using ntfsundelete
This might save your life one day (or the life of some files you removed bypassing the trash!)
In Linux it's easy (relatively, if you act quickly) to reclaim files that have been wiped from disk -because really they are still there but their names are gone and their inodes have been offered for new files to be stored in their place.
You can "undelete" wiped files from Linux partitions (ext3/ext4) and NTFS -so long as you haven't been using the partition and stored new files over the lost ones. So if something goes wrong you should make a rescue op immediately.
Today I managed to wipe 200Gb of very important data off an external drive. I couldn't believe it had happened. One thing I need to watch out for is when an external drive is not present and an app needs to access it, say for a DVD project, it will create the partition somewhere locally and carry on! Then inserting the external drive makes another entry with a _ after it in /media -it was when I tried removing the phony local version of the drive that it decided to take out loads of real data with it (but left some), and I still can't understand how because I had already unplugged the drive.
Fortunately I had just enough space around on different drives to rescue everything. The deleted files have to be copied to a different partition than the one they were on, and the one recovering from must be unmounted. My drive was NTFS so I'll show how that works.
note: ntfsundelete is installed with the package ntfs-3g
1. get device i.e. sdb1 etc with `lsblk`
2. unmount drive with e.g. `sudo umount /dev/sdb1`
3. list files available for undelete - might need the force option -f
(note: you might need to adjust the scroll lines of the Terminal to a few thousand to show long lists)
4. list files of certain type available for undelete
5. list files with something in the filename, available for undelete
6. combine the above two
7. undelete with file name
8. undelete with wildcard extension (will recover ALL files with the ext), to a destination dir with -d switch
or
9. undelete with inode range, to a destination dir
10. change permissions to user for undeleted files if necessary
Notes
- If you cancel the terminal with the process going, you can restart with exactly the same command and dir location and the process will skip all the files already recovered -it won't write over them, or it can't.
- If you try to split the process between different target directories it will be impossible using a wildcard extension, you'd have to use inode ranges, I'd say. combine them?
Undelete files on ext3/ext4 partitions
http://everydaylht.com/
http://extundelete.sourceforge.net/
Undelete files on NTFS from Linux
http://www.howtogeek.com/.../
http://linux.die.net/man/8/ntfsundelete
using photorec or testdisk
After recovering files from my removable drive (see on the left) I realised that there were some videos yet to be encoded from raw files -and I couldn't get those files after the restore as they were written over -luckily I remembered I hadn't used the SD card much since then, but I had just formatted it.
So in comes photorec, packaged with
testdisk, for recovering from FAT format disks -and also from ext3/ext4 and NTFS.
-
choose disk to rescue files from
- choose partition on disk (and also file options -search for extensions)
- choose format type
- choose rescue from freespace or whole disk
- select directory to rescue files to: use left/right arrows to go up/down dir tree
e.g. use left to get out of /home/username, then down to /media, right and down to reach dir
- enter the chosen dir and press C
tip: stop photorec in taskmanager if it's eating the cpu even after it's finished the process!
using
Testdisk is just as easy, it will list the deleted files and it works on NTFS, FAT (SD cards etc) and ext2
http://www.cgsecurity.org/wiki/TestDisk
- sudo testdisk
- choose log option
- choose disk to rescue files from
- choose partition table type (Intel) choose [Advanced] File System Utils
- select partition
- choose option [undelete] or [Image Creation]
- search for deleted directory or file and press C, select multiple files and press Shift-C
- select directory to copy files to: use left/right arrows to go up/down dir tree
- enter the chosen dir (e.g. Desktop), go down one to .. and press C
- cd to where the recovery dir has been copied to and run:
Using dd to make an image of a partition first
I had one SDHC card that photorec and testdisk couldn't see any deleted files on, even though I had recently had MTS files on it ..
So I made an image of the SD card with
remember that "of" stands for output file and it will wipe everything on the location it points to, so be careful!
then
but alas, no files were found either! duh, the card had been formatted.
Then there's extundelete
see here
gnutoolbox.com/extundelete/