How to Restore a Deleted File in Linux

Last update at 6/8/2020 by


If you have accidentally deleted a file in Linux, no worries; you should be able to restore it, as long as that area of disk has not yet been overwritten. This post will show you how you can easily restore a deleted file in Linux.
To do this we will use Foremost, which searches a disk or raw image file and recovers files based on their headers, footers, and internal data structures.

Install Foremost

Foremost is available for most Linux distributions.


We should be able to install Foremost in Linux Mint, Debian, or Ubuntu by executing the command below:


By default, Foremost is not available in any of the standard CentOS/RHEL repositories, so we will install it directly from the RPM.
This RPM is for el7, while el6 can be found here.
Failing these options, you can download the Foremost source here.
In this example we are using CentOS 7, but once Foremost is installed, the rest of the steps are the same on any other Linux distribution.

Deleting a File

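Now that Foremost is installed, we will delete a file. It's worth remembering that Foremost does not have to be installed before the file is removed; that is just the order we happen to do things in here. Keep in mind that anything written to the disk after the deletion, including a newly installed package, can overwrite the deleted data.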
In this example, we are going to remove the image.jpg file shown below.

file image.jpg
image.jpg: JPEG image data, JFIF standard 1.01
md5sum image.jpg
f2b6f5c9f3795363cddfd6aae6d1ba0d  image.jpg

We are going to use this information later to confirm that the file was successfully restored. Now we are going to remove the file with the rm command.

rm -f image.jpg

Restore a Deleted File

Now, we will be creating a directory to restore our files to. Foremost needs an empty directory for this purpose, so we will create /root/restored/.

mkdir /root/restored

We should now be ready to run the foremost command and restore our image file. The -i switch specifies the disk or image file that we would like to search, while -t restores only files of the specified type. The type is specified because Foremost searches the disk based on the headers which that type of file uses. Foremost supports a wide variety of file types; check the foremost man page for the full list.

foremost -i /dev/sda3 -t jpg -o /root/restored/
Processing: /dev/sda3

This should take approximately 2 minutes to finish on an 18 GB disk.
This is going to find any .jpg files in /dev/sda3 and restore them to the /root/restored directory, as long as the space they are using on the disk has not yet been overwritten by anything else.

If we look within our /root/restored directory, we will notice that our image file has successfully been restored. The md5 hash of the file should be the same as it was before we removed it.

md5sum /root/restored/jpg/18608472.jpg
f2b6f5c9f3795363cddfd6aae6d1ba0d  /root/restored/jpg/18608472.jpg

Since file names are not stored inside the file itself, it is not possible to restore the file with its original file name; however, the data should still be there.
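
The header and footer search described above, and the hash check used to pick out the right recovered file, can be sketched as follows. This is an added example, not Foremost's own code: it is a simplified carver that assumes the file is stored contiguously, the function names are hypothetical, and the "disk image" is a constructed byte string.

```python
import hashlib

JPEG_HEADER = b"\xff\xd8\xff"  # SOI marker followed by the start of the next marker
JPEG_FOOTER = b"\xff\xd9"      # EOI marker
MAX_CARVE = 20 * 1024 * 1024   # assumed cap on how far to look for a footer

def carve_jpegs(image, max_size=MAX_CARVE):
    """Yield (offset, data) for every header..footer span in a raw image."""
    pos = 0
    while True:
        start = image.find(JPEG_HEADER, pos)
        if start == -1:
            return
        end = image.find(JPEG_FOOTER, start + len(JPEG_HEADER), start + max_size)
        if end == -1:
            pos = start + 1  # header with no footer in range: skip it
            continue
        end += len(JPEG_FOOTER)
        yield start, image[start:end]
        pos = end

def md5_hex(data):
    return hashlib.md5(data).hexdigest()

def find_by_md5(image, wanted_md5):
    """Offsets of carved files whose MD5 equals the hash noted before deletion."""
    return [off for off, data in carve_jpegs(image) if md5_hex(data) == wanted_md5]

def build_sample_image():
    """Constructed sample: one JPEG-like blob between filler, then a stray header."""
    jpeg = JPEG_HEADER + b"\xe0\x00\x10JFIF\x00" + bytes(range(1, 200)) + JPEG_FOOTER
    image = b"\x00" * 1024 + jpeg + b"\xaa" * 512 + JPEG_HEADER + b"\x00" * 256
    return image, jpeg

if __name__ == "__main__":
    image, original = build_sample_image()
    wanted = md5_hex(original)  # plays the role of the md5sum taken before rm
    for offset, data in carve_jpegs(image):
        status = "match" if md5_hex(data) == wanted else "other file"
        print(f"{offset}.jpg  {len(data)} bytes  {md5_hex(data)}  {status}")
    print("offsets matching original:", find_by_md5(image, wanted))
```

The carver only ever sees raw bytes, so the one label it can give a recovered file is where it was found, and comparing hashes is how the right file is identified among the results.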

Final Thoughts

We installed the Foremost tool on our CentOS 7 machine and used it to restore a deleted file. Using the md5 hash of the file before and after recovery, we can confirm that the exact same file has successfully been recovered.
Foremost is a very easy to use tool to perform data carving; we’ve used it before with some success in a number of Capture the Flag (CTF) style challenges.