Have you ever found yourself wishing you could bring a deleted file back from the dead? If not, then you haven’t worked in IT very long. It’s an unwritten law of the universe that, no matter how often you back up your data and how careful you are not to delete sensitive files by mistake, sooner or later you’ll find yourself in a situation where you lose data that was not backed up.
Fortunately, the universe offers solutions to this problem in the form of undelete tools. In this article, we look at three such tools that you can use to undelete files on Linux. We’ll explain how to undelete files in Ubuntu as an example, although the tools and methods should work on any mainstream Linux distribution.
How File Undeletion Works in Ubuntu
First, let’s discuss why and how it’s possible to undelete files in Ubuntu.
By default, most Linux-based operating systems, including Ubuntu, use journaling file systems, such as ext4. A journaling file system is so-named because it keeps a “journal” of which files are stored in which parts of your disks.
To use an analogy here, you can think of your file system as a neighborhood, and the journal as an address book. When you delete a file on Linux, it’s like removing the entry for that file from your address book.
The interesting thing, however, is that deleting the file from your journal doesn’t actually remove the data from the disk itself. The data stays in place until some other data comes and overwrites it.
So, deleting a file is like crossing an address out of your address book without actually demolishing the building to which it corresponds. The building remains there until someone comes and builds a new building in its place. If you were to go and drive around the neighborhood, you’d be able to find the “deleted” building easily enough, unless someone has already built over it.
That’s essentially how undelete tools work in Ubuntu: They cruise around your file system, looking for signs of data that has been removed from the file system journal but that remains intact on the disk itself. As long as you’re lucky enough to deploy the tool before the data gets overwritten by something else, there is a very decent chance that you’ll be able to undelete the deleted data.
Oh, and if you’re wondering how likely it is that the data is still in place after you delete it, the answer is that it’s very hard to say. Data could be overwritten milliseconds after you delete it, or it could stay there for weeks. Your ability to recover a deleted file on Linux really boils down to a combination of luck and how many applications and processes you have running on your system: The more stuff you have operating, the greater the likelihood that something will decide to write data in the place where your deleted file lives.
There is also a greater chance that deleted files will remain intact if they reside on partitions that are not part of your core system, because system partitions see higher levels of data activity from background processes. In other words, an external disk drive that you use to store videos and photos is more likely to have your deleted data intact than is the partition where your operating system stores all of its constantly changing logs and application data.
3 Ways to Recover Deleted Files on Ubuntu
There are several open source data-undeletion tools available for Ubuntu and other Linux distributions. Below is an overview of three of the best ones. Although all of these tools work in the same general way (scanning file systems for signs of files that were removed from the journal but remain extant), the heuristics they use to identify deleted files vary. Thus, if one of these tools doesn’t work for you, another may.
Extundelete is easy to install from the software repositories of most mainstream Linux distributions. On Ubuntu, you can grab it with a simple:
sudo apt-get install extundelete
Using extundelete is also simple, which is one of the reasons why I typically try this tool first when I have to undelete data on Ubuntu.
First, if possible, unmount the partition where your deleted file was stored. In my experience, extundelete works with mounted partitions, but the tool complains loudly if you do so because it could lead to permanent loss not just of your deleted files, but of other files. So, proceed at your own risk if you choose to use the tool on a mounted partition. (Pro tip: If your deleted file is on a system partition that you can’t unmount, and you don’t want to live dangerously by running extundelete on a mounted partition, you can always shut off the system, boot to a live CD or USB, and run extundelete from there.)
Next, run extundelete with a command like:
extundelete /dev/sdb1 --restore-file deletedfile.txt
Here, /dev/sdb1 is the partition where the file lived, and deletedfile.txt is the name of the file you deleted.
If you don’t know the name of the file you’re trying to recover, or you want to recover multiple files, you can use the --restore-all flag instead:
extundelete /dev/sdb1 --restore-all
Another handy tool for undeleting files in Ubuntu is TestDisk, a tried-and-true application that has been bringing deleted Linux files back from the dead for well over a decade.
TestDisk is easy to install on Ubuntu with:
sudo apt-get install testdisk
Run it by simply typing the program’s name, testdisk, in your terminal.
From there, testdisk will ask you how you want to manage the testdisk logs (it’s fine to create a new log file), then what you want to do. Select the Advanced option.
Next, TestDisk will display a list of disk partitions that it detects on your device. Choose the one where your deleted data was stored. Select it, then choose the Undelete option at the bottom of the screen.
From there, follow the directions on the screen for listing deleted files and choosing which ones you want to recover.
In addition to recovering deleted files, TestDisk can repair damaged partition tables and boot sectors, which makes it handy if you find yourself in a situation where your disk structure has been so badly damaged that you either can’t boot or the system can’t find all of the partitions. Using these features is beyond the scope of this article, but they’re a lifesaver for those situations where you really screw up your disk.
The TestDisk developers provide another tool, PhotoRec, that can also recover deleted data on Ubuntu with aplomb. (Despite its name, PhotoRec can recover data of various types, not just photos.) On Ubuntu, the PhotoRec app is part of the TestDisk package, so you can install PhotoRec with:
sudo apt-get install testdisk
Run it by typing photorec in your terminal.
Like TestDisk, PhotoRec will ask you to select the partition where your deleted files are located. It will then walk you through the discovery and recovery process.
Extundelete vs. TestDisk vs. PhotoRec
With so many ways to recover deleted files on Ubuntu, which option is the best?
Personally, I like extundelete the most, for two reasons. One is that it is less interactive: You simply enter a command, and it does the rest. TestDisk and PhotoRec require you to navigate through multiple screens before you can begin the file recovery process. That makes them more user-friendly, but also more tedious to work with, in my opinion.
I also like extundelete because its data recovery methodology centers on using the file system journal records to identify deleted files. That means it can find virtually any type of file within the file systems it supports.
In contrast, TestDisk and PhotoRec primarily look for remnants of file metadata in order to identify deleted files. They can only find the types of files whose metadata structure is known to them. That approach works well for widely used types of files, like Word Documents or JPEG images. It doesn’t work if you have an obscure or specialized type of file to recover. (You can add custom metadata types to TestDisk and PhotoRec, but it’s a complicated process that requires you to know a lot about how files work.)
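The signature matching described above, as an added example (not code from TestDisk or PhotoRec): a minimal carver that scans a raw buffer for known header and footer bytes. The SIGNATURES table, the MYFMT1 format and the sample buffer are constructed for illustration, and real carvers handle fragmentation and embedded markers that this one does not.

```python
# Illustrative signature table (assumption): real tools ship far larger ones.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}

def carve(raw: bytes, signatures=SIGNATURES):
    """Return (kind, offset, data) for each header/footer pair found in raw."""
    found = []
    for kind, (header, footer) in signatures.items():
        pos = raw.find(header)
        while pos != -1:
            end = raw.find(footer, pos + len(header))
            if end == -1:
                break  # header survived, but the tail was overwritten or lost
            end += len(footer)
            found.append((kind, pos, raw[pos:end]))
            pos = raw.find(header, end)
    return sorted(found, key=lambda hit: hit[1])

def build_sample_image():
    """Constructed 'unallocated space' holding four deleted files."""
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF-pixels" + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR-data" + b"IEND\xaeB`\x82"
    custom = b"MYFMT1" + b"proprietary-record"    # hypothetical obscure format
    truncated = b"\xff\xd8\xff\xe0" + b"partial"  # footer already overwritten
    pad = b"\x00" * 16
    raw = pad + jpg + pad + custom + pad + png + pad + truncated + pad
    return raw, jpg, png, custom

if __name__ == "__main__":
    raw, jpg, png, custom = build_sample_image()
    for kind, offset, data in carve(raw):
        print(f"{kind} at offset {offset}, {len(data)} bytes")
```

Only the intact JPEG and PNG are returned; the MYFMT1 record is still in the buffer but is skipped until a matching header and footer pair is passed in through the signatures argument.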
On the other hand, the major advantage of TestDisk and PhotoRec is that they both support a variety of file systems, including those used on Windows and macOS. Extundelete works only with ext2, ext3 and ext4, so it’s pretty useless if you need to undelete files from a system other than Linux. The fact that TestDisk can perform recovery operations beyond file recovery is a selling point, too.
The next time you type the wrong rm command and feel a cold shudder shoot down your spine as you realize you deleted a critical file, fret not. Several tools are available on Ubuntu to help you get the deleted file back. You just need to know which tool is best based on the file system you are using and the file type you have to recover.