
Recovering Deleted Files on a Linux System

February 4, 2011

Sometimes you lose files on a system, lose them as in DELETE them. Many people think there is no way to get the files back, OR that they would have to use some expensive software to do so. But in Linux this can be achieved very easily. I will list two ways here, and I will also ask the Linux community two questions. Let's start:

First Way:
1- Under root you have the /proc directory, which contains one directory per running process, named after its process ID. Each file you create resides in an iNode and has a reference to it. The reference is the file/folder/directory name which you delete. So you never delete the actual iNode, you only delete the reference, although it looks to you as if you have deleted the file from your system altogether. As long as a process still has the file open, the iNode and its data stay available.
2- A process that has the file open holds a file descriptor for it, and the process ID together with the file descriptor can be used to recover the file. So how do you find the process ID for the file you just deleted? Here is the command for it:

lsof | grep "your_deleted_file_name_with_location"

This will list the following as output:

less 14675 zombie 4r REG 8,1 21 5127399 /home/zombie/test_file (deleted)

The second column is the Process ID, i.e. 14675 in my case. The fourth column lists the file descriptor, i.e. 4 in my case (the trailing r means the file is open for reading).

3- Now that you know the Process ID and file descriptor, let's copy the file from the iNode to your preferred location by running the following command:

cp /proc/14675/fd/4 recovered_file

So you just created a new file called recovered_file which contains the contents of the file that you deleted.
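
The lsof and cp steps above can also be done by reading /proc directly, which covers every process holding the deleted file open, not just one. This is an added example, not part of the original post; the function names list_deleted and recover_deleted are made up for illustration, and it assumes Linux with /proc mounted and enough privileges to read the other processes' fd directories.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes Linux procfs on /proc.
# Paths containing newlines are not supported.

# list_deleted PATTERN
# Print "PID FD PATH" for every open descriptor whose target has been
# unlinked and whose original path contains PATTERN (matched literally).
list_deleted() {
    for link in /proc/[0-9]*/fd/*; do
        # Unreadable or already-closed descriptors make readlink fail: skip.
        target=$(readlink "$link" 2>/dev/null) || continue
        case $target in
            *"$1"*" (deleted)")
                pid=${link#/proc/}
                printf '%s %s %s\n' "${pid%%/*}" "${link##*/}" \
                    "${target% (deleted)}"
                ;;
        esac
    done
}

# recover_deleted PATTERN OUTDIR
# Copy each match to OUTDIR/PID_FD_NAME and print the destination paths.
# The PID_FD prefix keeps copies apart when several processes hold the
# same file, or when different deleted files share a base name.
recover_deleted() {
    mkdir -p "$2" || return 1
    list=$(mktemp) || return 1
    list_deleted "$1" > "$list"
    while read -r pid fd path; do
        dest="$2/${pid}_${fd}_${path##*/}"
        # The holder may exit between the scan and the copy; skip it then.
        cp "/proc/$pid/fd/$fd" "$dest" 2>/dev/null && printf '%s\n' "$dest"
    done < "$list"
    rm -f "$list"
}
```

For the file from the lsof output above, `recover_deleted /home/zombie/test_file RECOVERED` would write RECOVERED/14675_4_test_file.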

Now I have a question for the experts: is it possible to recover the files without zombie-ing them?

Second Way (Easy):
1- You can use the scalpel utility to recover your files. It can scan up to 16 EB (Exabytes) of disks in one go.
2- I will use Ubuntu 10.04 and install it with

sudo apt-get install scalpel

3- Now open its configuration file located in /etc/scalpel/scalpel.conf
4- Uncomment, i.e. remove the # character from the start of the line, the extensions that you want scalpel to search for among the DELETED files. OR simply read the whole configuration file (it is a small one) in order to understand what I am saying.
5- Now create a directory somewhere and name it RECOVERED. This directory will hold all the recovered files i.e. scalpel will save all the files that were deleted in this directory.
6- Now use the following command to reclaim/recover all the deleted files of the extensions that you selected

sudo scalpel /dev/sda -o RECOVERED

7- After the scanning process is over, open the RECOVERED directory and check to see your recovered files.

Some Questions for Experts:
1- If I delete a file in Windows and try to recover it in Linux, would I be able to do that?
2- How will scalpel and recovery of files work in a virtualized environment, e.g. Amazon EC2 Cloud?

Have a nice time.
Cheers

Categories: Amazon AWS, Linux, Linux tools