The output of the mount command shows the below output.

/dev/sda4 on /home type ext3 (rw)

  1. Now use the command as below

umount /dev/sda4

  1. Now run the below extundelete command as follows.

extundelete /dev/sda4 –restore-file jack/important/file1

PhotoRec Sotware :-

This software is used to restore files with extensions such as ZIP, Office, PDF, HTML, JPEG and 390 other file extensions. Photorec completely ignores the partition but it does focus on the underlying data. This states that it does work even if the device has been damaged . It works only with read only access.

While using photorec you may restore the data at the following locations.

  • Recovering files to a separate hard-drive.

  • Recovering data to a network drive

  • Recovering data to a separate partition on the same hard drive.

Installation of the PhotoRec Software:

  1. Download the software from the mentioned link http://www.cgsecurity.org/wiki/TestDisk_Download

  2. Unpack the software to the directory where it has copied to .

  3. Untar the software.

  4. Use the below command to install the software

sudo ./photorec_static

This will help you launch PhotoRec and retrieve the data then.

In the end, there are many data recovery tools. Various other companies have developed tools to recover the data. But you should use them only if have a good knowledge of how they work and the process of using them.

If you are novice please do your research, or consider getting some professional help (such as in the case of my friend) so that you may not lead into any other disasters with your system. Data recovery can be dangerous, and as with anything, prevention is the best cure ? so back-up!

Share this page:

3 Comment(s)