How to recover a deleted file in Linux?

Posted: August 7, 2013 in Uncategorized

 

Have you ever thought about recovering a deleted file in Linux?
Yes, this is possible, and you don't need to depend on any third-party tool or expertise.
 
The following steps explain how to recover any deleted file using the debugfs tool.
 
           Step 1 :- Create a text file in the /var/ folder
           [root@afzalkhan~]# echo 'test 123' > /var/sid_test
 
           Step 2 :- Confirm that the sid_test file exists in /var/
           [root@afzalkhan~]# ll /var/sid_test
          -rw-r--r-- 1 root root 9 Jun 28 17:47 /var/sid_test
 
          Step 3 :-  Delete /var/sid_test file using rm
          [root@afzalkhan~]# rm /var/sid_test
          rm: remove regular file `/var/sid_test'? y
          [root@afzalkhan~]#
 
          Step 4 :- In this example my /var/ folder is on /dev/hda2.
 I use the following debugfs command to examine the contents of the journal (block data)
          [root@afzalkhan~]# debugfs -w /dev/hda2
          debugfs 1.39 (29-May-2006)
          debugfs:
 
          Step 5 :- At the debugfs: prompt, type the following command :-
          debugfs: ls -l <HIT ENTER>
     89232  100600    500    500   89891 26-Jun-12 13:40 test123
     96961  100777      0      0      17 27-Jun-12 18:21 sid_test
 
          Description of the fields.
  1. Inode number.
  2. The first one or two digits give the kind of inode:
    2 = Character device
    4 = Directory
    6 = Block device
    10 = Regular file
    12 = Symbolic link
    The last four digits are the usual Unix permissions.
  3. Owner in number representation.
  4. Group in number representation.
  5. Size in bytes.
  6. Date (Here we can see the Y2K bug =)).
  7. Time.
  8. Filename.

    Step 6 :- Get the block data information by entering the following command :-

    debugfs: logdump -i <96961>
    Inode 96961 is at group 3, block 98591, offset 0
    Journal starts at block 22762, transaction 231282
    FS block 98591 logged at sequence 231643, journal block 1144
    (inode block for inode 96961):
    Inode: 96961 Type: regular Mode: 0644 Flags: 0x0 Generation: 987825357
    User: 0 Group: 0 Size: 9
    File ACL: 0 Directory ACL: 0
    Links: 1 Blockcount: 8
    Fragment: Address: 0 Number: 0 Size: 0
    ctime: 0x4fec4b49 -- Thu Jun 28 17:47:13 2012
    atime: 0x4fec4b49 -- Thu Jun 28 17:47:13 2012
    mtime: 0x4fec4b49 -- Thu Jun 28 17:47:13 2012
    Blocks: (0+1): 99601
    FS block 98591 logged at sequence 231644, journal block 1181
    (inode block for inode 96961):
    Inode: 96961 Type: regular Mode: 0644 Flags: 0x0 Generation: 987825357
    User: 0 Group: 0 Size: 9
    File ACL: 0 Directory ACL: 0
    Links: 1 Blockcount: 8
    Fragment: Address: 0 Number: 0 Size: 0
    ctime: 0x4fec4b49 -- Thu Jun 28 17:47:13 2012
    atime: 0x4fec4b51 -- Thu Jun 28 17:47:21 2012
    mtime: 0x4fec4b49 -- Thu Jun 28 17:47:13 2012
    Blocks: (0+1): 99601
    No magic number at block 3488: end of journal.
    debugfs: quit
    [root@afzalkhan ~]#

    Step 7 :- Copy the block ID from the "Blocks: (0+1): 99601" line

    Step 8 :- Use the dd command to restore that block ID
    [root@afzalkhan ~]# dd if=/dev/hda2 of=sid_test bs=4096 count=1 skip=99601
    1+0 records in
    1+0 records out
    4096 bytes (4.1 kB) copied, 0.000471375 seconds, 8.7 MB/s
    [root@siddhesh ~]#
    [Note :- This will restore your deleted file in the present directory]

    Step 9 :- Verify the restored file using cat
    [root@afzalkhan ~]# cat sid_test
    test 123
    [root@afzalkhan ~]#
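
Steps 6 to 8 as a script, added here as an example and not part of the original post: it pulls the size and block number out of saved logdump text and prints a dd command that trims the recovered block to the file's 9 bytes instead of the full 4096. It assumes 4096-byte blocks as in step 8 and a file that fits in one block; the function names are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): steps 6-8 as a script.
# Assumes 4096-byte blocks (as in step 8) and a file that fits in one
# block, logged as "Blocks: (0+1): N". Function names are hypothetical.

# Sample input: the relevant lines of the step 6 logdump output.
sample_logdump() {
cat <<'EOF'
Inode 96961 is at group 3, block 98591, offset 0
FS block 98591 logged at sequence 231643, journal block 1144
Inode: 96961 Type: regular Mode: 0644 Flags: 0x0 Generation: 987825357
User: 0 Group: 0 Size: 9
Fragment: Address: 0 Number: 0 Size: 0
Blocks: (0+1): 99601
FS block 98591 logged at sequence 231644, journal block 1181
Inode: 96961 Type: regular Mode: 0644 Flags: 0x0 Generation: 987825357
User: 0 Group: 0 Size: 9
Fragment: Address: 0 Number: 0 Size: 0
Blocks: (0+1): 99601
No magic number at block 3488: end of journal.
EOF
}

# Print "<size> <block>" from the last journal copy of the inode that still
# lists a data block; exit non-zero if no copy does or the layout differs.
last_mapping() {
    awk '
        /^ *User: .*Size: [0-9]+/ { for (i = 1; i < NF; i++) if ($i == "Size:") size = $(i + 1) }
        /^ *Blocks: *[(]0[+]1[)]: *[0-9]+ *$/ { found = size " " $NF }
        END { if (found == "") exit 1; print found }
    '
}

# Build the dd command: read one block from the device, then keep only the
# first <size> bytes so the recovered file is not padded to a full block.
recovery_cmd() {  # usage: recovery_cmd DEVICE OUTFILE < logdump.txt
    map=$(last_mapping) || { echo "no single-block mapping found" >&2; return 1; }
    set -- "$1" "$2" ${map}   # $3 = size in bytes, $4 = block number
    [ "$3" -le 4096 ] || { echo "file larger than one block" >&2; return 1; }
    printf 'dd if=%s bs=4096 skip=%s count=1 | head -c %s > %s\n' "$1" "$4" "$3" "$2"
}

sample_logdump | recovery_cmd /dev/hda2 sid_test
```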
