Linux Recover Deleted Files

Occasionally, we accidentally delete certain files. Delete this could mean performing deletion, or overwrite (overwrite) or delete some file content intentionally or unintentionally. Well, it turns out there is a way to do recovery on those files.

There is little background story of this writing. Coincidence indeed today, a colleague of mine who is also a web developer is aware that there is an important text files suddenly size to 0 bytes, alias becomes an empty file. Sad again, this file does not get into the git repository, so there is no backup of that file. Actually, we also tried sincere and plan to repeat the work on the file from the beginning. Thank God, after the one-two time googling, I found one thread on the Stack Exchange is quite helpful. This tutorial I've tried and it works well on Ubuntu Server and Linux, and undue Manjaro goes well in a variety of other UNIX computers.

Basically, there are two basic linux commands are used, i.e. grep and dd.

First, we need to do a search with search certain key using the command grep. Try search key used is found in the last version of the file so you can find the files with the latest revision. In the following example, the orders:
sudo grep -a -b "search-key-here" /dev/sda1

  • Parameter "-a" means that the search conducted with the assumption that the type of file you're looking for is a text file.
  • The second Parameter "-b" is used to display the byte offset to be used in the next command.
  • The third Parameter is the search key you have to customize the search with key that you do.
  • Last, "/dev/sda1" is the name of the disk file partition is located.
As a side note, to know the list of hard disk partitions, you can use the command "fdisk-l". In this tutorial, I used the hard drive partition "/dev/sda1", please customize with your partitions.

Furthermore, if successfully found, execute the grep command will result in a block that has a list of search key to search, his output example is as follows:
20199612669:         <div class="search-key-here">
20199633149:         <div class="search-key-here">
20199653629:         <div class="search-key-here">
20199682301:         <div class="search-key-here">

"Block offset" is shown in the format "number" which is located on the left is which we will use in the next step. There will be some search results are shown. Can be, there are two (or more) different files on the results of this search. Therefore, try using the "search key" specific and will only be found on the file you wish to-recover.

Once you get the "block" is sought, the next step is the opening of "block-block" by using the "block". "Block" latest I mean is "the last block" displayed on the search results. In the example above, the "block" what I mean is "20199682301".

The next stage is rather "tricky", because you need to do a search along the block of the file. First, run the following command:
dd if=/dev/sda1 count=1 skip=$(expr 20199682301 / 512) > file.txt

The command will copy the contents of the "block 20199682301" all one "block" and enter into ".txt". Now, if we see the result ".txt", then we only get one piece of that file. Therefore, you need to modify the parameter "count and skip". The parameter "count" will determine how much of a "block" to be "copied". Try Fox being 2, 3 and so on and let me see the results on the ".txt". Whereas, the parameter "skip" will pass through "n block" a certain match your input. There is a simple way to ' outsmart ' this parameter by adding "+ x" or "-x" to "skip x blocks" afterwards as well as x previous block. So, you can change the above commands into.
dd if=/dev/sda1 count=1 skip=$(expr 20199682301 / 512 + 1) > file.txt, or
dd if=/dev/sda1 count=1 skip=$(expr 20199682301 / - 1) > file.txt,

or any number according to your needs. The goal, you can get back the file as a whole. Essentially, the ' play ' the parameter count and skip. Do not skip one space even if from the above command.

Click here for Comments