Data recovery

This article is mostly valid for all Ubuntu versions.


Through carelessness it occasionally happens: you delete a directory or a file that you did not actually intend to delete. This article explains how to recover deleted files and what to do to prevent this from happening more often. It also describes how to recover data from damaged partitions.

Data recovery on the ReiserFS file system is not covered.

Prevent

Delete

When deleting, keep the following in mind:

Check which files you are deleting

When deleting, only move files to the recycle bin

Before emptying the recycle bin, look through it again

Backup copies

Creating backups on a regular basis is not difficult nowadays. There are a number of programs that create backups manually or automatically.

Rescue data

Attention!

First of all, the partition on which the deleted files were located should be unmounted immediately (e.g. with the key combination Alt + Print + U, which immediately removes all write permissions). Any subsequent write access could render the files permanently unrecoverable; this also applies if you subsequently install the data recovery programs mentioned below.

For data recovery, the partition concerned should from now on be mounted read-only. If this is not possible (e.g. because the system is on the same partition), you can fall back on a live system [4].

In case of (possibly) defective external writable media, it is a good idea to check the media before connecting or disconnecting it. To be on the safe side, deactivate the automount – at least temporarily – and test this with another data medium.

If data or partitions on the disk have to be restored for data recovery, e.g. the partitioning, you should first create an image of the data medium. This applies especially to defective disks. Afterwards you should work only from images created with safecopy or ddrescue, or from 1:1 copies of the readable data.

Of course there are more programs than those explained here. Only programs that come with instructions are presented here. Further programs can be found on the pages mentioned under Links.

ext3/ext4

According to Wikipedia and other sites, data recovery on ext3 and ext4 is impossible or possible only with difficulty. Both file systems overwrite the block pointers of the inodes with zeros during deletions. This makes it comparatively difficult to restore files after a requested deletion, but improves the probability that the integrity of the file system can be restored without data loss after a software error or hardware failure (source: Wikipedia).

However, the program ext3rminator, which is included e.g. in the live Linux distribution grml, offers a good way to recover lost files that were larger than 48 KB. To do this, boot from the live CD and access the corresponding ext3 partition from there [4]. In addition, some of the programs mentioned under ext2 can also be used with ext3. This way there is at least the possibility of partially recovering files. A somewhat extensive but promising tutorial can be found here: HOWTO recover deleted files on an ext3 file system.

extundelete is also a program for recovering accidentally deleted files under ext3 and ext4. The website describes in detail how to use the program. Found or recovered files are stored in the directory RECOVERED_FILES, which is created in the current directory. It also works fine with a live CD and an external medium.

Another interesting program is Ext4magic. Further information can be found in the detailed documentation.

lost+found

The folder /lost+found/ (in case of an own partition for /home/ also /home/lost+found/) may still contain files that can be recovered after an automatic file system repair (without any guarantee of success!). More details can be found in the blog post Recover files from lost+found.

Tip:

The file system ext2 is not used in current Ubuntu versions. The following section is therefore more of a historical nature, but can still be useful in some cases.

In order to have access to the corresponding file system with the tools mentioned above, you have to unmount it first. If you want to work with the root partition, the use of a live CD or a live USB stick is mandatory!

In addition to the following approaches, it may be worthwhile to take a look at giis.

debugfs

The program debugfs is part of the package e2fsprogs, which is already installed by default. Anyone who does not understand the English man page can fall back on the German translation.

Start the program in the terminal [2]:

Then change to the drive with the following command:

Replace sda3 with the drive where data is to be recovered. First, use the following command to display all deleted files:

The program uses the following display:

Inode number User ID file size Deletion date and time
4711 1000 93678 6/ 6 Sat Aug 12 20:43:55 2006

Now you can search for the file to be recovered using user ID, file size and deletion date (if known). Then you can recover the file with the following command:

The created file can be viewed in an editor [3]. Exit with:

Recovery of multiple data

If not only one but several files have been deleted by mistake, it is of course tedious to have to run the dump command for every file. To get at the deleted files comfortably, you can proceed in a similar way to the procedure described above for a single file.

Instead of displaying the list of deleted files in debugfs, it is written to a text file. To do this, use the following command:

Replace sda3 with the drive on which data is to be recovered. lsdel lists all the data that was deleted from the volume. The -R parameter causes the lsdel command to be passed to debugfs (alternatively, you can type the command directly into debugfs). > writes the list to the text file /deletedfiles.txt in the home directory instead of displaying it in debugfs. This list is now modified (as root) with an editor. The list looks something like this:

Inode number User ID File size deletion date and time
4711 1000 93678 6/ 6 Sat Aug 12 20:43:55 2006
. . . . .
. . . . .
. . . . .
. . . . .
. . . . .
1000 deleted inodes found.

Delete the first and last line. If there are inodes that you do not want to recover, simply delete the whole line. Then save the customized list.

A folder will be created where the recovered data will be collected.

The created list is now passed to debugfs with the help of a loop.

Replace sda3, as always, with the drive on which data is to be recovered.

The process may take several hours. All files should now be saved in /home/USERNAME/restored – unfortunately not with the original filename, but at least the data is there again!
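The list-and-loop procedure described above, as an added shell example (not code from the original article): it pulls the inode numbers out of a saved lsdel listing without hand-editing the header and summary lines and writes one dump request per inode for debugfs. The function names, the sample listing and the file name requests.txt are constructed for illustration; -R, -f, lsdel and dump are debugfs's own.

```shell
#!/bin/sh
# Print the inode numbers from an lsdel listing read on stdin.
# A data row starts with two numeric fields (inode number, user ID); the
# header and the "N deleted inodes found." summary do not, so they drop out.
# Optional $1: keep only rows that belong to this numeric user ID.
lsdel_inodes() {
    awk -v uid="${1:-}" '
        $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ {
            if (uid == "" || $2 == uid) print $1
        }'
}

# Turn inode numbers (stdin) into debugfs requests "dump <inode> DIR/inode".
# DIR must be on a different file system than the one being recovered,
# otherwise the restored files overwrite the blocks still to be rescued.
dump_requests() {
    outdir=$1
    while read -r inode; do
        printf 'dump <%s> %s/%s\n' "$inode" "$outdir" "$inode"
    done
}

# Constructed sample listing in the column layout shown in this article.
sample_listing() {
    cat <<'EOF'
Inode number User ID File size deletion date and time
4711 1000 93678 6/ 6 Sat Aug 12 20:43:55 2006
4712 0 1200 1/ 1 Sat Aug 12 20:44:01 2006
4720 1000 500000 123/ 123 Sat Aug 12 20:45:10 2006
3 deleted inodes found.
EOF
}

# Demo on the sample: requests for the files of user ID 1000 only.
sample_listing | lsdel_inodes 1000 | dump_requests /home/USERNAME/restored

# Real run (as root, file system unmounted; debugfs opens it read-only):
#   debugfs -R lsdel /dev/sda3 > deletedfiles.txt
#   lsdel_inodes < deletedfiles.txt \
#       | dump_requests /home/USERNAME/restored > requests.txt
#   debugfs -f requests.txt /dev/sda3
```

Passing all requests in one file with -f opens the file system once instead of once per inode.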

grep is also already installed by default. Enter the following in the terminal [2]:

This command saves everything from 200 lines before to 600 lines after the string doctoral thesis found on /dev/sda3 to the file /tmp/recovered. The file can be viewed in an editor [3]. Finally, the previously unmounted file system must of course be remounted.

(FAT, FAT12/16/32, exFAT)

Hint:

Programs like TestDisk or PhotoRec can also help with problems with FAT partitions.

Errors in the FAT file system can be fixed under Windows with chkdsk. Example of a FAT partition with the letter D:

Hint:

Programs like TestDisk or PhotoRec can also help with problems with NTFS partitions.

Errors in the NTFS file system can be repaired under Windows with chkdsk (see FAT).

To ask Windows to repair an NTFS file system at the next boot, there is the Linux command ntfsfix. This requires the package ntfsprogs to be installed (until Ubuntu 11.04). As of Ubuntu 11.10, ntfsprogs is contained in the package ntfs-3g, as a result of merging 2 projects and thus in a newer version.

Example of an NTFS partition on a dual-boot hard drive. sda3 stands for the 3rd partition on the first hard disk, which is usually the data partition for Windows on a dual-boot system.

For Windows there are some other useful programs on the Internet, see Links.

Open files

With the command lsof (which stands for list open files) it is possible to recover accidentally deleted data if it was opened by another program at the time of deletion. The rescue operation must be done immediately after deletion, because the file is still open for the system although it has just been deleted. Since this case probably occurs rather rarely, no further explanation is given here; see instead the very good explanation on this page.

Tricks

In some cases no recovery program is needed because a folder is either unimportant or can be recreated by a program.

Very often only a few files within a considerable amount of data on a disk are irreparably damaged, e.g. after a head crash. In this case you can quickly and easily copy the still readable files of a directory with the tool rsync using the option --ignore-errors. Unreadable data is simply ignored without aborting the copy process.

On a second run, you can have a logfile created and then get a list of corrupted files via this detour.

foremost

foremost is a command line program that can reconstruct deleted data based on the remaining header and footer data.

Rescue partitions

Rescue deleted/defective partition table

Attention!

Changing the partition table is always very risky! A repair attempt may do more harm than good. Therefore it is better to clone the disk completely with dd and try to repair the copy!

If, for whatever reason, the partition table is damaged or partition entries have been deleted, you can try a rescue with TestDisk. You install the program with the package of the same name [1]:

testdisk (universe)

Command to install the packages:

Or install with apturl, link: apt://testdisk

Just start the program:

It offers an intuitive text menu. To apply TestDisk to a disk image, add it to the end of the command:

Another variant is described in the article Hard disk troubleshooting (section "Defective partition table"). More information can also be found in the official TestDisk documentation.

Have main partition repaired if read-only

If suddenly messages of the following kind appear:

"Process creation of the input/output module not possible: Read-only file system cannot be started."

"Setup file /home/USERNAME/.kde/share/config/systemsettingsrc cannot be saved."

"/dev/sda3: Unexpected inconsistency fsck died exit status 4" (when trying to reboot)

then the main partition contains a write error and has automatically been set to read-only.

The remedy is to check the main partition (which is mostly called sda1 and is of type ext3). To do this, boot KNOPPIX or another live CD and put the main partition in order from there, because the partition must not be mounted. Enter the following command in the terminal [2]:

If a lot of questions have to be answered with "j", you can cancel with Ctrl + C and start the command again with the following parameter: "-y".

Rescue partitions when repair is no longer possible

If a complete partition is no longer readable, e.g. because parts of the file system are damaged, it is still possible to save the "good" parts of the file system with the help of the program ddrescue. An alternative is safecopy.

If the boot partition is defective, you of course have to run ddrescue or safecopy from a live CD.

Hint:

ddrescue and safecopy are meant for defective partitions, not for partitions that have been formatted by accident! For the latter case, TestDisk is suitable instead.

ddrescue

gddrescue is a program for recovering data from defective disks. How it works is described in the article. The program in the package of the same name is called ddrescue. To use it, you need to install the following package [1]:

gddrescue (universe)

Command to install the packages:

or install with apturl, link: apt://gddrescue

Notice:

Attention, danger of confusion: in addition to the program included in the package gddrescue, there is also the older program dd_rescue (WITH underscore), for which a package was available only up to Ubuntu 12.04. To justify the removal, it was pointed out that the newer program had a much wider range of functions and that it lacked only a few features of the older one. The use of dd_rescue is relatively simple and is described in detail on linux-user.de.

Extract files from image

After an image has been created with safecopy or ddrescue, you can start extracting files from the image. There are several tools for this.

tsk_recover

The program tsk_recover is included in the following package [1]:

sleuthkit (universe)

Command to install the packages:

Or install with apturl, link: apt://sleuthkit

After installation, you can immediately start extracting files from the image:

The output folder must have been created by yourself beforehand. With the -a option, only undeleted files and folders are copied to the output folder; with -e everything is copied; and with no options at all only the deleted contents are copied. tsk_recover also recovers file names.

More information can be found, among other places, in a detailed Linux Magazine article, this YouTube video, and in the man page.

PhotoRec

PhotoRec recovers lost files of more than 180 file formats from over 100 file families (images, videos, office, archives, and many more: list of recoverable file formats) from intact and damaged file systems (not only from images).

The program PhotoRec is included in the following package [1]:

testdisk (universe)

Command to install the packages:

Or install with apturl, link: apt://testdisk

Application: e.g. data recovery from the ddrescue image mentioned above:

For use on other file systems

You now have to work your way through the text menu and start the extraction. More information can be found in the official PhotoRec documentation and in a detailed step-by-step guide.

Hint:

PhotoRec basically recovers only file contents, but no file names.

For processing (filtering and sorting) the numerous recovered files, the script solution sort_recovered may be helpful. However, there is also the official tutorial Reprocessing and sorting files after use of Photorec, which also covers finding and renaming images, opening broken MS Office documents and recovering broken MS Outlook emails.

If you want to recover office files that were saved by Open Office or Libre Office in the default format ODT, you can find them again using search words from the document contents:

Root rights are necessary, and odt2txt will be installed.

The yellow markers need to be adjusted: Search folder, file extension, search term(s). The file extension of recovered text documents could be different.

DOC files can be searched by keywords as follows to retrieve your most important documents from the plethora of recovered files:

Root rights are necessary, and antiword will be installed.

Again, the yellow markers must be adjusted: Search folder, file extension, search term(s). The file extension of recovered text documents could be different.

To search PDF files you can use pdfgrep, provided they are based on text files and not on scans or photos/images.

Other applications

recoverjpeg

recoverjpeg is used exclusively to recover JPEG files on removable media or hard disks. It is therefore very suitable for recovering deleted images from the memory chip of a digital camera. The program is included in the package sources of Ubuntu and can be installed via the following package [1]:

recoverjpeg (universe)

Command to install the packages:

Then it can be applied to a whole disk or partition via a terminal [2].

recoverjpeg now tries to find deleted images on the disk and saves them as image<number>.jpg in the current directory.

safecopy

safecopy offers the possibility to recover data from defective data carriers. It reads floppy disks block by block and writes the error-free data to an output file. The program tries to read out defective blocks; if no recovery is possible, safecopy skips the defective block and continues with data recovery.

It is to be installed via the following package [1]:

safecopy (universe)

Command to install the packages:

Or install with apturl, link: apt://safecopy

It is called via the terminal [2].

In order to be able to use all of the program's capabilities, you should read the man page.

Links

Internal

Emergency What to do in emergencies?

External

Data Recovery – in the English Ubuntu documentation

safecopy – data recovery program, included in the official package sources

Datarecovery – extensive link list, data recovery under Linux among others

Windows programs

Linux Ext2/Ext3 data recovery for Windows – Convenient recovery of deleted files/directories

Data recovery – Giga Software (formerly Winload.en)

This revision was created on 10 April 2021 at 01:13 by chris34.
The following keywords have been assigned to the article: disk, emergency, data recovery, security
