File Recovery
Restoring Deleted Files in Linux
![© Gernot Krautberger, Fotolia](/var/linux_magazin/storage/images/online/features/restoring-deleted-files-in-linux/restore_deleted_files/755139-1-eng-US/Restore_Deleted_Files_medium.jpg)
© Gernot Krautberger, Fotolia
If you thought that you couldn’t restore deleted files in Linux, you didn’t get the whole truth. The truth will set you free and possibly recover those deleted files.
Special Thanks: This article was made possible by support from Linux Professional Institute
It is common knowledge that once you remove a file on a *nix filesystem, it’s gone—gone forever, and you can’t get it back. Well, that’s not exactly true anymore, and I’m not 100 percent convinced that it ever was true, but that’s a whole separate discussion. There are some effective methods for recovering files on all filesystems, including *nix ones. This article covers one of those methods, which uses the forensics tool Foremost. That’s right, we have to turn to one of the “pro” methods for restoring files. Foremost can restore certain file types based on their headers, footers, and internal data structures rather than on filesystem metadata. Foremost is a forensics tool used by law enforcement to restore deleted files, but it is freely available for anyone to use.
Foremost restores a somewhat limited list of files that includes some document types, zipped files, sound files, graphics images, C source, OLE files, and some movie formats. These types of files are the ones that are most targeted by law enforcement and associated with illegal activity.
Installation
Red Hat, CentOS, and Fedora users will have to first add the RepoForge repository and then install it with:
$ sudo rpm -Uvh http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el7.rf.x86_64.rpm
$ sudo yum -y install foremost
This also installs the necessary dependencies for Foremost.
On Debian-based systems, the installation is easy:
$ sudo apt install foremost
Note: On my Ubuntu 18.04 system, apt install foremost didn’t work, so I had to work around the issue by doing the following:
$ wget http://launchpadlibrarian.net/205815060/foremost_1.5.7-6_amd64.deb
$ sudo dpkg -i foremost_1.5.7-6_amd64.deb
Usage
To demonstrate how Foremost works, I have removed (deleted) one of my files (MAZ1.jpg) from my home directory:
$ rm MAZ1.jpg
Before you run Foremost, you should have a separate partition or external disk to use for file recovery. If you don’t, then there’s a chance that your recovered files will be overwritten, and you won’t be able to recover anything. This is also why you should attempt recovery as soon as you realize (or the file’s owner realizes) that a file has been errantly removed. A very busy filesystem that is also low on available disk space might yield no results, although it’s worth a try.
In the following command, I run foremost on the partition containing the deleted file, which is /dev/sda2, and designate /recover as the output location. My /recover directory is actually an additional 1GB disk that I set up specifically for file recovery.
$ sudo foremost -t jpg /dev/sda2 -o /recover
Processing: /dev/sda2
|**************************************************************************|
You can now browse the /recover directory, which contains two entries: audit.txt and a jpg directory. In the jpg directory, you find every JPG-type file carved from /dev/sda2. In my case, there are 244 of them, which is unfortunate because ordinarily I’d have to look at each file individually to find the one I’m interested in recovering. This time I know the approximate size of the file, which is 2.4MB. You have to list these files using sudo because the jpg directory is only executable by root, meaning that regular users cannot cd into it (Listing 1).
Listing 1
Listing Files with sudo
$ sudo ls -lS /recover/jpg
total 44096
-rw-r--r-- 1 root root 9659197 Sep 3 17:24 15564800.jpg
-rw-r--r-- 1 root root 3613391 Sep 3 17:24 15613952.jpg
-rw-r--r-- 1 root root 3563772 Sep 3 17:24 15593472.jpg
-rw-r--r-- 1 root root 3085681 Sep 3 17:24 15556608.jpg
-rw-r--r-- 1 root root 2975375 Sep 3 17:24 15585280.jpg
-rw-r--r-- 1 root root 2880578 Sep 3 17:24 15540224.jpg
-rw-r--r-- 1 root root 2794666 Sep 3 17:24 15622144.jpg
-rw-r--r-- 1 root root 2463714 Sep 3 17:24 19415032.jpg
-rw-r--r-- 1 root root 2313724 Sep 3 17:24 15601664.jpg
-rw-r--r-- 1 root root 1977539 Sep 3 17:24 15609856.jpg
The file, 19415032.jpg, is the one of interest and has been recovered. I can copy this file back to its original location and change its permissions so that the original file owner has access to it.
I then removed a document file, ATP.doc, and attempted recovery:
$ rm ATP.doc
$ sudo foremost -t doc /dev/sda2 -o /recover
Processing: /dev/sda2
|**************************************************************************|
However, this time, there was no doc directory under /recover. The audit file output is shown in Listing 2.
Listing 2
Audit File Output
$ sudo cat /recover/audit.txt
Foremost version 1.5.7 by Jesse Kornblum, Kris Kendall, and Nick Mikus
Audit File

Foremost started at Tue Sep 3 19:27:07 2019
Invocation: foremost -t doc /dev/sda2 -o /recover
Output directory: /recover
Configuration file: /etc/foremost.conf
------------------------------------------------------------------
File: /dev/sda2
Start: Tue Sep 3 19:27:07 2019
Length: 9 GB (10734272512 bytes)

Num  Name (bs=512)  Size  File Offset  Comment

Finish: Tue Sep 3 19:27:52 2019

0 FILES EXTRACTED

------------------------------------------------------------------

Foremost finished at Tue Sep 3 19:27:52 2019
So, you see that Foremost is not always successful when asked for a particular file type. Some file types, such as Microsoft Office documents, are better recovered as OLE files:
$ sudo foremost -t ole /dev/sda2 -o /recover
Processing: /dev/sda2
|**************************************************************************|
This time recovery was successful. Knowing the approximate file size is a big help in determining the file of interest that was successfully recovered. My file was approximately 6MB in size; of the 39 extracted files, only one fits that profile: 19611640.ole. I renamed the file as ATP.doc and opened it to see that the file had indeed been recovered.
More Information
Check SourceForge and the Foremost man page for more information on usage and examples. My examples are generic but very useful. There are a few extra switches (options) that you can use, such as -v for verbose mode, which is recommended. You can also simply perform an audit without extracting any files with the -w switch.
Also note that you can customize the /etc/foremost.conf file to include other file types for recovery. Many of the entries already in the configuration file correspond to the types Foremost recovers by default. Using the current entries as templates, you can add new entries for additional file types.
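As an added example (not the article’s or Foremost’s own code), the following Python sketches what Foremost does with the header/footer entries in /etc/foremost.conf: it parses a couple of entries written in that file’s column layout, carves every hit out of a raw image without touching filesystem metadata, and shortlists candidates by expected size the way the article does by hand with ls -lS. Assumptions: the conf columns are extension, case sensitivity, maximum size, header and optional footer; a hit with no footer is cut at the maximum size; wildcards and the other conf options are left out.

```python
def parse_conf(text):
    """Parse lines in the foremost.conf column layout into
    (ext, max_size, header, footer-or-None) rules."""
    def to_bytes(s):
        return bytes.fromhex(s.replace("\\x", ""))
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        footer = to_bytes(parts[4]) if len(parts) > 4 else None
        rules.append((parts[0], int(parts[2]), to_bytes(parts[3]), footer))
    return rules


def carve(image, rules):
    """Return [(ext, offset, data)] for every header hit in a raw image.
    No filesystem metadata is consulted: a deleted file is found as long
    as its bytes have not been overwritten, which is why speed matters."""
    found = []
    for ext, max_size, header, footer in rules:
        off = image.find(header)
        while off != -1:
            end = off + max_size            # no footer: cut at max_size
            if footer is not None:
                f = image.find(footer, off + len(header), end)
                if f != -1:
                    end = f + len(footer)  # footer inside the window: cut there
            found.append((ext, off, image[off:end]))
            off = image.find(header, end)
    return found


def pick_by_size(found, ext, approx, tolerance=0.2):
    """Shortlist hits of one type near an expected size (the manual step
    of scanning ls -lS output for a file of roughly the right size)."""
    lo, hi = approx * (1 - tolerance), approx * (1 + tolerance)
    return [(e, off) for e, off, d in found if e == ext and lo <= len(d) <= hi]


# Constructed sample input: two conf entries (max sizes shrunk to fit a toy
# image) and a tiny "disk" holding a JPEG with its footer and an OLE file
# without one. Offsets stand in for the block-offset names Foremost uses.
CONF = r"""# ext  case  max_size  header                    footer
jpg    y     40        \xff\xd8\xff\xe0\x00\x10  \xff\xd9
ole    y     24        \xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1
"""
JPG = b"\xff\xd8\xff\xe0\x00\x10" + b"J" * 14 + b"\xff\xd9"   # 22 bytes
OLE = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"O" * 30        # no footer
IMAGE = b"\x00" * 100 + JPG + b"\x00" * 50 + OLE + b"\x00" * 50
HITS = carve(IMAGE, parse_conf(CONF))   # [('jpg', 100, ...), ('ole', 172, ...)]
```

The OLE hit comes out exactly max_size bytes long because nothing marks its end, which is why knowing the approximate size of the original file is so useful when sorting through the carved output.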