How to restore deleted files in Linux with Foremost
It might have happened to you at one point or another that you deleted a file or an image by mistake & than regretted it immediately. So can we restore such a deleted file/image on Linux machine. In this tutorial, we are going to discuss just that i.e. how to restore a deleted file on Linux machine.
To restore a deleted file on Linux machine, we will be using an application called ‘Foremost’. Foremost is a Linux based program data for recovering deleted files. The program uses a configuration file to specify headers and footers to search for. Intended to be run on disk images, foremost can search through most any kind of data without worrying about the format.
Note:- We can only restore deleted files in Linux as long as those sectors have not been overwritten on the hard disk.
We will now discuss how to recover the data with foremost. Let’s start tutorial by installation of Foremost on CentOS & Ubuntu systems.
(Recommended Read: Complete guide for creating Vagrant boxes with VirtualBox)
(Also Read: Checking website statistics using Webalizer)
To install Foremost on CentOS, we will download & install the foremost rpm from official webpage. Open terminal & execute the following command,
$ sudo yum install https://forensics.cert.org/centos/cert/7/x86_64//foremost-1.5.7-13.1.el7.x86_64.rpm –y
With Ubuntu, the foremost package is available with default repository. To install foremost on Ubuntu, run the following command from terminal,
$ sudo apt-get install foremost
Restore deleted files in Linux
For this scenario, we have kept an image named ‘dan.jpg ’ on our system. We will now delete it from the system with the following command,
$ sudo rm –rf dan.jpg
Now we will use the foremost utility to restore the image, run the following command to restore the file,
$ foremost –t jpeg –I /dev/sda1
Here, with option ‘t’ , we have defined the type of file that needs to be restored,
-I , tells the foremost to look for the file in partition ‘/dev/sda1’. We can check the partition with ‘mount’ command.
Upon successful execution of the command, the file will be restored in current folder. We can also add option to restore the file in a particular folder with option ‘o’
$ foremost –t jpeg –I /dev/sda1 –o /root/test_folder
Note:- The restored file will not have the same file name of the original file as the filename is not stored with file itself. So file name will be different but the data should all be there.
With this we now end our tutorial on how to restore deleted files in Linux machine using Foremost. Please feel free to send in any questions or suggestion using the comment box below.