Ever deleted an important file? I haven’t recently done this on Linux, but when I used Windows I had a utility for recovering deleted files. Ubuntu Unleashed reported on some data recovery methods on Ubuntu, so I decided to try one of them out.
Foremost is a command line utility for finding and recovering deleted files based on their type. It was origionally developed for the US Air Force Office of Special Investigations.
How is this type of data recovery possible? When you delete a file, the data is not really overwritten. The pointer in the filesystem to the file is simply removed so the disk area can be overwritten when necessary. The more the disk is written to after the file is deleted, the larger the chance it will be overwritten and become unrecoverable.
I decided to test out Foremost in a virtual machine. First, I created some JPEG images, deleted them, and emptied the trash. Next, I shutdown the system and booted up the Ubuntu 8.04 Beta live-CD. Live-CDs don’t write to the hard disk, so they work well for data recovery.
The universe repository needs to be enabled, I did this from
System->Administration->Software Sources. From the terminal I installed
sudo apt-get install foremost
You need to know your target partition’s path to recover from it. I simply
System-Administration->Partition Editor and saw the the home partition
Let’s recover some JPEG images:
sudo foremost -t jpeg -i /dev/sda1
This command causes Foremost to create a directory called output and put every file it can recover in. This could take a while.
Hopefully your images won’t look anything like this (they will if you are too
For more details on what file types you can recover, see the manpage for Foremost.
Foremost isn’t the greatest solution; it recovers every file it sees and doesn’t
support very many file types. It is possible to add types to the
/etc/foremost.conf file, but it doesn’t look an easy task. However, if you’ve
lost a bunch of photos or documents, Foremost could be just what you need.