How to recover an accidentally deleted file from Linux

sudhirgoogle
Hello Experts,

I accidentally deleted one file using the 'rm -rf' command from /tmp/<filename.iso> on a RHEL 5.6 server. How do I recover this file? Please help.
Commented:
I am assuming /tmp is part of your root filesystem, and not mounted as a tmpfs. (Type 'mount' to check.)

You can use the "photorec" utility for this (yum install photorec, or apt-get install photorec). A step-by-step guide is here:

http://www.cgsecurity.org/wiki/PhotoRec_Step_By_Step

PhotoRec can recognise .iso files: http://www.cgsecurity.org/wiki/File_Formats_Recovered_By_PhotoRec

Author

Commented:
I am not supposed to install apps on a production box without proper approval. Is there any way to recover using Linux built-in utilities?
Commented:
There is no reliable way to recover a deleted file from an ext2 file system. All the methods are just best effort. The best suggestion is to do regular BACKUPs of the important files before they are deleted.


For an ext3 filesystem, you can recover the deleted file using the following steps (e.g.):

1. Create a test file

[root@madunix home]# echo "this is a test file" > test.txt
[root@madunix home]# cat test.txt
this is a test file

2. Check the i-node of this test file

[root@madunix home]# ll -li test.txt
579917 -rw-r--r-- 1 root root 20 Feb  3 02:52 test.txt

So the i-node of the test file is, 579917

3. Check the block of the data of this file

[root@madunix home]# debugfs -w /dev/hda3
debugfs 1.39 (29-May-2006)
debugfs:  logdump -i <579917>

    (inode block for inode 579917):
    Inode: 579917   Type: regular        Mode:  0644   Flags: 0x0   Generation: 2914279254
    User:     0   Group:     0   Size: 20
    File ACL: 603590    Directory ACL: 0
    Links: 1   Blockcount: 16
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x4b68746c -- Wed Feb  3 02:52:28 2010
    atime: 0x4b687485 -- Wed Feb  3 02:52:53 2010
    mtime: 0x4b68746c -- Wed Feb  3 02:52:28 2010
    Blocks:  (0+1): 619053

Check the following line,

    Blocks:  (0+1): 619053

So the block of the data of this test file is 619053.

4. Delete this test file

[root@madunix home]# rm test.txt
rm: remove regular file `test.txt'? y

5. Recover this deleted test file

[root@madunix home]# dd if=/dev/hda3 of=/tmp/test.txt bs=4096 count=1 skip=619053
1+0 records in
1+0 records out
4096 bytes (4.1 kB) copied, 0.0010089 seconds, 4.1 MB/s

6. Check the content of the test file

[root@madunix home]# cat /tmp/test.txt
this is a test file


You could also try PhotoRec to recover your files: http://www.cgsecurity.org/wiki/PhotoRec
and check out the following
http://www.linux-magazine.com/w3/issue/71/Ask_Klaus!.pdf
http://www.linux-magazine.com/w3/issue/93/Foremost_Web.pdf
http://www.linuxjournal.com/content/how-recover-deleted-files
http://www.recoverdatatools.com/recover-deleted-files.html
http://www.linuxjournal.com/magazine/hack-and-when-disaster-strikes-attack-rm-command
http://www.ehow.com/how_2064953_recover-deleted-files-linux.html



Notice:

After rebooting the system, the journal entry for the deleted file could not be found, so the deleted file could not be recovered.

So, if you want to recover the deleted file, the system must not be rebooted after the file is deleted.
Do
$ rpm -qa | grep testdisk
and if you see the testdisk package listed, you already have the PhotoRec program installed.

Note that if you cannot narrow down the search to the exact file type using PhotoRec's options, you'll be sorting through folders of recovered files approximately equal to your current free disk space.
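
Steps 3 and 5 of the ext3 answer above, as an added example that is not part of the original thread: a shell function that reads `debugfs` `logdump -i` output and prints the matching `dd` commands, trimming the result to the inode's recorded size. It goes beyond the single-block case in the thread by handling several block ranges; the function name `plan_recovery`, the `/mnt/recovery` path and the reading of `(L+N): P` are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Turns `debugfs logdump -i <inode>` output
# (read on stdin) into the dd commands for step 5, so nothing is typed by hand.
# Assumption: each "(L+N): P" entry on the "Blocks:" line means N blocks that
# start at file block L and are stored from filesystem block P.

# plan_recovery DEVICE OUTFILE [BLOCKSIZE]   (hypothetical helper name)
# Prints commands only; it never reads or writes the device itself.
plan_recovery() {
    awk -v dev="$1" -v out="$2" -v bs="${3:-4096}" '
        # Keep the last copy seen: logdump may print the inode more than once.
        $1 == "User:"   { for (i = 1; i < NF; i++) if ($i == "Size:") size = $(i + 1) }
        $1 == "Blocks:" { blocks = $0 }
        END {
            n = split(blocks, f, " ")
            if (n < 3) { print "no block ranges in input" > "/dev/stderr"; exit 1 }
            for (i = 2; i < n; i += 2) {
                ext = f[i]; gsub(/[():]/, "", ext); split(ext, lc, "+")
                printf "dd if=%s of=%s.raw bs=%s skip=%s seek=%s count=%s conv=notrunc\n", \
                       dev, out, bs, f[i + 1], lc[1], lc[2]
            }
            # dd copies whole blocks; trim to the byte size stored in the inode.
            if (size != "") printf "head -c %s %s.raw > %s\n", size, out, out
        }'
}

# Inode dump copied from step 3 of the thread (abridged).
SAMPLE='    Inode: 579917   Type: regular        Mode:  0644   Flags: 0x0
    User:     0   Group:     0   Size: 20
    Fragment:  Address: 0    Number: 0    Size: 0
    Blocks:  (0+1): 619053'

# /mnt/recovery is a placeholder for a mount point on a different filesystem
# than the one being recovered, so the copy cannot overwrite the freed blocks.
printf '%s\n' "$SAMPLE" | plan_recovery /dev/hda3 /mnt/recovery/test.txt
```

Review the printed commands before running them as root; the block size must match the filesystem's (4096 in the thread).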

Author

Commented:
Thanks for your suggestion
