It might have happened to you at one point or another that you deleted a file or an image by mistake & then regretted it immediately. So can we restore such a deleted file/image on a Linux machine?

In this tutorial, we are going to discuss just that i.e. how to restore a deleted file on a Linux machine.

To restore a deleted file on a Linux machine, we will be using an application called ‘Foremost’. Foremost is a Linux based program data for recovering deleted files. The program uses a configuration file to specify headers and footers to search for. Intended to be run on disk images, foremost can search through most any kind of data without worrying about the format.

Note:- We can only restore deleted files in Linux as long as those sectors have not been overwritten on the hard disk.

We will now discuss how to recover the data with foremost. Let’s start the tutorial by the installation of Foremost on CentOS & Ubuntu systems.

(Recommended Read: Complete guide for creating Vagrant boxes with VirtualBox)

(Also Read: Checking website statistics using Webalizer)

Linux restore deleted files

Install Foremost

To install Foremost on CentOS, we will download & install the foremost rpm from the official webpage. Open terminal & execute the following command,

$ sudo yum install https://forensics.cert.org/centos/cert/7/x86_64//foremost-1.5.7-13.1.el7.x86_64.rpm –y

With Ubuntu, the foremost package is available with the default repository. To install foremost on Ubuntu, run the following command from the terminal,

$ sudo apt-get install foremost

 

Restore deleted files in Linux

For this scenario, we have kept an image named ‘dan.jpg ’ on our system. We will now delete it from the system with the following command,

$ sudo rm –rf dan.jpg

Now we will use the foremost utility to restore the image, run the following command to restore the file,

$  foremost –t jpeg –I /dev/sda1

Here, with option ‘t’ , we have defined the type of file that needs to be restored,

-I , tells the foremost to look for the file in partition ‘/dev/sda1’. We can check the partition with ‘mount’ command.

Upon successful execution of the command, the file will be restored in the current folder. We can also add an option to restore the file in a particular folder with the option ‘o’

$ foremost –t jpeg –I /dev/sda1 –o /root/test_folder

Note:- The restored file will not have the same file name as the original file as the filename is not stored with file itself. So file name will be different but the data should all be there.

With this, we now end our tutorial on how to restore deleted files in a Linux machine using Foremost. Please feel free to send in any questions or suggestions using the comment box below.

If you think we have helped you or just want to support us, please consider these :-

Connect to us: Facebook | Twitter

Linux TechLab is thankful for your continued support.