Hack 97. Recover Deleted Files

Deleting a file doesn't make it lost forever. Here's a quick method for finding deleted text files.

Sooner or later everyone has an "oh no second" when they realize that they've just deleted a critical file. The best feature of old Windows and DOS boxes was that they used a simplistic File Allocation Table (FAT) filesystem that made it easy to recover deleted files. Files could easily be recovered because they weren't immediately deleted: deleting a file just marked its entries as unused in the file allocation table; the blocks that contained the file data might not be reused until much later. Zillions of utilities were available to undelete files by reactivating their FAT entries.

Linux filesystems are significantly more sophisticated than FAT filesystems, which has the unfortunate side effect of complicating the recovery of deleted files. When you delete a file, the blocks associated with that file are immediately returned to the free list, which is a bitmap maintained by each filesystem that shows blocks that are available for allocation to new or expanded files. Luckily, the fact that any Linux/Unix device can be accessed as a stream of characters gives you the chance to recover deleted files using standard Linux/Unix utilities, but only if you act quickly!

This hack focuses on explaining how to recover lost text files from partitions on your hard drive. Text files are the easiest type of file to recover, because you can use standard Linux/Unix utilities to search for sequences of characters that you know appear in the deleted files. In theory, you can attempt to undelete any file from a Linux partition, but you have to be able to uniquely describe what you're looking for.

10.10.1. Preventing Additional Changes to the Partition

As quickly as possible after discovery that a critical file has been deleted, you should unmount the partition on which the file was located. (If you don't think anyone is actually using that partition but you can't unmount it, read "Find Out Why You Can't Unmount a Partition" [Hack #92].)

In some cases, such as partitions that are actively being used by the system or are shared by multiple users, this will require that you take the system down to single-user mode and unmount the partition at that point. The easiest way to do this cleanly is with the shutdown command, as in the following example:

# shutdown now "Going to single-user mode to search for deleted files..."

Of course, it would be kindest to your users to give them more warning, but your chances of recovering the deleted file decrease with every second that the system is running and users or the system can create files on the partition that holds your deleted file. Once the system is in single-user mode, unmount the partition containing the deleted file as quickly as possible. You're now ready to begin your detective work.

10.10.2. Looking for the Missing Data

The standard Linux/Unix grep utility is your best friend when searching for a deleted text file on an existing disk partition. After figuring out a text string that you know is in the deleted file, execute a command like the following, and then go out for a cup of coffee while it runs; depending on the size of the partition you're searching, this can take quite a while:

# grep -a -B10 -A100 -i fibonacci /dev/hda2 > fibonacci.out

In this case, I'm searching for the string "fibonacci" in the filesystem on /dev/hda2, because I accidentally deleted some sample code that I was writing for another book. As in this example, you'll want to redirect the output of the grep command into a file, because a file is easier to edit than a terminal. Also, because the preceding and trailing "lines" that grep saves are actually runs of binary data that can be incredibly long, you will need to have several megabytes free on the partition where you are running the command (which must not be the partition you are searching).

The options I've used in my grep command are the following:

  • -a: Treats the device that you're searching as a series of ASCII characters rather than as a binary file.

  • -BN: Saves N lines before the line that matches the string that you're looking for. In this case, I'm saving 10 lines before the string "fibonacci".

  • -AN: Saves N lines after the line that matches the string you're looking for. In this case, I'm saving 100 lines after the string "fibonacci" (this was a short code example).

  • -i: Searches for the target string without regard to whether any of the characters in the string are in upper- or lowercase.

After the command finishes, start your favorite text editor to edit the output file (fibonacci.out, in our example) to remove preceding and trailing data that you don't want, as shown in Figure 10-3. Some such data will almost certainly be present.

Figure 10-3. Recovered file shown in emacs
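The search and cleanup steps above, wrapped into a small shell script. This is an added example and not code from the book; it assumes GNU grep (for -a, -A and -B) and coreutils, and the image it builds with make_sample_image is a constructed stand-in for the unmounted /dev/hda2 of the hack (running against a dd copy of the real device rather than the device itself is the safer habit).

```shell
#!/bin/sh
# Carve a deleted text file out of a raw partition (or an image of it) by
# searching for a string known to be in the file, then stripping the binary
# noise that grep's line context drags along with it.
# Assumes GNU grep/coreutils; the sample image below is constructed, not real data.
set -eu

# carve_text DEVICE PATTERN [BEFORE] [AFTER]
# Same grep as in the hack (-a -B -A -i), followed by two cleanup passes:
# every non-printable byte becomes a newline, and runs of blank lines are
# squeezed, so what is left is close to the original file plus its neighbours.
carve_text() {
    device=$1; pattern=$2; before=${3:-10}; after=${4:-100}
    LC_ALL=C grep -a -i -B "$before" -A "$after" -- "$pattern" "$device" \
        | LC_ALL=C tr -c '[:print:]\n\t' '\n' \
        | cat -s
}

# make_sample_image [PATH]
# Constructed 64 KiB "partition": zero-filled blocks with a short Python file
# dropped at one offset and an unrelated fragment far away from it, so the
# context limits of carve_text can be seen trimming the decoy out.
make_sample_image() {
    img=${1:-/tmp/sample_part.img}
    dd if=/dev/zero of="$img" bs=1024 count=64 2>/dev/null
    printf '#!/usr/bin/env python\n# fibonacci sample\ndef fib(n):\n    return n if n < 2 else fib(n-1) + fib(n-2)\n' \
        | dd of="$img" bs=1 seek=20000 conv=notrunc 2>/dev/null
    printf 'unrelated data\n' | dd of="$img" bs=1 seek=40000 conv=notrunc 2>/dev/null
    printf '%s\n' "$img"
}

# Stand-alone run: build the sample image and carve the "fibonacci" file from it.
# Against a real, unmounted partition this would be:
#   carve_text /dev/hda2 fibonacci 10 100 > fibonacci.out
if [ "${1:-}" = "--demo" ]; then
    sample=$(make_sample_image)
    carve_text "$sample" fibonacci 1 2
fi
```

The leading blank lines in the demo output are the zero-filled blocks that preceded the file; that residue is what you trim by hand in the editor afterwards.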


When the time it takes to edit and clean up the recovered file is weighed against the time needed to recreate the deleted file, you'll usually find it's worth the effort to attempt recovery. Once you're satisfied that you have recovered your file, you can remount the partition where it was formerly located and make the system available to users again, and be more careful next time!

10.10.3. See Also

  • "Recover Lost Partitions" [Hack #93]

  • "Recover Data from Crashed Disks" [Hack #94]

  • "Repair and Recover ReiserFS Filesystems" [Hack #95]

  • "Recover Lost Files and Perform Forensic Analysis" [Hack #100]



Linux Server Hacks (Vol. 2)