
V. Kostromin (edited by Vanderboot)

The other day, during a small revision of the contents of my site, I came across a translation of the article "10 ways to recover deleted files in linux", the original version of which is dated June 21, 2007. After re-reading the article and trying to follow the links in it, I found that some of the links no longer work at all (the developers' sites have disappeared from the network), and some of the utilities mentioned in the article have not been updated or supported for a long time.

That gave me the idea to see what tools for recovering accidentally deleted files exist at the moment. I believe that interest in tools of this kind has not disappeared over the years. After all, novice Linux users (as well as users of other operating systems, by the way) often find themselves in a situation where, through a mistake caused by inexperience, they delete some files and immediately realize that they deleted something other than what they intended. Or perhaps they did not want to delete anything at all.

In addition to erroneous deletion of data, there are situations where the media turns out to be corrupted, bad sectors appear on the disk, and so on. Data recovery tools are needed in such situations as well.

I want to warn you right away that everything stated below has not been personally verified by me and is based only on information published on the developers' websites or in articles with descriptions of the relevant products. And, of course, only freely distributed products are considered in the article. If you are interested in paid (proprietary) products, you can easily find them yourself.

So, here is the list of utilities for recovering lost data that I managed to find (the data is current as of November 10, 2010).

  1. unrm - a small console utility that, under certain conditions, can recover almost 99% of deleted data (similar to the undelete utility in DOS). Read the FAQ file carefully before using it, and preferably the Linux Ext2fs Undeletion Mini-HOWTO as well. Usage:
    unrm [-b (no block padding)][-e (every block)][-f fstype][-vW] device
  2. (gET iT i sAY) - a file recovery tool for Ext2/Ext3 file systems. After installation, the current files and newly created files in /root and /home can be restored. The utility allows users to recover all deleted files, recover files owned by a specified user, dump data from a file location, and recover files of a certain type, such as text or MP3. There is also an analyzer to help users during recovery.
  3. ddrescue (in Ubuntu this utility is called gddrescue) - copies data from a file or hardware device to another location, while attempting to correct any read errors. ddrescue performs its main operations automatically, filling in a log file as it goes. If there are two or more copies of a corrupted file, ddrescue is able to restore the file completely, eliminating all errors.
    ddrescue sets the I/O buffer size to the sector size, so it can be used for sector-by-sector recovery of data from devices.
  4. TestDisk is a powerful free data recovery program. It was developed primarily as a tool for recovering lost partitions and/or restoring disk bootability when the problem is caused by software, viruses, or human error (such as accidental deletion of the partition table). Restoring partition tables with TestDisk is very easy. But TestDisk can also recover deleted files on FAT, NTFS and ext2 file systems, and copy files from deleted FAT, NTFS and ext2/ext3/ext4 partitions. (See the article by V.Simon, "Testdisk - restoring the disk partition table").
  5. foremost - a console program that searches for files on disks or their images using hex data: characteristic headers and footers. The program scans the data for predefined hex codes (signatures) corresponding to the most common file formats. It then extracts the files from the disk/image and puts them in a directory, along with a detailed report on what was restored, how much and from where. The file types that foremost can recover out of the box are: jpg, gif, png, bmp, avi, exe, mpg, wav, riff, wmv, mov, pdf, ole, doc, zip, rar, htm, cpp. Custom formats that the program does not know about can be added in the configuration file /etc/foremost.conf.
    Articles: "Recovering deleted files with foremost", "Recovering deleted files in Linux OS".
  6. R-Linux is a free program for recovering files from the Ext2/Ext3/Ext4 file systems used in Linux and some Unix systems. The scanning technology used in R-Linux and the easily configured program interface give the user absolute control over the data recovery process. R-Linux allows you to copy information and create an image of a whole disk or part of it, and only then work with the image file saved on another medium as with the original disk. R-Linux searches for files of known types using the typical characteristics of their structures, which allows the user to search for and recover files from devices where the file system is unknown - HD, CD, DVD, floppy disks, USB disks, ZIP disks and flash memory devices (Compact Flash Card, Memory Sticks). However, the program lacks the ability to recover data over the network, as well as functionality for reconstructing disk arrays and recovering data from them.
  7. DMDE - DM Disk Editor and Data Recovery Software. Disk editing and data recovery software. In the free version, all functions of the disk editor, partition management and file recovery are available, with the exception of group recovery of files and directories; the full version allows you to restore groups of files and directories while maintaining the directory structure.
  8. PhotoRec is a utility included in the TestDisk package. It is designed to recover corrupted files from digital camera memory cards (CompactFlash, Secure Digital, SmartMedia, Memory Stick, Microdrive, MMC), USB flash drives, hard drives and CD/DVD. It recovers files of most common image formats including JPEG, audio files including MP3, document files in Microsoft Office, PDF and HTML formats, as well as archives, including ZIP. It can work with ext2, ext3, FAT, NTFS and HFS+ file systems, and is able to recover graphic files even if the file system is corrupted or formatted.
    It runs on Linux, DOS, Windows, FreeBSD, NetBSD, OpenBSD, Mac OS X and SunOS operating systems.
  9. Mondo Rescue. The main purpose of this program is to create backup copies of data. It can create backups on magnetic tapes, CDs, on remote media via NFS or as ISO images on local drives. But in case of data damage, the program allows you to restore the data in whole or in part, even if your hard disk is inaccessible by conventional means.
    Mondo runs on all major Linux distributions and supports LVM, RAID, ext2, ext3, JFS, XFS, ReiserFS, VFAT and other file systems. It can restore disk geometry, migrate data to RAID arrays, and check the integrity of the computer's file system. In addition, it allows you to restructure the disk, shrink or grow partitions, reassign devices, and add hard drives.
  10. is a data recovery tool that tries to extract data from accessible but problematic media (with bad sectors). The data source can be external devices (such as CD, DVD, and Blu-ray) and hard drive partitions. The program has the advantage of continuing to run even where other tools terminate because of I/O errors. Conventional copy tools such as cat, cp, or dd do not allow you to create an image of a disk or removable media if a sector read fails.
  11. The Sleuth Kit (TSK) - a set of programs (fls, icat, ffind, ifind, mmls, fsstat, etc.) for forensic analysis of file systems. TSK is a set of UNIX command-line tools that can parse NTFS, FAT, FFS, EXT2FS, and EXT3FS file systems. TSK reads and processes file system structures on its own, so there is no need for file system support in the operating system.
    Articles: Recovering Hidden or Lost Data.
  12. scalpel is a quick file recovery tool. What makes this software unique is that it does not depend on the file system. The program takes the beginnings and endings of files of known formats from its database and tries to find them on the disk. Therefore, recovery is possible both from FATx, NTFS and ext2/3 and from "bare" (raw) partitions.
    Articles: Recover deleted files with Scalpel

In addition to those listed, some articles also mention the utilities magicrescue and ntfsundelete from the ntfstools package.

This list can be very useful if you find yourself in a situation where you need to recover data from damaged media. And it is desirable to master at least some of these tools before there is an urgent need for them. To do this, it makes sense to test them on artificial examples of deleted files, as is done in one of the notes in the list of sources.

In conclusion, a few tips, perhaps trivial but certainly useful, on how to avoid ending up in the unpleasant situation where the tools above are needed. First, you can make it harder to accidentally delete a file or directory. To do this, make sure that rm -i is called instead of the plain rm command. You can do this with the alias command like this:

alias rm="rm -i"

Then, before a removal is performed, you will be asked an additional question about whether you really want it.

Second tip: back up your data as often as possible, every day or even every hour. If you follow this advice, then in the worst case you will lose only the results of the work you did during the last hour. And the data recovery procedures in this case will be much easier to perform. You can automate these procedures using cron and the rsync utility by arranging periodic copying of important files and directories to another disk or partition. Or you can use the Mondo Rescue utility mentioned above. Along the way you will learn how to use it, which can be useful if you ever need to recover data in an emergency.

And third: before you start trying to recover deleted files, make a copy of the partition in which these files were located, and work with the copy, not with the original partition. If you make a mistake again during the recovery process, you can start all over again. If you work with the original partition, you can damage the data irrevocably. You can make a copy of a partition using the dd command (you can read about the use of this command in A. Dmitriev's article "dd: A command that is not like the others").

It is also worth recalling that there are special Linux distributions that run from CD or other removable media and contain a bunch of administration utilities, including data recovery tools. Examples of such distributions include SystemRescue CD and Trinity Rescue Kit.

I believe that the above list will also become obsolete after some time, as happened with the list given in the article mentioned at the beginning of this note. But new tools will appear, perhaps more advanced ones. Check back occasionally at the Linux Software Catalog to keep up to date, or better yet, help keep this catalog up to date. Then in any emergency or regular situation, you or another Linux user will be able to find the necessary tools to solve their problems.

Only the lazy have not written about recovering data from Linux file
systems. There are many different tools for this task, including the
debugfs utility, which easily retrieves any erased files from ext2. But
what about other file systems? How do you recover a lost file from a USB
flash drive or a neighboring NTFS partition? Even the most hardworking
bloggers are silent about this. And yet everything is very simple and prosaic.

It is not always convenient to reboot into another operating system to
check file systems, restore files, resize partitions and perform other
operations on data. Imagine that for several years two operating systems
have been installed on your computer: Windows and Linux. You boot the first
very rarely and only in emergencies, you use the second every day, and you
are already thinking about switching to Linux completely and removing
Windows, except that the NTFS partition holding data accumulated over the
years cannot be converted to ext3 with any tool. You have to keep two
operating systems, because even though the NTFS partition is accessible
from Linux (using ntfs-3g), fixing problems with the file system still
means rebooting into Windows.

And what if the FAT file system on a flash drive dies? Reboot into Windows
again? Or you accidentally deleted a file in a UFS file system belonging to
a FreeBSD installed alongside? Or maybe you are a system administrator and
the Windows recovery disk was not at hand at the right moment? I will answer
all the questions at once: almost everything involved in bringing FAT, NTFS
and UFS file systems back from oblivion, recovering the files stored in
them, diagnostics and much more can be done without leaving Linux. From
this article you will learn how.

Set of tools

Before proceeding to the description of recovery, diagnostics and bringing
dead files back to life, I consider it my duty to acquaint you with the
tools used. First, we will need tools for working with file systems
(creating them, checking them, getting information about them). They are
distributed across three packages:

1. dosfstools - utilities for working with FAT file systems.
The package contains only two programs: mkfs.vfat (mkfs.dos) for creating a
file system and fsck.vfat (fsck.dos) for checking one.

2. ufsutils - a set of utilities for working with UFS and its derivatives
(for example, FFS, used by FreeBSD). Contains eight utilities, including
mkfs.ufs, fsck.ufs, tunefs.ufs (file system tuning), growfs.ufs (resizing)
and others.

3. ntfsprogs - various utilities for working with NTFS. Does not contain
programs for creating or fully checking a file system (a basic check is
possible), but includes a mass of very useful tools, such as ntfscp for
copying files without mounting a partition, ntfsundelete for
"reincarnating" files, the ntfsresize partition resizing tool, the
ntfsclone partition cloning tool and others.

We may also need tools for working with hard disk partitions. There are
three most advanced programs of this type:
parted,
designed for creating partitions, resizing and moving them, and creating
and checking file systems;
gpart,
a program that recovers an erased partition table; and
TestDisk,
an analogue of gpart with a pseudo-GUI and several useful features.

It should be noted that parted is just a good wrapper on top of the file
system utilities described above, so they can do pretty much anything
parted can. Moreover, there is another wrapper around parted itself, called
. It
simply provides a user-friendly GTK GUI in the style of Partition Magic.

In the TestDisk package you will find the PhotoRec utility for recovering
various types of files from a partition, regardless of the file system
used. It works by finding and restoring files by their metadata, without
analyzing the structure of the file system. PhotoRec is able to recover
images (bmp, jpg, png, tiff, raf, raw, rdc, x3f, crw, ctg, orf, mrw), audio
files (wav, au, mp3, wma), video files (avi, mov, mpg), archives (bz2, tar,
zip), documents (doc, pdf, html, rtf), source code files (c, pl, sh). A
number of programs of the same type can be found in the Sleuth Kit package,
for which there is a web interface, Autopsy.

Use cases

In the following sections, we'll look at a few common scenarios for using
the utilities described. First, a detailed description of file recovery
using three different approaches; second, fixing file systems after a
crash; third, cloning a partition to multiple machines; fourth, a
description of transferring data to a smaller partition.

Casting resurrection

To revive dead files on NTFS, we use the already mentioned ntfsundelete
from the ntfsprogs package. It is very easy to use and extremely careful.
If you accidentally wiped a file and immediately unmounted the partition,
rest assured: ntfsundelete will be able to return it to its place safe and
sound.

First you need to view a list of all deleted files:

# ntfsundelete /dev/sda1

The third column of the output shows what percentage of the file has
survived. If it is 100%, everything is OK and the file can be brought back
to life safe and sound; a lower value indicates that some of its parts have
already been overwritten with new data, so after recovery the file will be,
as they say, broken. In some cases the ability to restore even a half-dead
file can make all the difference, but for now let's focus on completely
intact copies. To do this, run the following command:

# ntfsundelete -p 100 /dev/sda1

Wow, how many of them! Let's make the program display only files deleted in
the last 2 days:

# ntfsundelete /dev/sda1 -p 100 -t 2d

That's better. Restore the file whose inode number (first column of the output)
is 11172, to the /undeleted directory:

# ntfsundelete /dev/sda1 -u -i 11172 -d /undeleted

Files can be restored by mask:

# ntfsundelete /dev/sda1 -u -m "*.doc"

Filter by length:

# ntfsundelete /dev/hda1 -S 5k-6m

Or you can recover all deleted files, and only then figure out
what is what:

# ntfsundelete /dev/sda1 -u -m "*" -d /undeleted

The program extracts files with all attributes, including name and creation time.
It is a pleasure to use it.

To recover data from all other file systems, including FAT, UFS, EXT3 and
any other, it is most convenient to use PhotoRec. We launch the program:

In the main menu, select the device to examine (for example, /dev/sda). Click
and select the type of partition table (for PCs, this is Intel). Next,
select the partition, and on the next screen the file system type
(ext2/ext3 or other). Specify the directory where the recovered files
should be placed and press "Y". The directory must be on a different
partition/disk, otherwise you risk making the situation worse by
overwriting the deleted files with new data.

That's it, the recovery process has begun. It can last from 10 minutes to
several hours, depending on the "age" of the file system and the number of
deleted files. You can stop the process at any time by clicking , and
resume it from where it left off by restarting PhotoRec.

In the directory of your choice, you will find a lot of subdirectories with
names like recup_dir.1, recup_dir.2, each containing a large number of
files of different types. PhotoRec does not restore names, so you will have
to spend time sorting through this whole heap.
PhotoRec also has other disadvantages:

  1. It crashes quite often, and files can be damaged, so they must always
    be checked for "brokenness".
  2. The program searches for files by patterns. If you have deleted a file
    whose format PhotoRec does not support, you are out of luck.

Therefore, in addition to PhotoRec, it is necessary to have other means of
analysis and recovery of lost data at hand. The best in this field are the
Sleuth Kit utilities, a huge collection of very diverse tools that various
services investigating hacking incidents and advanced system administrators
love to use in their work. We are far from that, and we are interested in
only two utilities from the whole set: fls and icat, designed for finding
and extracting files (both existing and deleted).

Let's view the list of deleted files using the fls utility:

# fls -rd /dev/sdb1
r/r*117: dsc0005.jpg
r/r*119: dsc0006.jpg
r/r*122: dsc0007.jpg
r/r*125: dsc0008.jpg
r/r*128: dsc0009.jpg

The "-r" flag makes the program go through all directories recursively, and
"-d" shows only deleted files.

Most likely the listing will be very long, and it will also contain inodes
that have already been given to other files (the realloc string in the
third column), so we filter it and send it to less:

# fls -rd /dev/sda1 | grep -v "(realloc)" | less

In the third column you will see the inode numbers, and in the fourth their
names. To extract a file from the file system, use the icat command (the
"-r" flag is for recovering a deleted file):

# icat -r /dev/sda1 1023 > /home/vasya/tmp/my_file

To restore all files, you can use the following command:

# for i in `fls -rd /dev/sdb1 | grep -v "(realloc)" |\
awk '{print $3}' | tr -d ':'`; do icat -r -f fat /dev/sdb1 $i >\
/home/vasya/tmp/inode-$i ; done

If you want to find a specific file, the output of fls can simply be "grepped":

# fls -rd /dev/sda1 | grep -v "(realloc)" | grep my_file.jpg

The great thing about the Sleuth Kit utilities is that they use a wide
variety of methods to search for deleted files and their parts: analysis of
file system control structures, various heuristic methods, and pattern
matching. In fact, with the Sleuth Kit it is possible to bring back to life
even files erased on ext3 (despite the fact that the ext3 developers
themselves speak of the impossibility of such an operation).
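
A more careful version of the fls/icat loop above, as an added example (not from the original article): it parses the fls listing by tab and inode pattern instead of column position, skips directories and reallocated inodes, and writes a manifest that maps each recovered inode-N file back to its original name. The function names, the manifest file name and the sample listing are constructed for this example; recover_deleted assumes the Sleuth Kit's fls and icat are installed.

```shell
#!/bin/sh
# Added example: recover deleted files with fls + icat, keeping their names.

# parse_fls_deleted: reads `fls -rd` output on stdin and prints
# "inode<TAB>name" for every deleted regular file whose inode has not been
# reallocated to another file.
parse_fls_deleted() {
    awk -F'\t' '
    {
        meta = $1                       # e.g. "r/r * 117:" (text before the tab)
        sub(/^[+ ]+/, "", meta)         # drop "+" depth markers of nested entries
        # Keep only deleted entries ("*") with a plain inode address;
        # "117(realloc):" fails this match and is skipped.
        if (meta !~ /^[^ ]+ \* [0-9][0-9-]*:$/) next
        split(meta, part, " ")
        if (index(part[1], "d")) next   # skip directories (d/d)
        inode = part[3]
        sub(/:$/, "", inode)
        name = substr($0, index($0, "\t") + 1)
        print inode "\t" name
    }'
}

# recover_deleted IMAGE OUTDIR: extract every entry reported by the parser
# from IMAGE (a dump or an unmounted partition) into OUTDIR/inode-N and
# write OUTDIR/manifest.tsv. OUTDIR must be on another disk or partition.
recover_deleted() {
    image=$1
    outdir=$2
    tab=$(printf '\t')
    mkdir -p "$outdir" || return 1
    fls -rd "$image" | parse_fls_deleted >"$outdir/manifest.tsv"
    while IFS=$tab read -r inode name; do
        icat -r "$image" "$inode" >"$outdir/inode-$inode" ||
            echo "icat failed for inode $inode ($name)" >&2
    done <"$outdir/manifest.tsv"
}

# Constructed sample of fls output, used to try the parser without a disk.
sample_fls_output() {
    printf '%s\t%s\n' \
        'r/r * 117:'          'dsc0005.jpg' \
        'r/r * 119(realloc):' 'dsc0006.jpg' \
        '+ r/r * 122:'        'holiday photo 7.jpg' \
        'd/d * 125:'          'old_album' \
        'r/r 128:'            'dsc0009.jpg' \
        '-/r * 64-128-2:'     'report (realloc).doc'
}

# Try it:  sample_fls_output | parse_fls_deleted
```

Unlike a plain grep -v "(realloc)", the parser tests only the inode field, so a deleted file whose own name contains "(realloc)" is still listed.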

Fixing file systems

Repairing a broken file system is very easy. It is enough to use the
standard utilities fsck.vfat (for FAT12, FAT16 and FAT32 file systems),
fsck.ufs (for UFS, UFS2, FFS) and ntfsfix (for NTFS).

Unfortunately, ntfsfix is unable to fix NTFS completely. It only fixes some
of its problems and sets the forced file system check flag, so that the
next boot into Windows launches chkdsk for a full check of the file system.

Using a virtual machine, we can avoid the need to reboot into Windows. To
do this:

  1. Start the virtual machine and install Windows on the virtual hard
    disk.
  2. Unmount the partition containing the NTFS file system.
  3. Start the virtual machine, specifying the virtual disk with Windows as
    the first hard disk and our real hard disk as the second.
  4. Start a check of the NTFS partition using standard Windows tools.

Partition copying

Let's say you bought a new hard drive and want to move some partitions from
the old disk to the new one. If you do it the standard way, by creating a
new partition and copying the files manually, you risk running into a lot
of problems with filename encodings, special files and protected files, and
you will lose a lot of time. It is better to use partition cloning.

UNIX users clone partitions with the standard dd utility, which can be used
with any file system. To do this, a partition identical in size to the
source is created on the new disk and the command "dd if=partition1
of=partition2 bs=1M" is run. An NTFS partition can be copied the same way,
but the ntfsprogs package has a better utility for this purpose.

The ntfsclone program is identical in functionality to the dd command
except for two features. First, it does not copy unused areas of the file
system, so the transfer is faster and the partition image (if you create an
image) takes up less space. Second, ntfsclone can save the image in a
special compressed file that is convenient to transfer to other machines.

To clone a partition, just run the following command:

# ntfsclone --overwrite /dev/hda1 /dev/hdb1

And to create an image:

# ntfsclone --save-image --output backup.img /dev/hda1

The ntfsclone utility is especially handy if you decide to copy an
installed Windows to a whole fleet of other machines (a classroom or an
office). To do this, it is enough to install Windows on one machine and
create an image, which can then be placed on a network share and written to
the other machines using a Linux LiveCD. For them to be able to boot, you
will also have to copy the disk's MBR:

# sfdisk -d /dev/sda > /share/sda-sfdisk.dump
# dd if=/dev/sda bs=512 count=1 of=/share/sda-mbr.dump

And then write it to the disk of all machines:

# sfdisk /dev/sda < /share/sda-sfdisk.dump
# dd if=/share/sda-mbr.dump of=/dev/sda

Data transfer

What should you do if you have decided to switch to Linux completely, but
do not want to use various tricks and ntfs-3g to access your old data
located on an NTFS partition? After all, this partition may occupy most of
the disk, and there may be no way to simply copy its contents to a new
partition formatted as ext3/ext4. In this case utilities from the ntfsprogs
package will come to your aid again, or rather one of them, ntfsresize,
which makes it possible to copy the data to the new file system in small
portions, each time reducing the size of the NTFS partition and increasing
the ext3/ext4 partition. For this you will need a LiveCD containing
ntfsprogs and e2fsprogs of at least version 1.41 (for ext4 support, if you
are going to transfer the data to it). It is also highly desirable that the
LiveCD contains a recent gparted, because resizing manually is difficult
and dangerous (besides resizing the file system itself, you have to resize
the partition using fdisk; one mistake and the whole operation has to be
started over).

So, we boot from the LiveCD and mount the hard disk partitions. Let's say
the disk size is 120 GB. Of these, 80 GB is a completely full NTFS
partition, and the remaining 30 GB (yes, exactly 30: after converting
marketing gigabytes into real ones, the disk turns out to be approximately
111 GB) is a partition with Linux installed, of which 5 GB is occupied. So
our window is approximately 25 GB. Move files from the NTFS partition to
the ext3/ext4 partition until their combined size equals the size of the
window. As a result, the latter is completely filled, and the former "loses
weight" by 25 GB. Unmount both partitions and run gparted. Select the NTFS
partition, right-click, select Resize/Move and shrink the partition by the
size of the window, then select the ext3/ext4 partition and enlarge it by
the same window size (the partition will have to be moved toward the
beginning of the disk and then enlarged). This gives us another 25 GB of
freed space, which lets us copy some more files and then resize again. Four
such passes, and we delete the NTFS partition completely and expand the
ext3/ext4 partition to the entire disk.

Conclusions

As you can see, Linux can not only work with many third-party file systems,
but is also equipped with a mass of utilities for modifying them,
diagnosing them and performing other operations. You will never find
yourself in a hopeless situation if you keep a Linux-based LiveCD at hand,
which is the very holy grail of any system administrator and user.

www

Foremost, another popular program for
recovering files by patterns.

www.sysresccd.org -
The System Rescue CD contains all the programs mentioned in the article.

If the data is extremely important to you and you doubt your abilities or knowledge, immediately disconnect the media and take it to a service center. Attempts to solve the problem on your own can make the situation worse, up to the point where nothing can be restored at all.

First of all, it is very important to minimize work with a damaged drive, otherwise the probability of data recovery is significantly reduced.

If you accidentally delete a file from a partition, you should set the partition to read-only mode as soon as possible and prevent any attempts to write to it.

If you mistakenly installed the operating system on a disk/partition with important data, then it is strongly not recommended to boot the system from this disk/partition. For further work, you should use a LiveCD/USB or a system booted from another disk/partition.

In addition, to save the recovered data, you will need another drive with a capacity no less than the original one.

To reduce possible information loss during an unsuccessful recovery attempt, you should make a full dump of the damaged volume (FS, partition, or the entire disk, depending on how the source data was located) via dd or ddrescue to a separate medium and then experiment with this dump:

sudo dd if=/dev/sdXY of=/path/to/dump.img
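
The same dump made a little more carefully, as an added example (not code from the original page): the source is read only once and hashed while it is copied, the image is then verified against that hash and made read-only before any experiments. The function name, the `.sha256` and `.dd.log` file names and the use of sha256sum are assumptions of this example; for media with bad sectors ddrescue remains the better imaging tool.

```shell
#!/bin/sh
# Added example: image a partition once, verify the dump, protect it.
# Assumes GNU coreutils (dd, tee, sha256sum); names are illustrative.

# image_partition SRC DST
#   SRC  block device or file to dump (e.g. /dev/sdXY, unmounted or read-only)
#   DST  image file on a *different* medium
# Prints the SHA-256 of the verified image; returns non-zero on any problem.
image_partition() {
    src=$1
    dst=$2
    log="$dst.dd.log"

    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    # Never overwrite an earlier dump: it may be the only good copy left.
    [ ! -e "$dst" ] || { echo "refusing to overwrite $dst" >&2; return 1; }

    # Read the source exactly once. The exit status of dd is saved to a file
    # because the exit status of a pipeline is that of its last command.
    src_sum=$(
        {
            rc=0
            dd if="$src" bs=4M 2>"$log" || rc=$?
            echo "$rc" >"$dst.dd.rc"
        } | tee "$dst" | sha256sum | cut -d' ' -f1
    )
    rc=$(cat "$dst.dd.rc")
    rm -f "$dst.dd.rc"
    if [ "$rc" != 0 ]; then
        echo "dd failed (status $rc), see $log; image is incomplete" >&2
        return 1
    fi

    # Re-read only the image (not the damaged medium) to confirm that what
    # landed on disk matches what was read.
    dst_sum=$(sha256sum <"$dst" | cut -d' ' -f1)
    if [ "$src_sum" != "$dst_sum" ]; then
        echo "hash mismatch: image does not match the data read" >&2
        return 1
    fi

    # Record the hash next to the image and drop write permission so that
    # recovery experiments are run on copies of the dump, not on the dump.
    printf '%s  %s\n' "$dst_sum" "$(basename "$dst")" >"$dst.sha256"
    chmod a-w "$dst" "$dst.sha256"
    printf '%s\n' "$dst_sum"
}

# Usage (as root, with the real partition in place of sdXY):
#   image_partition /dev/sdXY /path/to/dump.img
```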

testdisk

Fate often arranges things so that the diploma is due the day after tomorrow, and today the hard drive with all the information has died. On Linux, the de facto standard for data recovery is the testdisk utility. However, a person encountering it for the first time often finds it obscure and gives up on it, because it does not have a graphical interface.

Many Linux newbies who are accustomed to Windows GUI programs are intimidated by console programs that require entering commands with little-known arguments and switches. Manuals for such software are often either in English or too complex to understand at a glance, and the person retreats from the goal. Often they have to turn to Windows again, looking for a "reliable and understandable" (GUI) program there and spending a lot of time on it, instead of lifting their taboo on using the console.

Specially for this article, I found an old unneeded flash drive and recorded some music and video on it. After that, the size and position of the partition were changed in GParted (and the flash drive was pulled out of the computer at the very climax), and finally everything was finished off by creating a new partition table.

Bottom line: when connected, the flash drive is not detected by the computer, and there is important information on it. Let's restore it.

1. First you need to install testdisk. To do this, run the following in the console:

sudo apt-get install testdisk

2. Run testdisk with administrator rights

sudo testdisk

The testdisk welcome window appears, and we are invited to keep a log of the work. In this case I do not see the point in this, but you can do otherwise. Select the desired menu item and confirm the choice: No Log → Enter.

3. The available media appear. Select the desired one and confirm by pressing Proceed.

4. You are asked to choose the type of partition table. I think that in most cases it will be the Intel/PC Partition type.

5. A menu appears with a choice of operations. To begin with, we analyze by choosing Analyze.

6. In the Analyze section, choose Quick Search.

7. The last question before the analysis starts: "Should testdisk look for partitions created using Windows Vista?" In my case, no, so I choose N.

Analysis ran...

Analysis completed. Warning. Either some partitions were not found, or the partition table could not be written because the partitions overlapped.

8. Now you can start restoring information. In this case, we are interested in 2 options.

    Get a list of the files contained in this partition by pressing P, and then restore the files of interest from the list

    Try to load a backup copy of the partition table by pressing L, which will return the media to its original state before the crash

Display the list of files by pressing P.

From here you can also try to copy especially important files and folders, particularly if you are afraid that instead of being restored the data will be lost completely, even in its damaged form. For example, I will copy a music album. Highlight the desired item with the cursor and press C to copy. A file manager appears, where you can choose the destination. A folder named restored has been specially created in the home directory for this purpose.

We go into it and confirm copying by pressing Y.

We open the folder in Nautilus and see that all the files are in place and can be listened to.

9. So, the especially important information has been saved just in case, but our goal is to bring the media back to normal working condition. From any testdisk menu you can return to the previous one using the Q key. In this way we return to point 8.

Let's try to return everything to its original state before the breakdown by loading a backup copy of the partition table. Press L. In the window that appears, select Load

…and confirm our intentions with Y.

That's it, the recovery process is over. Disconnect and reconnect the damaged media. Now it is detected, and all files are in place, safe and sound.

I wish you good luck with your recovery!

extundelete

You can install extundelete by running the command:

sudo apt-get install extundelete

As soon as you realize that you have deleted files you need, unmount the partition:

umount /dev/<partition>

or remount it in read-only mode:

mount -o remount,ro /dev/<partition>

You should also create a backup copy of the partition before you start restoring files from it:

dd bs=4M if=/dev/<partition> of=partition.backup

Go to the directory where the deleted data will be restored. It must be located on a partition different from the one on which the data being recovered was stored:

cd /<path_to_directory_for_restored_data>

Run extundelete, specifying the partition to restore from and the file to be restored:

sudo extundelete /dev/<partition> --restore-file /<path_to_file>/<file_name>

You can also restore the contents of directories:

sudo extundelete /dev/<partition> --restore-directory /<path_to_directory>

You can limit recovery to files deleted within a given time frame, for example:

sudo extundelete --after <date> /dev/<partition> --restore-directory /<path_to_directory>

The date must be specified in UNIX time:

date -d "March 28 19:34" +%s

Some files may be restored under a different name and extension, although this will not affect the contents of the file.

Foremost

Well suited for recovering photos and screenshots from broken memory cards and flash drives.

Foremost searches for and recovers data by signatures.

Installation:

sudo apt-get install foremost

Usage example for restoring images from /dev/sdb to ~/out_dir:

sudo foremost -t jpg,gif,png,bmp -i /dev/sdb -o ~/out_dir

A GUI for Foremost can be downloaded from a friendly forum.

R-studio

The utility is paid. However, judging by several forum threads, in severe cases it can give better results than testdisk.

R-Studio allows you to recover lost data from a damaged, formatted, reformatted or deleted drive (partition) of a local or remote computer, regardless of the system (platform) used.

scalpel

Installation:

sudo apt install scalpel

Scalpel identifies files by the header and footer specified in the template:

/etc/scalpel/scalpel.conf

To choose the file types to be recognized, uncomment the corresponding lines in the template above. Be careful, however: the header and footer of your files often differ from those the template specifies for that file type (for example, sony jpg). In that case you need to work out the header and footer of the files you are looking for yourself, using an existing similar file as the example:

xxd -l 0x04 filename; xxd -s -0x04 filename

and add them to the config file.

Using scalpel:

sudo scalpel input.iso -o outputdir

The source path can be either the path to the real device /dev/… or the path to the disk image. The outputdir directory for saving files must be empty.

Have you often encountered situations when you needed to recover data?

You accidentally deleted a file and changed your mind when it was already too late, without knowing how to restore it. Or you installed an operating system and, not understanding the disk layout, formatted a disk holding all your data: music, movies, home photos and more. You are in despair, not knowing whether everything can be restored bit by bit, and that is only a small part of dealing with the consequences of the problem. Data in Linux can be restored, and there are utilities for this, both paid and free. Today we will discuss 7 utilities that help with data recovery in Ubuntu Linux.

In addition to cases of erroneous deletion of data, situations are possible when the media is damaged, bad sectors appear on the disk, the CD is scratched, and so on. In such situations, data recovery tools are also needed.

In part, of course, this all helped, but most of the data was still lost. Now imagine the situation: you are a student preparing a term paper, a week or two remains before the deadline, and the hard drive holding your paper has died. What do you do in this situation?

I know that many users have been accustomed to working with a graphical interface ever since they worked on the system, but today we will also discuss console utilities, since many of them are no worse at recovery and in some situations are even better.

How to recover data and what applications to use?

How to Recover Lost Data with TestDisk

TestDisk is powerful free data recovery software. It was designed primarily to help recover lost partitions and/or make disks bootable again when the problem is caused by software, viruses, or human error (such as accidental deletion of the partition table). Recovering partition tables with TestDisk is very easy.

What can TestDisk do:

  • Fix partition table, recover deleted partitions;
  • Restore FAT32 boot sector from backup;
  • Rebuild (reconstruct) FAT12/FAT16/FAT32 boot sector;
  • Fix the FAT table;
  • Rebuild (reconstruct) the NTFS boot sector;
  • Restore NTFS boot sector from backup;
  • Restore MFT using MFT mirror;
  • Locate the backup ext2/ext3/ext4 superblock;
  • Recover deleted files on FAT, NTFS and ext2 file systems;
  • Copy files from deleted FAT, NTFS and ext2/ext3/ext4 partitions.

TestDisk is suitable for both beginners and experts. For those who know little or nothing about data recovery methods, TestDisk can be used to collect detailed information about non-bootable drives, which can then be used for further analysis. Those who are already familiar with such procedures should find TestDisk a handy tool when performing a restore.

To try to recover the data, first install the testdisk utility: open the terminal with Ctrl + Alt + T and run the following command:

sudo apt-get install testdisk

The utility takes up a little more than 300 KB, which is very little. After installation, run it from the same terminal with the command:

sudo testdisk

1. Once it has launched, the first window offers to keep a log. Select the item "No Log" and press "Enter".

2. Next, it prompts you to select the required disk. Move through the items with the up and down arrows, select the desired disk, then switch to "Proceed" and press "Enter".

3. You are then prompted to select the partition table type. In most cases this is the first item, "Intel/PC Partition", which is selected by default. Press "Enter".

5. After that the analysis ran very quickly, since I chose a 14 GB flash drive. When the analysis ends, we see a window with the results. To see a list of the files found, press the "P" key (with the English keyboard layout active).

6. We see a list of files and folders that can be restored. Use the arrow keys to move through it and select the folders and files to copy.

Having chosen a folder to copy, press the "C" key. A file manager then appears, asking which folder on the computer to copy the files to. I selected the "Downloads" directory, then pressed "C" once more to confirm copying to this directory. That is probably all for the testdisk utility: it is very easy to learn, there is nothing complicated, and the main thing is attentiveness.

How to recover data using the extundelete utility

A good utility that allows you to recover deleted files on ext3/ext4 file systems.

First, install the extundelete utility by running this command in the terminal:

sudo apt-get install extundelete

After you have deleted important files from a flash drive or hard drive, it is important to unmount the partition immediately by running this command in the terminal:

umount /dev/sda

where the device name must be replaced with the number / identifier of your disk. To find it, look at the list of partitions in the system by running this command in the terminal:

sudo fdisk -l

This prints a lot of text; scroll to the very bottom, where you will see something like this:

Device     Boot     Start       End   Sectors   Size Id Type
/dev/sda1            4094 394020863 394016770 187.9G  f W95 ext. (LBA)
/dev/sda2  *    394020900 488391119  94370220    45G  7 HPFS/NTFS/exFAT
/dev/sda5            4096     14335     10240     5M 17 Hidden HPFS/NTFS
/dev/sda6         2199552 299649023 297449472 141.9G  7 HPFS/NTFS/exFAT
/dev/sda7       299651072 310134783  10483712     5G 82 Linux swap / Solaris
/dev/sda8       310136832 394020863  83884032    40G 83 Linux

Here we look for the flash drive or disk; as a result I get the following command:

umount /dev/sdb1

If the flash drive does not appear in this list, you can find it by running the GParted utility.

Alternatively, you can remount the media in read-only mode:

mount -o remount,ro /dev/sda

You should also create a backup copy of the partition before you start restoring files from it:

dd bs=4M if=/dev/sda of=partition.backup

It is also worth adding that you need a separate disk onto which the deleted data will be recovered. It must be a separate partition, not the one from which we are trying to restore the data. Go to the directory on this other disk where the files will be restored:

cd /<path_to_directory_for_restored_data>

After these preparations, run the extundelete utility, specifying the partition to restore from and the deleted file that needs to be restored:

sudo extundelete /dev/sda --restore-file /<path_to_file>/<file_name>

The extundelete utility also allows you to restore the contents of directories:

sudo extundelete /dev/sda --restore-directory /<path_to_directory>

You can limit recovery to files deleted within a given time frame, for example:

sudo extundelete --after <date> /dev/sda --restore-directory /<path_to_directory>

The date must be specified in UNIX time:

date -d "March 28 19:34" +%s

Restoring data using the GParted utility

Yes, this is a powerful disk management utility, similar to Acronis and no worse than it, and it also allows you to recover data from disks. First of all, let's install the GParted utility itself by running this command in the terminal:

sudo apt install gparted

Next you need to install an additional utility so that GParted's data recovery functionality becomes available. Run the following command in the terminal:

sudo apt install gpart

Done. Start GParted from the Ubuntu menu - System Utilities - Administration - GParted, or find it using Dash search. After it starts, you will see your current drives. Select the one you need, then go to the menu Device - Try to recover data:

press the "Ok" button and wait for the scan to complete.

After the scan is completed, you will see a new window that invites you to click the "Browse" button and copy the recovered files, which are temporarily placed in the "TMP" directory. After GParted is closed that folder will be empty and the files will disappear, so copy all the files you need while the application is open.

How to recover photos using the Foremost utility

Foremost is a console utility that does a very good job of recovering files from broken memory cards, flash drives and disks. The program finds files by matching certain hex codes (signatures) that correspond to particular file formats. It then copies them from the disk/image into the output directory and writes a detailed report on how much was restored and from where. The types of files that foremost can recover are: jpg, gif, png, bmp, avi, exe, mpg, wav, riff, wmv, mov, pdf, ole, doc, zip, rar, htm, cpp. It is also possible to extend this list with your own formats, but for this you need to edit the config (/etc/foremost.conf) and add the formats that the program does not yet know about.

To use the Foremost utility, first of all you need to install it. Open the terminal with Ctrl + Alt + T and run the following commands:

sudo foremost -t jpg,gif,png,bmp -i /dev/sdb -o ~/dir_recovery

The photo file formats to search for are listed separated by commas, "jpg,gif,png,bmp". Next comes where to look, "/dev/sdb"; as you can see, this is a flash drive, and it usually looks like "/dev/sdb1". Last comes where to put the files that are found: "~/dir_recovery" is an example of a directory in the user's home directory, and of course you specify your own existing folder.

You can read more about using the utility in the Russian-speaking Runtu community. Articles: "Recovering deleted files using foremost", "Recovering deleted files in Linux OS".

How to recover data using the Scalpel utility

Scalpel is a set of tools for fast file recovery. What makes the utility unique is that it does not depend on the file system in any way. It takes the known file formats from its database and tries to find such files on the disk according to its own patterns, looking for the beginning and end of each file. It can help with recovery on file systems such as FATx, NTFS and ext2/3, and also from "RAW" partitions.

Install the utility by running this command in the terminal:

sudo apt install scalpel

The utility works according to its template /etc/scalpel/scalpel.conf. If you want to restore files of a certain format, open the config and uncomment the corresponding lines for this file type. When editing the config template, be very careful not to break it and not to delete anything by accident.

Scalpel example:

sudo scalpel file.iso -o dir_recovery

The recovery directory "dir_recovery" must be empty. file.iso is an example of the data that we need to restore; we know that we had such an image with exactly this name. We can specify not only the file directly but also the full path to the device from which we need to restore, like /dev/sdb1/directory_name/directory_name2/filename.
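The header and footer lookup that the earlier scalpel notes do with xxd, and the scalpel.conf template mentioned above, as an added shell example (not part of the original article). It uses od instead of xxd so that only POSIX tools are needed; the sample files are constructed, and the function names, the 4-byte/2-byte lengths and the JFIF-style template header are assumptions.

```sh
#!/bin/sh
# Added example: check a sample file against a template header and
# derive a scalpel.conf rule line from the sample's own first/last bytes.
set -eu

# First N bytes of FILE as lowercase hex without separators.
hex_head() {  # usage: hex_head FILE N
    od -An -v -tx1 -N "$2" "$1" | tr -d ' \n'
}

# Last N bytes of FILE as lowercase hex without separators.
hex_tail() {  # usage: hex_tail FILE N
    tail -c "$2" "$1" | od -An -v -tx1 | tr -d ' \n'
}

# "ffd8ffe1" -> "\xff\xd8\xff\xe1", the escape form used in scalpel.conf.
to_scalpel_escape() {
    printf '%s' "$1" | sed 's/../\\x&/g'
}

# Succeeds if FILE begins with the header given in scalpel escape form.
header_matches() {  # usage: header_matches '\xff\xd8...' FILE
    want=$(printf '%s' "$1" | sed 's/\\x//g' | tr 'A-F' 'a-f')
    len=$(( ${#want} / 2 ))
    [ "$(hex_head "$2" "$len")" = "$want" ]
}

# One rule line: extension, case-sensitive flag, max size, header, footer.
scalpel_rule() {  # usage: scalpel_rule EXT MAX_SIZE FILE HEAD_LEN TAIL_LEN
    printf '%s\ty\t%s\t%s\t%s\n' "$1" "$2" \
        "$(to_scalpel_escape "$(hex_head "$3" "$4")")" \
        "$(to_scalpel_escape "$(hex_tail "$3" "$5")")"
}

# --- constructed samples: a JFIF-style and an Exif-style JPEG skeleton ---
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
printf '\377\330\377\340\000\020JFIF\000image-data\377\331' > "$work/jfif.jpg"
printf '\377\330\377\341\000\052Exif\000\000image-data\377\331' > "$work/exif.jpg"

# Assumed template header (JFIF style); compare it with your own template line.
TEMPLATE_HDR='\xff\xd8\xff\xe0\x00\x10'

for name in jfif exif; do
    if header_matches "$TEMPLATE_HDR" "$work/$name.jpg"; then
        echo "$name.jpg: template header matches"
    else
        echo "$name.jpg: template header does not match, rule from sample:"
        scalpel_rule jpg 200000000 "$work/$name.jpg" 4 2
    fi
done
```

The rule line printed for the non-matching sample is what would be added to the config file; check the derived header against several of your own files before relying on it.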

How to recover data using R-Linux

R-Linux is a free program for recovering data from the Ext2/Ext3/Ext4 FS file systems used in Linux and some Unix operating systems (OS). The scanning technology used in R-Linux and the program's easy-to-configure interface give the user absolute control over the data recovery process. The program recovers data from existing logical drives even if the file records are lost. However, the program lacks the ability to recover data over the network, as well as the functionality for reconstructing disk arrays and recovering data from them.

There are two versions of the R-Linux utility: for Linux OS and for Windows OS. They have the same functionality; the only difference is the host OS.

R-Linux restores the following files:

  • Deleted as a result of a virus attack, power failure or system damage;
  • From damaged or deleted partitions, after partition formatting, even to a partition with a different file system;
  • When the structure of a partition on a disk has been changed or corrupted. In this case, R-Linux can scan the hard disk, find a previously deleted or damaged partition, and only then recover data from the found partition.
  • From hard drives that have a large number of bad sectors. R-Linux allows you to copy information and create an image of a whole disk or part of it, and only then work with the image file saved on another medium as with the original disk. This is especially useful and effective when the number of bad sectors on the disk is constantly growing, and the remaining information needs to be saved immediately.

What can R-Linux do:

  • Host operating system (OS): the Linux version runs on any Linux OS based on kernel 2.6+; the Windows version runs on Win2000, XP, 2003, Vista, Windows 7, Windows 8/8.1, Windows Server 2008/2012
  • Supported file systems: Ext2/Ext3/Ext4 FS (Linux) only.
  • Recognition and analysis of schemes of Dynamic (Windows 2000/XP/2003/Vista/Win7), Basic, BSD (UNIX) partitions and APM partition scheme (Apple Partition Map). Support for dynamic partitions on GPT as well as MBR.
  • Create an IMAGE FILE for an entire physical disk, partition, or part of it. Disk image files can be treated by the program like a normal disk. Two types of images are possible: 1) Images that are an exact byte-by-byte copy of an object (uncompressed images); such images are compatible with previous R-Linux versions. 2) Compressed images, which can be compressed, split into multiple files and password protected. Such images are fully compatible with images created by the R-Drive Image program, but are incompatible with previous versions of R-Linux.
  • The recovered files can be saved to any drive, including a network drive, accessible by the local operating system.
  • Monitoring of S.M.A.R.T. parameters. R-Linux can display the S.M.A.R.T. (Self-Monitoring, Analysis and Reporting Technology) parameters of hard drives, which show the state of their hardware and predict possible failures. Any additional load on such disks should be avoided if warnings from the S.M.A.R.T. system appear.
  • Search for deleted versions of files. R-Linux can search for deleted versions of files using their sizes, names, extensions, and recognized file types as search parameters.

If you do not understand something about the application, you can read the reference guide at the link; the manual is quite extensive, and you will find answers to many questions there.

How to install R-Linux

Install R-Linux

After the installation is completed, look for the application in the Ubuntu menu - System Utilities - R Linux. On first launch the application is in English, but do not be alarmed: Russian is supported as well. Go to the Help menu - Interface Language and select Russian. Done.

If you need to restore files, connect the media, a flash drive in this example. Once you see on the Ubuntu sidebar that the flash drive has been detected, click the refresh button in the application to see your media. Next, select the partition of the flash drive with the mouse cursor and click "Scan".

As you can see, we are offered the chance to configure the scan in more detail: whether to search for known file types, whether to keep a log, and where exactly to search. You can specify the byte offset at which scanning should start, 0 by default, or enter your own values.

Scanning has started. Wait until it is completed and do not cancel it under any circumstances; sometimes that can end badly for a flash drive. When the scan is completed, we see the following picture:

below the flash drive's partition there is an area called "Found by signatures". Click on it with the mouse cursor and you will see a new window:

click on the line "Files found by information about typical features of their data structure". After clicking on this link, we will see something like this:

select the directories you need and click the "Restore Marked" button. I checked this as a test and the utility works well. Try it and report back on how it performs in practice in a real situation, when data is lost, files are deleted, and so on.

How to recover data using the R-Studio utility

A paid utility, but it is worth it, as it will help out even in the most difficult situations.

You can install R-Studio from our repository at the link.

An advanced utility, the best among data recovery utilities. It works with NTFS, NTFS5, ReFS, FAT12/16/32, exFAT, HFS/HFS+ (Macintosh), Little and Big Endian variants of UFS1/UFS2 (FreeBSD/OpenBSD/NetBSD/Solaris) and Ext2/Ext3/Ext4 FS (Linux). R-Studio also uses file recovery by signatures (a search for files of known types during scanning) for badly damaged or unknown file systems. The program allows you to recover data both locally and on remote computers over the network, even if disk partitions have been formatted, damaged or deleted.

R-Studio includes:

  • RAID reconstruction module
  • Versatile text/hexadecimal editor with a wide range of features
  • A separate module for backing up the system and data (disk copying), which allows us to consider R-Studio the most optimal and complete solution for building a data recovery workstation.

R-Studio restores files:

  • Deleted outside the Recycle Bin or when the Recycle Bin has been emptied;
  • Deleted by a virus attack or a computer power failure;
  • After the file partition has been reformatted, even to a partition with a different file system;
  • When the partition structure on the hard drive has been changed or damaged. In this case, using the R-Studio program, you can scan the hard drive, find a deleted or damaged partition, and only then recover data from the found partition.
  • From hard drives that have a large number of bad sectors. The R-Studio recovery program can first copy the information and create an image of the whole disk or part of it, and only then work with the image file saved on other media as with the original disk. This is especially useful and effective when the number of bad sectors on the disk is constantly growing, and the remaining information needs to be saved immediately.

By order of the Ministry of Justice of the Russian Federation dated November 26, 2015 No. 269, R-STUDIO was included in the list of requirements for the minimum configuration of the material and technical base for several types of forensic examinations conducted in federal budgetary forensic institutions of the Ministry of Justice of the Russian Federation.

What R-Studio utility can do:

  • Standard "Windows Explorer" style user interface.
  • Host operating system (OS): Windows 2000, XP, 2003 Server, Vista, 2008 Server, Windows 7, Windows 8/8.1/10, Windows Server 2012.
  • Data recovery over the network. Files can be recovered over the network from remote computers running Win2000/XP/2003/Vista/2008/Windows 7/8/8.1/10/Windows Server 2012, Macintosh, Linux and UNIX.
  • Supported file systems: FAT12, FAT16, FAT32, exFAT, NTFS, NTFS5, ReFS (new local file system introduced by Microsoft in Windows 2012 Server), HFS/HFS+ (Macintosh), Little and Big Endian variants of UFS1/UFS2 (FreeBSD/OpenBSD/NetBSD/Solaris) and Ext2/Ext3/Ext4 FS (Linux).
  • Searching for files of known types when scanning (recovering files by signatures): if the file system on the disk is badly damaged or unknown, R-Studio looks for data patterns (file signatures) characteristic of certain file types (Microsoft Office documents, JPEGs, etc.). If necessary, the user can add new types of files to R-Studio.
  • Recognition and analysis of schemes of Basic (MBR), GPT and BSD (UNIX) partitions, as well as Apple partition schemes. Support for Dynamic Volumes (Windows 2000-2012/8.1/10) on MBR and GPT.
  • Support for Windows Storage Spaces (Windows 8/8.1 and 10/Threshold 2), Apple software RAID and Linux Logical Volume Manager (LVM/LVM2). R-Studio can automatically recognize and assemble the components of these disk managers even if their databases are slightly damaged. Their components with severely corrupted databases can be added manually.
  • Reconstruction of damaged disk arrays (RAID). If the OS does not recognize the disk array (RAID), you can create a virtual RAID from its components. Such a virtual array can be processed by the program as a regular physical array. Support for standard RAID levels: 0, 1, 4, 5, 6. Support for nested and non-standard levels: 10(1+0), 1E, 5E, 5EE, 6E. Parity delay support for all relevant RAID levels. Support for custom RAID schemes.
  • Automatic recognition of RAID parameters. R-Studio is able to recognize all parameters for RAID 5 and 6. This allows the user to solve one of the most difficult tasks in RAID recovery: determining its parameters.
  • Creating an IMAGE FILE for an entire Physical Disk (HD), Partition or part of it. These image files can be compressed and split into multiple files for storage on CD/DVD/Flash or FAT16/FAT32/exFAT. Disk image files can be treated by the program like a normal disk.
  • Data recovery from damaged or deleted partitions, encrypted files (NTFS 5), alternative data streams (NTFS, NTFS 5).
  • Data recovery after running FDISK or similar utilities, a virus attack, FAT corruption, or destruction of the MBR.
  • Recognition of localized names.
  • The recovered files can be saved to any drive, including a network drive, accessible by the local operating system. The recovered files can be saved on another drive of the connected remote computer without being downloaded over the network to the local computer.
  • View the contents of files to assess the chances of recovery. The contents of most file types (formats) can be viewed even if the corresponding application for the file is not installed.
  • Files or disk contents can be viewed and edited using the built-in hex editor. The editor supports editing the properties of NTFS files.
  • Monitoring of S.M.A.R.T. parameters. R-Studio can display the S.M.A.R.T. (Self-Monitoring, Analysis and Reporting Technology) parameters of hard drives, which show the state of their hardware and predict possible failures. Any additional load on such disks should be avoided if warnings from the S.M.A.R.T. system appear.
  • Integration with DeepSpar Disk Imager, a professional hard drive imaging device specifically designed to recover data from failed drives. This integration gives low-level, fine-grained access to disks with a certain level of hardware failure. Moreover, it allows you to create a disk image and analyze it at the same time. That is, any sector accessed by R-Studio on the source disk is immediately copied to the clone disk, and all subsequent data recovery operations are performed on the clone disk to prevent further deterioration of the source disk and significantly reduce the processing time.

There are also other utilities for data recovery:

  1. is a data recovery tool that tries to extract data from accessible but problematic media (with bad sectors). Data sources can be external devices (such as CDs, DVDs, and Blu-rays) and hard disk partitions. The program has the advantage of continuing to run even where other tools terminate because of I/O errors. Conventional copy tools such as cat, cp, or dd do not allow you to create an image of a disk or removable media if a sector read fails.
  2. PhotoRec is a utility included in the TestDisk package. Designed to recover corrupted files from digital camera memory cards (CompactFlash, Secure Digital, SmartMedia, Memory Stick, Microdrive, MMC), USB flash drives, hard drives and CD/DVD. Recovers files of most common image formats including JPEG, audio files including MP3, document files in Microsoft Office, PDF and HTML formats, as well as archives, including ZIP. It can work with ext2, ext3, FAT, NTFS and HFS+ file systems, and is able to restore graphic files even if the file system is damaged or formatted.
    Runs under the Linux, DOS, Windows, FreeBSD, NetBSD, OpenBSD, Mac OS X and SunOS operating systems.
  3. ddrescue (in Ubuntu this utility is called gddrescue). This utility copies data from a file or hardware device containing the data to another location, while attempting to correct any read errors. ddrescue performs the main operations automatically, filling in the log file in parallel. If there are two or more copies of a corrupted file, ddrescue is able to restore the file completely, eliminating all errors.
    ddrescue sets the I/O buffer size to the sector size, so it can be used for sector-by-sector recovery of data from devices.
  4. unrm - a small console utility that, under certain conditions, can recover almost 99% of deleted data (similar to the undelete utility in DOS). Read the FAQ file carefully before using it, and preferably the Linux Ext2fs Undeletion Mini-HOWTO. Usage:
    unrm [-b (no block padding)][-e (every block)][-f fstype][-vW] device
  5. (gET iT i sAY) - file recovery tool for Ext2/Ext3 file systems. After installation, the current files and newly created files in /root and /home can be restored. The utility allows users to recover all deleted files, recover files owned by a specified user, dump data from a file location, and recover files of a certain type, such as text or MP3. There is also an analyzer to help users during recovery.
  6. DMDE - DM Disk Editor and Data Recovery Software, a program for disk editing and data recovery. In the free version, all the functions of the disk editor, partition management and file recovery are available, with the exception of group recovery of files and directories; the full version allows you to restore groups of files and directories while maintaining the directory structure.
  7. Mondo Rescue. The main purpose of this program is to create backup copies of data. It can create backups on tapes, CDs, remote media via NFS, or as ISO images on local drives. But in case of data damage, the program allows you to restore the data completely or partially, even if your hard drive is inaccessible by conventional means.
    Mondo runs on all major Linux distributions and supports LVM, RAID, ext2, ext3, JFS, XFS, ReiserFS, VFAT and other file systems. It can restore disk geometry, migrate data to RAID arrays, and check the integrity of the computer's file system. In addition, it allows you to restructure the disk, shrink or grow partitions, reassign devices, and add hard drives.
  8. The Sleuth Kit (TSK) - a set of programs (fls, icat, ffind, ifind, mmls, fsstat, etc.) for forensic analysis of file systems. TSK is a set of UNIX command-line tools that can parse NTFS, FAT, FFS, EXT2FS, and EXT3FS file systems. TSK reads and processes file system structures on its own, so there is no need for file system support by the operating system.
    Articles: Recovering Hidden or Lost Data.

In addition to those listed, some articles also mention the utilities Magicrescue and ntfsundelete from the ntfstools package.

This list can be very useful if you find yourself in a situation where you need to recover data from a damaged media. And it is desirable to master at least some of these tools before there is an urgent need for their use. To do this, it makes sense to test them on artificial examples of deleting files, as done in one of the notes given in the list of sources.

In conclusion, a few tips, maybe trivial but certainly useful, on how to avoid ending up in the unpleasant situation where the tools above are needed. First, you can make it harder to delete a file or directory by accident. To do this, arrange for the command rm -i to be called instead of the command rm. You can do this with the alias command like this:

alias rm="rm -i"

Then, before performing the deletion, you will be asked an additional question whether you really want it.

Second tip: back up your data as often as possible, every day or even every hour. If you follow this advice, then in the worst case, you will lose only the results of your work that you received during the last hour. And the data recovery procedures in this case will be much easier to perform. You can automate the execution of these procedures using cron and the utility rsync by arranging periodic copying of important files and directories to another disk or partition. Or you can use the Mondo Rescue utility mentioned above. By the way, you will learn how to use it, which can be useful in case you need to recover data in an emergency.

And third: before you start trying to recover deleted files, make a copy of the partition in which these files were located, and work with the copy, not with the original partition. If you make a mistake again during the recovery process, you can start all over again. If you work with the original partition, you can damage the data irrevocably. You can make a copy of a partition using the dd command (you can read about the use of this command in A. Dmitriev's article "dd: A command that is not like the others").
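The copy-first advice above, together with the dd step in the extundelete instructions earlier, as an added shell example that is not part of the original article. It images a constructed file standing in for /dev/<partition>, records a SHA-256 of the image, and shows how a damaged working copy is detected and recreated; the function names and the partition.work file name are assumptions.

```sh
#!/bin/sh
# Added example: image first, verify, then recover only from a working copy.
set -eu

# SHA-256 of a file (sha256sum on Linux, shasum elsewhere).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# Image SRC to DST with the article's dd invocation, record the image hash
# next to it and make both files read-only so tools cannot alter them.
make_image() {  # usage: make_image SRC DST
    dd bs=4M if="$1" of="$2"
    sha256_of "$2" > "$2.sha256"
    chmod a-w "$2" "$2.sha256"
}

# True if reading SRC again gives the recorded hash. This only holds when
# SRC is unmounted or mounted read-only; a live file system keeps changing.
image_matches_source() {  # usage: image_matches_source SRC IMG
    [ "$(sha256_of "$1")" = "$(cat "$2.sha256")" ]
}

# True if the working copy is still byte-identical to the pristine image.
copy_is_pristine() {  # usage: copy_is_pristine IMG COPY
    [ "$(sha256_of "$2")" = "$(cat "$1.sha256")" ]
}

# (Re)create a writable working copy from the locked image.
new_working_copy() {  # usage: new_working_copy IMG COPY
    rm -f "$2"
    cp "$1" "$2"
    chmod u+w "$2"
    copy_is_pristine "$1" "$2"
}

# --- demo on a constructed 64 KiB file standing in for /dev/<partition> ---
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
SRC="$work/fake_partition"
IMG="$work/partition.backup"
COPY="$work/partition.work"
dd if=/dev/zero of="$SRC" bs=1024 count=64 2>/dev/null
printf 'term paper draft' | dd of="$SRC" bs=1 seek=4096 conv=notrunc 2>/dev/null

make_image "$SRC" "$IMG"
image_matches_source "$SRC" "$IMG" && echo "image verified against source"
new_working_copy "$IMG" "$COPY"

# Simulate a recovery attempt that goes wrong and writes into the copy.
printf 'XXXX' | dd of="$COPY" bs=1 seek=4096 conv=notrunc 2>/dev/null
if ! copy_is_pristine "$IMG" "$COPY"; then
    echo "working copy was modified; recreating it from the image"
    new_working_copy "$IMG" "$COPY"
fi
```

On media with read errors plain dd stops at the first bad sector, which is the case the ddrescue entry in the list above is meant for.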

It is also worth recalling that there are special Linux distributions that run from CD or other removable media and contain a bunch of administration utilities, including data recovery tools. Examples of such distributions include SystemRescue CD and Trinity Rescue Kit.

I believe that the above list will also become obsolete after some time, as happened with the list given in the article mentioned at the beginning of this note. But new tools will appear, perhaps more advanced ones. Check back occasionally at the Linux Software Catalog to keep up to date, or better yet, help keep this catalog up to date. Then, in any emergency or routine situation, you or another Linux user will be able to find the tools needed to solve the problem.

Sometimes we delete what seem to be junk files (images, videos, text documents, etc.) and then suddenly regret it, because some of the deleted files turn out to be needed. It is good if we deleted the files to the Trash, from where they are very easy to restore: press the keyboard shortcut Ctrl+Z and all the files in the Trash will be restored to their previous folders, or restore selectively by right-clicking the desired file in the Trash and choosing Restore in the context menu.

But what do we do when we have removed the files with the Delete permanently function? Many people think that the data is lost forever, but it is not. In this case the console utility scalpel will help us.

scalpel is a simple, highly efficient file recovery tool.
scalpel is a fast file recovery tool that reads a database of the beginnings and ends (headers and footers) of files of known formats and tries to find them on the disk. What makes this software unique is that it does not depend on the file system. Recovery is therefore possible from FATx, NTFS and ext2/3 as well as from raw partitions. The tool can be used both for digital forensics investigation and for file recovery.

scalpel is available in the repositories of almost all Linux distributions. In Ubuntu and its derivatives you can install it from the App Center or by running this command in the terminal:

sudo apt-get install scalpel

After installation you will not find scalpel in the system menu because, as I mentioned above, this tool is launched from the terminal with a specific command. But before you run the command to search for permanently deleted files, you must uncomment (remove the pound sign from) the line with the desired file extension in the configuration file scalpel.conf; all file types are commented out by default. Run this command in the terminal to open the configuration file scalpel.conf:

sudo gedit /etc/scalpel/scalpel.conf

Note: in the command, replace gedit (Ubuntu; Linux Mint Cinnamon) with the name of the text editor installed by default in your distribution.

For example, I chose to search for lost image files with the extension JPG and uncommented the corresponding line of scalpel.conf in the opened editor:


You can choose any other file type. Save the modified file (Ctrl+S) and close the editor.

Now execute the scalpel command in the terminal to search for lost files:

sudo scalpel /dev/sda8 -o /home/vladimir/JPG/output/

sda8 is a partition on the hard drive of my current system. To identify your own partition and substitute it in the command, run the command:


The terminal should display all partitions of the hard disk. As shown in the picture, the arrow points to the slash (/), which marks the mount point of my partition, sda8, the one I entered into the command. Yours should be marked in the same way.

/home/vladimir is my home folder. Replace vladimir with your own user name.

/JPG is the name of the folder that will be created in your home folder and in which all recovered files will be saved; you can also change it to a name of your own.

So, we execute the command and wait for the end of the recovery:


As you can see in the picture, the process of finding and restoring image files with the extension JPG on my computer takes place in two steps and takes time, depending on the size of the specified partition (GB) and the number of images located on it.
I want to say right away that the process is not fast.

When the restore is complete, open the home folder with administrator rights:

sudo nautilus

Instead of nautilus, use the name of your distribution's file manager (for example, nemo or caja in Linux Mint, and so on).


Open the folder with the recovered files, select and save the files you need, and then you can permanently delete the folder, because it will only take up precious space in the partition on the hard drive.
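One way to do the configuration step without editing the system-wide file, as an added example that is not part of the original article: it uncomments chosen rule lines in a private copy of scalpel.conf, which scalpel reads through its -c option. The function names, the constructed sample rules and the paths in the comments are assumptions; carving from an image and writing results to a different disk keeps recovered files from overwriting the deleted data.

```shell
#!/bin/sh
# Added example (not from the article): enable file types in a private copy
# of scalpel.conf instead of editing /etc/scalpel/scalpel.conf by hand.

# write_sample_conf FILE: constructed rules in scalpel.conf layout
# (extension, case-sensitive y/n, max size, header bytes, footer bytes).
write_sample_conf() {
    cat > "$1" <<'EOF'
# jpg and gif files are very common
#   gif   y   5000000     \x47\x49\x46\x38\x39\x61   \x00\x3b
#   jpg   y   200000000   \xff\xd8\xff\xe0\x00\x10   \xff\xd9
#   htm   n   50000       <html                      </html>
EOF
}

# enable_types CONF EXT...: remove the leading '#' from rule lines for EXT.
# A rule line looks like "ext y|n size ..."; prose comments that merely
# mention an extension do not have that shape and are left alone.
enable_types() {
    conf=$1
    shift
    for ext in "$@"; do
        case $ext in
            ''|*[!A-Za-z0-9]*) echo "bad extension: $ext" >&2; return 2 ;;
        esac
        sed -E "s/^#([[:space:]]*${ext}[[:space:]]+[yn][[:space:]]+[0-9])/\1/" \
            "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf" || return 1
    done
}

# active_types CONF: list the extensions that are enabled in this file.
active_types() {
    awk '!/^[[:space:]]*#/ && NF >= 4 { print $1 }' "$1" | sort -u | paste -sd' ' -
}

# Typical use (paths are placeholders):
#   cp /etc/scalpel/scalpel.conf ./scalpel.conf
#   enable_types ./scalpel.conf jpg
#   scalpel -c ./scalpel.conf -o /mnt/backup/carved /mnt/backup/sdXN.img
```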

Conclusion. I would like to note that the scalpel tool finds all files with the specified extension, even those that were on this partition earlier, when other operating systems were installed on it. This utility is also used by the intelligence agencies of different countries to search a user's computer for compromising evidence, if necessary. So no matter how irrevocably we delete files, they still leave their mark on the hard disk.

Only the physical destruction of the hard disk will save the computer user from compromising files.
