Can I salvage data after rm?

[jedthehumanoid]

Ok, I won't bore you all with the details of how I did this but I deleted a bunch of files with the rm command that I really should not have gotten rid of. Is there a way to get it back or salvage it via another command or even third party software? (I feel completely retarded for asking this!)

[nuttron]

According to man page , lines 45-56 quote = Note that if you use rm to remove a file, it is usually possible to recover the contents of that file. If you want more assurance that the contents
are truly unrecoverable, consider using shred.

Unfortunately out of range of my "expertise" good luck

[LewRockwell]

just use your most recent clone(we use clonezilla...full clone, NOT the compressed image stuff) to copy the deleted stuff back in

.

[LewRockwell]

then there is always Testdisk and Photorec

.

[trilarian]

You can use grep to recover files as well. This is good if you just remove one file by mistake and don't want to dig through a whole backup. Usually good to drop to single user mode so that nothing/no one else is touching any files.

Code:

# init 1

Then do:
grep -a -B[size before] -A[size after] 'text' /dev/[your_partition] > file.txt

like:

Code:

# grep -i -a -B10 -A100 'deletedfilename' /dev/sda1 > filename.txt

where:
-i : Ignore case distinctions in both the PATTERN and the input files i.e. match both uppercase and lowercase character.
-a : Process a binary file as if it were text
-B : Print number lines/size of leading context before matching lines.
-A : Print number lines/size of trailing context after matching lines.

[irlandes]

Freeze! Don't do anything to that machine until you get it under control. Once you remove the pointers to a file, which is what rm does, it becomes available for re-use depending on circumstances.

It is late here, or I'd dig into it further, but hexedit, which I believe is available for Puppy linux allows you to look at and read and write the bits and bytes of a HD.

I think there are some security distros which also let you do it. That's how cops find disgusting stuff on HD.

But, once you start writing to HD, your deleted files are available for re-use which may mean overwrite.

One of the tricks we learned in Dos/Win95 days is to use a GUI for deleting files, do not ever do it from command line. If you want to remove something with higher permissions, sometimes you may need to open a file browser via kdesudo or something, but destructive commands from the command line should be on your Don't Do List.

I need you to understand finding a file not yet over-written can be daunting. Hexedit can do searches, but you would need to know some of the contents of the files to find them.

[irlandes]

I played around with hexedit in September before I went back to the States for a month. I made a Kate text file with a very unlikely combo of 8 letters not likely to occur by accident. When I saved it to HD, then did a hexedit search for that sequence of letters, it found it. And, that single cluster with only 8 bytes in it, and 4096 - 8 bytes slack space was stuck in a niche between two other files, so the one cluster went into a one cluster hole, not in the next available cluster on the HD as Win 98 did.

And, when I resaved it, hexedit search found it in two places, the old cluster "in a hole" which was not yet written over, and the new cluster, which was also shoved in a niche between two files, a hole exactly one cluster long.

This attempt to use an exact space for a file when saved, explains why Linux does not need a defragger.

So, there is always a possibility the deleted files may not be overwritten if the current saves do not fit in their holes, so to speak.

[loopback48]

I'm just wondering. I don't know every file name I have. If I delete one how will I be able to recover it without the name?

At my advanced age - hitting 62 in Jan. of '10 - if I remember to pull up my zipper after voiding my bladder I'm doing good. I see this as a lost cause.

If there was some way to 'view' all deleted file that would help. But does anyone really have committed to memory all file name?

Just consider it a file lost and move on. Better luck next time. And don't be so quick deleting things. Not that I''ve ever done such things. Oh no, not me.

[irlandes]

Being 62 is not an excuse. I remember when I was that old.

Linux takes time to learn. When you are older, it may take longer.

And, as you say, maybe you forget. Which is why I have a couple files on my computer. One is the various commands and the option letters for various tasks I do.

The other is instructions on how to things with GIMP. If I forget, I look up what I need.

[loopback48]

Being 62 is not an excuse. I remember when I was that old.

And I thought I was an old fart. Why you old codger! You make me feel young.

(Yes, us oldsters like Linux too.)

[trilarian]

I'm just wondering. I don't know every file name I have. If I delete one how will I be able to recover it without the name?

I'd have to do some digging around to see what the modern version is. For EXT2, it was 'lsdel'. So something along the lines of:

- Start debugfs (as root, debubfs /dev/xxx where xxx is your partition)
- Type 'lsdel' (get a list of all deleted inodes with deletiontime)
- Use 'undel' or 'undelete' to write the deleted inode to a new file

When EXT3 first came out you had to revert to EXT2 to do this process. I'm sure it has evolved since then. I just have regular backups now I can pull from or have been lucky enough to catch my error just as I did it so can use the grep method.

EDIT => On Debian Sid, debubfs is available by default so I think you are still good to try the above method.

[Wurd]

then there is always Testdisk and Photorec

.

Not always This is custom thing

[Ludootje]

When EXT3 first came out you had to revert to EXT2 to do this process. I'm sure it has evolved since then.

Not sure it has. Last time I looked into this (admittedly, that was a few years ago), all I found was references to ext2 tools, nothing for ext3.

Okay, just did some quick googling, seems there are at least 2 apps which could help: "aur" & "ext3undel".

I'm curious about ext4, though. Maybe that one finally has some good tools for it?

Okay, some more googling: https://ext4.wiki.kernel.org/index.p...les_in_Ext4.3F says it's not possible to undelete on both ext3 and ext4 :-/

ext3 filesystems can be mounted using ext2 drivers, just like ext2 filesystems can be mounted using ext3 drivers. But ext4 filesystems can't be mounted using either ext3 or ext2 drivers, so using ext2 tools on for ext4 filesystems isn't possible.

[cybertron]

(This is an old thread, but since it came up again here are my two cents)

It's been awhile since I've had to look into this (now I back up important stuff nightly so if I realize I deleted something I just go grab it from the backup), but at the time and on the filesystem I was using (Reiser, I think), the only way to recover deleted files was to fsck the filesystem with the appropriate options, but that would restore every deleted file that was found on the drive, which would be quite a mess. I never actually tried it because the thing I was trying to get back wasn't important enough to make me want to deal with cleaning out all of the other junk that would have come back.

There's also no guarantee that you'll be able to get anything back. If that part of the disk was overwritten after you did the rm then the data is essentially gone, unless it's important enough to send the drive to a specialized data recovery service, and even then there's no guarantee.

[retsaw]

Not always This is custom thing

I don't quite understand what you mean by this. When isn't it an option? I know it can't help if the data has physically been overwritten (but what can) and it doesn't work for fragmented files, but it works independently of the filesystem and will recover al files it recognises.