Fatmawati Achmad Zaenuri / Shutterstock
Have you ever deleted a file and immediately regretted it? You need it back, and fast! But what if the file is so new that it hasn’t been backed up yet? Fortunately, you can fix it.
rm: Abbreviation of Remorse?
It is too easy to use the rm command and you find yourself staring at a terminal window with a growing sense of regret. A little mistake with the wildcards, and you can erase a lot more than you expected.
The default Linux file system, ext4 uses inodes to contain data about each file and an inode table to keep track of inodes. The inode contains metadata about the file, such as its name, owner, permissions, etc.
It also contains entry points to hard links that point to the file. Each file has at least one hard link. Each time you create a new hard link, the number of hard links increases by one. Each time you delete a hard link, the number of hard links in the inode is reduced by one.
When you delete a file that the inode marked as unused (and ready to be reused), the last hard link is deleted. In this case, the file will not appear in the directory listings and cannot be used or accessed.
However, the data that makes up the contents of the file is still present on the hard drive. If you could patch the inode to contain the correct information, the file would be restored. Of course, this will only work if the data that makes up the file on the hard drive remains intact and is not overwritten.
You can also create a new inode, copy the remaining data from the old inode, and then replace the missing bits.
These are non-trivial activities. Usually, when you delete a file by mistake, it’s at the worst possible time. Always when you need this file, and you need it now. You don’t have time to mess with sector editors and other utilities. Also, if this is a file you just created, it probably hasn’t been backed up yet, so that won’t help you either.
This is where testdisk comes in. It is easy to use and does not require detailed, low level file system knowledge. Let’s see how to use it!
RELATED: Everything you always wanted to know about inodes in Linux
Installing testdisk
To install testdisk on Ubuntu, use this command:
sudo apt-get install testdisk
On Fedora, you have to type:
sudo dnf install testdisk
On Manjaro, you must use pacman:
sudo pacman -Sy testdisk
Using testdisk
Although it works in a terminal window, testdisk has a rudimentary interface. You use the arrow keys to navigate and Enter to make a selection. To keep things tidy, it is best to create a directory for the restored files.
We type the following to create a directory called “restored” for our restored files:
mkdir restored
We type the following to switch to the new directory and start testdisk from there:
cd restored /
We need to use sudo with testdisk, so we type the following:
sudo testdisk
The first question asked by testdisk is about logging. It can create a new log file, use an existing file, or save nothing at all. It doesn’t matter which option you choose; this will not affect the operation of testdisk.
You can simply press Enter to accept the highlighted option and create a new log file. It will be created in the directory from which you started testdisk. When you make your selection, testdisk asks you which hard drive contains the file system you want to work on.
It lists the hard drives it can find, as well as the squashfs “/ dev / loop” files. There will be one for every app you installed in the blink of an eye. They are read-only, so you shouldn’t have successfully removed anything from these file systems.
There is only one physical hard drive in this test computer. So we used the down arrow to highlight the “/ dev / sda” option. We then used the right arrow to select “Continue” and hit enter.
testdisk must also know the type of partition. It presents a menu of options, as well as the partition type automatically detected at the bottom.
Unless you have a good reason not to, highlight the type of partition that is automatically detected, then press Enter.
From the function menu that appears, highlight “Advanced” and then press Enter.
The partition selection menu will appear.
The files we are looking for are in the Linux file system partition. We only have one Linux partition on our hard drive, but you could have more.
Select the partition where your files were located, use the left and right arrow keys to select “List,” then press Enter. The file selection menu will appear.
Use the up and down arrows or the PgUp and PgDn keys to browse the list of files and directories. Press the right arrow or Enter to enter a directory, and the left arrow or Esc to exit a directory.
We are looking for files owned by Dave. The files for all user accounts are located in the “Home” directory. So, we highlight the “Home” directory, and then we can press the right arrow or Enter to enter that directory.
All user accounts are then listed for us. We highlight dave, then press the right arrow or enter to access that directory.
Now we can see the files that belong to the dave account. Entries in red have been deleted. We navigate through files and directories until we find the files we want to recover.
To recover a file, simply highlight it, then press c (lowercase).
The display changes and tells you to choose a destination for the recovered file. Because we’ve created a directory called “Restored” and started testdisk from it, the first entry in the list (.) Is this directory. To recover this deleted file in this directory, we press C (upper case).
When this is done, you will return to the file selection display. If you want to recover more files, just repeat the process. Highlight a deleted file, press c (lowercase) to copy it, then press C (upper case) to recover it.
Work with restored files
After you restore a file, the directory tree to its original location is rebuilt, which is useful as it reminds you where on the hard drive the original file was located. This means that if you need to copy it back, you know where to put it.
If you are recovering a number of files from different file system locations that have the same file name, they will need to be stored separately anyway.
You can type the following to see the contents of the “Restored” directory:
ls
If you asked testdisk to create a log file, it will be in the “Restored” directory. Since our recovered files were located in “/ home / dave”, they were copied to our “Restored” directory, nested in directories of the same name.
We can change to the copied “dave” directory using cd. Make sure you don’t include a forward slash (/) in the path. You want to switch to the local “home” and not to the “/ home” system.
We type the following:
cd home / dave
The recovered files are in this directory, so we type:
ls
Let’s take another look at the files recovered using the -l (long list) option:
ls -l
Because we used sudo to run testdisk, the recovered files were restored with “root” as the owner. We can change the owner to “dave” using chown:
sudo chown dave.dave *
We type the following to make sure the correct property has been restored:
ls -l
testdisk: Emergency code
That feeling of relief after recovering an important file that just a moment ago felt hopelessly lost is something you will always enjoy.
This is why testdisk is such a handy utility. Once you’ve gone through the menus and can start restoring files, it’s easy to fall into a rhythm of highlight, c, C, repeat.