How to restore deleted files in Linux
When a user accidentally deletes a file that is still needed, in most cases, there is no easy way to retrieve or recreate the file. Fortunately, files can be recovered through some methods. When a user deletes an object, the object does not disappear, but is hidden for a period of time.
Here we will explain how it works. In a file system, there is something called a file allocation table, which tracks the position of a file in a storage unit (such as a hard disk, MicroSD card, flash drive, and so on. When a file is deleted, the file system will execute one of the following two tasks in the file allocation table: the entries in the file allocation table are marked as "Free Space" or the entries in the file allocation table are deleted, and the corresponding space is marked as free space. Now, if a new file needs to be placed on a storage unit, the operating system will place the file to a location marked as a vacant space. After a new file is written to this blank space, the deleted file disappears completely. When you need to restore a deleted file, you cannot operate on any file any more, because if the corresponding "space" of the file is occupied, this file will never be restored.
How does the recovery software work?
Most file systems (When deleting files) only mark the space as blank. In these file systems, restore the software to view the file allocation table, and then copy the deleted file to another storage unit. If the file is copied to another deleted storage unit to be restored, the user may lose the deleted file.
The file system rarely erased entries in the file allocation table. If the file system does this, the recovery software is restoring the file. The recovery software scans the file header in the storage unit. All files have a special encoding string located at the beginning of the file, also known as magic numbers. For example, the magic number of a compiled JAVA class file is "CAFEBABE" in hexadecimal notation ". Therefore, if you want to restore a file of this type, the recovery software searches for "CAFEBABE" and copies the file to another storage unit. Some recovery software can find some special file types. If you want to restore a PDF file, the recovery software will find the hexadecimal magic number "25504446", which is exactly the "% PDF" in ASCII code ". The recovery software searches for all magic numbers and then you can choose which deleted file to recover.
If a part of a file is overwritten, the entire file will be damaged. This file can be recovered normally, but the content may be useless. For example, restoring a damaged JPEG file will be meaningless, because the image Viewer cannot generate an image from this damaged file. Therefore, even if the user owns the file, the file will be useless.
Device location:
Before we proceed, the following information will help guide the recovery software to find the correct storage unit. All devices are mounted to the/dev/directory. The name assigned to each device by the operating system (not the name assigned to each partition or device by the Administrator) follows certain naming rules.
The name of the second partition of the first SATA hard disk will be sda2. The first letter of the name implies the storage type. Here it refers to SATA, but the letter "s" may also refer to SCSI, FireWire (FireWire port), or USB. The second letter "d" refers to disk (hard disk ). The third letter refers to the device sequence number, that is, the letter "a" refers to the first SATA and "B" refers to the second. The last number indicates the partition. The device name without a partition number indicates all the partitions in this setting. For the above example, the corresponding name is sda. The first letter of the name may also be "h", which corresponds to the PATA hard disk (IDE ).
The following are examples of naming rules. If a user has a SATA hard drive (sda), the device has four partitions: sda1, sda2, sda3, and sda4. The user deleted the third partition, but the fourth partition name sda4 remains unchanged until the fourth partition is formatted. Then the user inserts a usb memory card (sdb) with a partition-sdb1-, and adds an IDE hard disk with a partition-hda1, then the user adds a SCSI hard drive-sdc1. Then the user removed the USB memory card (sdb ). Now, the SCSI hard disk name is still sdc, but if the SCSI is removed and inserted again, its name will be changed to sdb. Although there are other storage devices, the name of the IDE Hard Disk still has a "a" because it is the first IDE hard disk, the names of IDE devices are counted separately from those of SCSI, SATA, FireWire, and USB devices.
Use TestDisk for restoration:
Each recovery software has different functions, features, and support for different file systems. Below are some guidelines for restoring files in various file systems using TestDisk.
FAT16, FAT32, exFAT (FAT64), NTFS, and ext2/3/4:
TestDisk is an open-source free software running on Linux, * BSD, SunOS, Mac OS X, DOS, Windows, and other operating systems. TestDisk can be found at http://www.cgsecurity.org/wiki/testdisk. You can also type sudo apt-get install TestDisk to install testdisk. TestDisk has many functions, but this article will only focus on restoring files.
Use the root permission to open TestDisk from the terminal. You can run the sudo testdisk command.
Now, the TestDisk command line application will be executed. The display of the terminal will change. TestDisk asks the user whether the log can be retained, which is entirely determined by the user. If a user is recovering files from the system storage, logs do not need to be retained. Optional options include "generate", "APPEND", and "no log ". If you want to keep the log, the log will be stored in the user's home directory.
On the next screen, the storage devices are listed in/dev/* mode. For my system, the storage unit of the system is/dev/sda, which means that my storage unit is a SATA hard disk (sd) and it is the first hard disk (). The capacity of each storage unit is displayed in the unit of Gigabyte. Use the up/down key to select a storage device and click to enter.
The next screen shows a list with a partition table (also called a partition ing table. Just as the file has a file configuration table, the partition has a partition table. Partitions are segments on storage devices. For example, in almost all Linux systems, there are at least two partition types: EXT3/4 and Swap. Each partition table is briefly described below. TestDisk does not support all types of partition tables, so this is not a complete list.
- Intel-this type of partition table is common in Windows and many Linux systems. It is also called MBR partition table.
- Efi gpt-this type of partition table is usually used in Linux. For Linux systems, this Partition Table is the most recommended because the concept of logical Partition or extended Partition is not applicable to GPT (GUID Partition Table) Partition tables. This means that if there is one Linux system in each partition, a Linux User can start multiple times from multiple types of Linux systems. Of course, using GPT partitioned tables has other advantages, but those are beyond the scope of this article.
- The Humax-Humax partition ing table is applicable to devices produced by Humax, a Korean company.
- Mac-Apple partition ing table (APM) is applicable to Apple devices.
- None-some devices do not have partition tables. For example, many Subor game consoles do not use partition ing tables. If a user tries to restore files from such devices as other partition tables, the user will be troubled by why TestDisk locates any file system or file.
- The Sun-Sun Partition Table is applicable to the Sun system.
- Xbox-Xbox is applicable to storage devices that use the Xbox partition ing table.
If you select "Xbox", although his system uses a GPT Partition Table, TestDisk cannot find any partition or file system. If TestDisk is executed according to the user's choice, it may be guessed wrong. (The following figure shows the output when the Partition Table type is incorrect)
When the user selects the correct option for their device, select the "advanced" option in the next screen.
For more details, please continue to read the highlights on the next page: