How to recover deleted files in Linux with testdisk


If you’ve had files deleted by a hacker or you’ve accidentally removed them, Jack Wallen shows you how to recover that missing data with a handy tool called testdisk.

linuxhero.jpg

Image: Jack Wallen

It’s cybersecurity awareness month. Do you know where your deleted files are? If you’re on a Linux server, those magically vanished files might be quite the elusive little gremlins. 

There are a number of ways files get deleted. You might have accidentally used the rm command or maybe a hacker gained access to your system and deleted any number of files. No matter why or how they vanished, you need them back. What do you do?

First off, you don’t panic. This is Linux and there’s always a tool to help you out–one such tool is testdisk. Although this particular piece of software has a few tricks up its sleeve (such as recovering entire partitions), one of the really handy aspects is its ability to recover deleted files.

I’m going to show you how to do just that. I’ll demonstrate on Ubuntu Server 20.04. That alone should give you an indication that testdisk is a command line tool. Fear not, those of you who aren’t exactly comfortable with the command line, testdisk is quite easy to use once you know your way around it.

SEE: Linux file and directory management commands (TechRepublic Premium)

What you’ll need

How to install testdisk

Since testdisk is found in the standard repositories, the installation is quite easy. For example, on our Ubuntu Server 20.04 instance, the installation command would be:

sudo apt-get install testdisk -y

If you’re on a CentOS machine, that command would be:

sudo dnf install testdisk -y

That’s all there is to the installation.

How to recover files with testdisk

The one tricky part to using testdisk is that it not only requires sudo or root privileges, it will recover files in a new directory with the same name as the directory they were found in. Because of that, it’s probably best that you create a new directory to house the recovered files. First create a recovery directory with the command:

mkdir ~/recovery

Change into that newly-created directory with the command:

cd ~/recovery

Now run the testdisk command like so:

sudo testdisk

In the first window you must select if you want to create a new log, append to a previous log, or skip the log process (Figure A). This choice is up to you and will not impact testdisk’s ability to recover your files.

Figure A

testdiska.jpg

To create a log or not to create a log, that is the question.

Use your arrow keys to make your selection and hit Enter on your keyboard. 

In the next window, you must select the drive for the tool to search (Figure B).

Figure B

testdiskb.jpg

Select the drive that once housed those files.

Make your selection and hit Enter.

In the resulting screen, select the type of partition map for the drive–most likely this will be an EFI GPT partition table (Figure C).

Figure C

testdiskc.jpg

Selecting the partition type for your drive.

Make your selection and hit Enter on your keyboard.

Next, select Advanced and hit Enter on your keyboard (Figure D).

Figure D

testdiskd.jpg

We need to access the advanced testdisk tools.

In the Advanced screen, make sure to first select the partition to be used, and with your arrow keys, select List (Figure E). 

Figure E

testdiske.jpg

The testdisk Advanced screen.

In the resulting window, navigate to the directory that originally housed the deleted file and you’ll finally see said file listed in red (Figure F). Select that file and hit c on your keyboard to copy the file.

Figure F

testdiskf.jpg

Any deleted file will show up in red.

Once you copy the file, you’ll find yourself in a new window where you can select where to locate the copied file (Figure G).

Figure G

testdiskg.jpg

Locating a new house for the recovered file.

Select the top entry and in the next window, use your arrow keys to select the recovery directory and hit C (notice the cap C) on your keyboard (Figure H).

Figure H

testdiskh.jpg

Selecting the recovery directory to house the recovered files.

Once the files have copied, hit q three times and, using your arrow keys, select Quit and hit Enter on your keyboard (Figure I).

Figure I

testdiski.jpg

Time to quit testdisk and relocate the recovered file.

You’ll have to once again select Quit to finally exit the testdisk program (Figure J).

Figure J

testdiskj.jpg

The final testdisk screen and you’re out.

One last Quit and you’re done (Figure K). 

Figure K

testdiskj.jpg

Testdisk really wants you to be sure it’s time to leave the application.

In that recovery directory, you’ll see a newly created directory (named after the directory that originally housed the deleted file) that contains your recovered files. Because you had to use sudo (or the root user), the recovered files will now belong to the root user. To fix that, you’ll need to change the ownership of the file(s) with a command like:

sudo chown USER.USER filename

Where USER is the name of the user and filename is the name of the file.

And that’s it. You’ve recovered that deleted file and can now return it to its rightful home. 

Also see



Source link




Leave a Reply

Your email address will not be published. Required fields are marked *