How to Recover a Deleted File in Linux?
Last Updated :
15 Sep, 2024
We all have often faced a problem where we have accidentally deleted some files in Linux, that we regretted deleting later on after we did not even find it in the trash. But what if we can recover them? Here, we will discuss How we can recover a Deleted File in Linux.
Whenever we delete something from our system, it does not actually get deleted, till that space gets overwritten by something else in the disk. You can also read about how to securely delete any files permanently.
Best Methods to Recover Deleted Files in Linux
The best way to Recover a Deleted File in Linux is as follows:
1. Unmounting the Drive:
Unmounting a device immediately after we realize we’ve deleted important files is the best option to prevent the data blocks of the deleted files from being overwritten with other data.
- At 1st Shut down the system, and do the recovery process by booting from a Live CD/USB
- Search the partition that contains the file you deleted, for example- /dev/sda1
- Recover the file (make sure you have enough space)
Sometimes an open file is deleted accidentally, in that case, lsof command is a life-saving command to recover that file.
A copy of the file is recreated with the help of lsof command before the file is being closed by the application holding it open. This happens because the inode is still active, so the data blocks are still on the disk until the application holding it open closes it.
Step 1: Make a test file inside the /tmp directory
touch /tmp/test
Step 2: Run something that will hold the file open:
tail -f /tmp/test &
Note: Here the number is 8561 but in your case, it might be different so use the commands accordingly.
Step 3: List the process for confirming the open process
ps -ef | grep 8561 | grep -v grep
Step 4: Manually just delete the file and try listing the file, you will be shown an error message because it has been deleted
$ rm /tmp/test
$ ls -l /tmp/test
So now we are sure that the file is actually deleted, lets now try to recover it with the help of lsof command.
Step 5: For displaying the open file descriptor of the process use lsof command
$lsof | grep -i test
The PID of the process that is holding that file open is displayed in the second column.
Step 6: Now we have to locate the open file descriptor in /proc directory
$ls -l /proc/8561/fd/3
Step 7: Now the open file (that was deleted but opened by some other process) can be copied back to its original location i.e., under /tmp. After that, you can also rename it by its original name
$ cp /proc/8561/fd/3 /tmp/
$mv /tmp/3 /tmp/test
$ ls -l /tmp/test
Now you are done recovering the file, that you thought to be lost forever.
Foremost is a forensic tool that comes more or less pre-installed in kali Linux but if it is not there, you can install it from the command line. The foremost tool is used to recover deleted files from hard disk, memory card, pen drive, etc.
This tool uses a process called File Carving for recovering data.
For recovering a deleted image use the following command:
sudo foremost -v -q -t png -i /dev/sda1 -o ~/test
Where '/dev/sda1' is the underlying partition where '/boot' resides and where '/home/tithi/Downloads/gg' is a directory on a separate disk where the recovered file will be located(don't recover the files on the same drive where the removed ones were located, it might fail to recover anything). A lot of files will be get recovered together and the recovered name file won't be similar to the original one.
Conclusion
Accidentally deleting files in Linux doesn't have to be a permanent loss. By using tools like unmounting, lsof, and Foremost, you can recover your files with a good chance of success, provided you act quickly and follow best practices to prevent overwriting. Here we have covered several methods to recover deleted files in Linux, offering detailed steps and examples to help you through the process. Whether you are dealing with critical data or just everyday files, these techniques can help you retrieve what you thought was lost forever.
Similar Reads
How to Delete Files in Linux?
Linux comes with several tools that can assist us in removing Directories and files. We always need to delete many files and folders based on a set of requirements. To complete our mission quickly, knowing a few basic commands and their variations is beneficial. Use caution when using the commands b
6 min read
How to Recover Deleted Files Using Foremost in Linux?
Foremost is a digital forensic application that is used to recover lost or deleted files. Foremost can recover the files for hard disk, memory card, pen drive, and another mode of memory devices easily. It can also work on the image files that are being generated by any other Application. It is a fr
3 min read
How to Open a File in Linux​
In Linux, a file is a fundamental unit of storage, representing everything from documents and images to system logs and program data. Unlike traditional operating systems, Linux treats almost everything—files, directories, devices, and processes—as a file. Whether you're accessing a simple text docu
6 min read
How to Run a File in Linux
The command line is one of the most powerful tools in Linux. It allows you to execute commands, manage files, and automate tasks all from a single terminal window. One common task you'll often need to do is run a file, whether it’s a script, a compiled program, or even a text file. In this article,
6 min read
How to Create File in Linux
Today, we're going to learn about something really important – how to create files in Linux. It's like creating a fresh piece of digital paper to write or store things. We'll explore different ways to do this using simple commands. Whether you're just starting out or have been using Linux for a bit,
7 min read
How to Recover Deleted Photos from an iPhone
In the computer age, we rely on our phones to capture and store precious memories. But what if you accidentally delete or lose your photos on your phone? It can be really depressing and annoying, isn't it? Well, you don't have to worry if you lose your photos on your iPhone as there are numerous way
7 min read
How to Move File in Linux | mv Command
The `mv` command in Linux is like a superhero tool that can do a bunch of cool stuff with your files and folders. Think of it as a digital moving truck that helps you shift things around in your computer. Whether you want to tidy up your folders, give your files new names, or send them to different
7 min read
How to Remove Deleted Files from a Git Repo?
Managing files in a Git repository often involves adding, modifying, and deleting files. However, sometimes files are deleted from the disk but remain tracked in the repository. To keep your repository clean and in sync with your working directory, you need to remove these files from the repository
3 min read
How to Create a VIM File in Linux CMD
In Linux, there are many ways to open and create files, but Vim stands out as a powerful and versatile text editor. It comes pre-installed on most Linux systems and allows you to create, edit, and manage files directly from the terminal.In this article, we will explain you, how to create a new file
3 min read
How to Remove Directory in Linux
In Linux, directories are used to organize files and other directories into a hierarchical structure. Just like folders in Windows, directories in Linux can contain files, other directories, and links. Removing directories in Linux is a common task that you might need to perform as you manage files
5 min read