When you delete a file on a Linux system, it may not disappear forever, especially if you have deleted it recently.
Unless you erase it with tools such as shred, the data will still be on your disk, and testdisk, one of the best tools to recover deleted files, can help you rescue it. Although testdisk has a wide range of functions, including recovering lost or damaged partitions and restarting non-bootable disks, it is often used to recover files that have been accidentally deleted.
In this article, we will take a look at how to use testdisk to recover deleted files and what each step in the process is like. Because this process requires a lot of steps, after you do it a few times, you may find it easier to run.
1. Install testdisk
Use commands such as apt install testdisk or yum install testdisk to install testdisk. Interestingly, it is not only a Linux tool, but also works on MacOS, Solaris and Windows.
2. Recovering files
First, you must log in as root or have sudo permission to use testdisk. If you don't have sudo access, you will be kicked out.
When you use testdisk to restore deleted files, you will eventually restore the files in the directory form where you started the tool, and these files will belong to root. For this reason, I like to start in a directory like /home/recovery. Once the files are successfully restored and verified, they can be moved back to where they belonged and their ownership restored.
Make sure you can write in the selected start directory.
$ cd /home/recovery
$ testdiskThe first page of information provided by testdisk describes the tool and shows some options. At least initially, creating a log file is a good idea because it provides information that may prove useful. Here is how to do it.
Use arrow keys to select, then press Enter key:
>[ Create ] Create a new log file
[ Append ] Append information to log file
[ No Log ] Don’t record anythingThe> on the left and the inversion of the font and background color you will see show the options that will be used after pressing the Enter key. In this example, we chose to create a log file.
You will then be prompted for a password (unless you have used sudo recently).
The next step is to select the disk partition (if not highlighted) where the deleted files will be stored. Use the up and down arrow keys to move to it as needed. Then click the right arrow twice and press Enter when "Continue" is highlighted.
Select a media (use Arrow keys, then press Enter):
Disk /dev/sda - 120 GB / 111 GiB - SSD2SC120G1CS1754D117-551
>Disk /dev/sdb - 500 GB / 465 GiB - SAMSUNG HE502HJ
Disk /dev/loop0 - 13 MB / 13 MiB (RO)
Disk /dev/loop1 - 101 MB / 96 MiB (RO)
Disk /dev/loop10 - 148 MB / 141 MiB (RO)
Disk /dev/loop11 - 36 MB / 35 MiB (RO)
Disk /dev/loop12 - 52 MB / 49 MiB (RO)
Disk /dev/loop13 - 78 MB / 75 MiB (RO)
Disk /dev/loop14 - 173 MB / 165 MiB (RO)
Disk /dev/loop15 - 169 MB / 161 MiB (RO)
>[Previous] [ Next ] [Proceed ] [ Quit ]In this example, the deleted file is in the main directory of /dev/sdb.
At this point, testdisk should have selected the partition type.
Disk /dev/sdb - 500 GB / 465 GiB - SAMSUNG HE502HJ
Please select the partition table type, press Enter when done.
[Intel ] Intel/PC partition
>[EFI GPT] EFI GPT partition map (Mac i386, some x86_64...)
[Humax ] Humax partition table
[Mac ] Apple partition map (legacy)
[None ] Non partitioned media
[Sun ] Sun Solaris partition
[XBox ] XBox partition
[Return ] Return to disk selection
在下一步中,向下箭头指向"[ Advanced ] Filesystem Utils"。
[ Analyse ] Analyse current partition structure and search for lost partitions
>[ Advanced ] Filesystem Utils
[ Geometry ] Change disk geometry
[ Options ] Modify options
[ Quit ] Return to disk selectionNext, view the selected partition.
Partition Start End Size in sectors
> 1 P Linux filesys. data 2048 910155775 910153728 [drive2]Then press the right arrow to select [List] at the bottom and press the Enter key. [ Type ] [Superblock] >[ List ] [Image Creation] [ Quit ]
Note that it looks like we started with /, but this is actually the basis of the file system we are working on. In this example, it is /home.
Directory / <== starting point
>drwxr-xr-x 0 0 4096 23-Sep-2020 17:46 .
drwxr-xr-x 0 0 4096 23-Sep-2020 17:46 ..
drwx——— 0 0 16384 22-Sep-2020 11:30 lost+found
drwxr-xr-x 1008 1008 4096 9-Jul-2019 14:10 dorothy
drwxr-xr-x 1001 1001 4096 22-Sep-2020 12:12 nemo
drwxr-xr-x 1005 1005 4096 19-Jan-2020 11:49 eel
drwxrwxrwx 0 0 4096 25-Sep-2020 08:08 recovery
...Next, we arrow to the specific home directory.
drwxr-xr-x 1016 1016 4096 17-Feb-2020 16:40 gino
>drwxr-xr-x 1000 1000 20480 25-Sep-2020 08:00 shsPress the Enter key to move to the directory, and then select the subdirectory with the down arrow as needed. Note that if you make a mistake, you can select... near the top of the list to make a backup.
If you can't find the file, you can press / (just like when you start searching in vi), and you will be prompted to enter the file name or part of it.
Directory /shs <== current location
Previous
...
-rw-rw-r— 1000 1000 426 8-Apr-2019 19:09 2-min-topics
>-rw-rw-r— 1000 1000 24667 8-Feb-2019 08:57 Up_on_the_Roof.pdfOnce you find the file you need to recover, press "c" to select it.
Note: You will see useful instructions at the bottom of the screen.
Use Left arrow to go back, Right to change directory, h to hide deleted files
q to quit, : to select the current file, a to select all files
C to copy the selected files, c to copy the current file <==At this time, you can select the location to restore the file in your home directory (see the previous instructions on starting to check in a good place before moving the file back to the original point). In this case, the /home/recovery directory has no subdirectories, so this is our recovery point.
Note: You will see useful instructions at the bottom of the screen.
Please select a destination where /shs/Up_on_the_Roof.pdf will be copied.
Keys: Arrow keys to select another directory
C when the destination is correct
Q to quit
Directory /home/recovery <== recovery locationOnce you see the green "Copy done! 1 ok, 0 failed", it means the file has been restored.
The files in this example are left in /home/recovery/shs (the starting directory, plus the selected directory).
Before moving the file back to its original location, you should probably verify that the restored file looks correct. Make sure you also restore the original owner and group, because the file will be owned by root at this time.
Note: For many points in the file recovery process, you can use quit (q or [Quit]) to back up one step. You can also choose the exit option to go back to the first step in the process, or choose ^c to exit immediately.
Recovering files with testdisk is relatively easy, but somewhat complicated. You can practice before this type of situation occurs, so as not to be rushed when there is a real problem. A5 interconnecthttps://www.a5idc.net/