Quick Links

Have you ever deleted a file and instantly regretted it? You need it back, and fast! But what if the file is so new, it hasn't yet been backed up? Fortunately, there's something you can do about it.

rm: Short for Remorse?

It's all too easy to use the

        rm
    

command and find yourself staring at a terminal window with a deepening sense of regret. One small mistake with wildcards, and you can wipe out a lot more than you intended to.

The default Linux file system, 

        ext4
    

uses inodes to hold data about each file and an inode table to keep track of the inodes. The inode contains metadata about the file, such as its name, who owns it, what the permissions are, and so on.

It also contains entry points to hard links that point to the file. Each file has at least one hard link. Each time you create a new hard link, the hard link count increases by one. Each time you remove a hard link, the hard link count in the inode is reduced by one.

When you delete a file the inode has marked as unused (and ready for reuse), the last hard link is removed. When this happens, the file won't appear in directory listings, and it cannot be used or accessed.

However, the data that made up the contents of the file is still present on the hard drive. If you could patch the inode so it contained the correct information, though, the file would be restored. Of course, this would only work if the data that makes up the file on the hard drive remains intact and isn't overwritten.

Alternatively, you could create a new inode, copy the surviving data from the old inode, and then replace the missing bits.

Those are nontrivial activities. Usually, when you delete a file by mistake, it's at the worst possible moment. It's always when you need that file, and you need it now. You don't have time to get down and dirty with sector editors and other utilities. Plus, if it's a file you just created, it likely hasn't yet been backed up, so those won't help you, either.

This where testdisk comes in. It's easy to use and doesn't require detailed, low-level knowledge of the filesystem. Let's take a look at how to use it!

Related: Everything You Ever Wanted to Know About inodes on Linux

Installing testdisk

To install testdisk on Ubuntu, use this command:

sudo apt-get install testdisk

sudo apt-get install testdisk in a terminal window

On Fedora, you need to type:

sudo dnf install testdisk

sudo dnf install testdisk in a terminal window

On Manjaro, you have to use pacman:

sudo pacman -Sy testdisk

sudo pacman -Sy testdisk in a terminal window

Using testdisk

Although it runs in a terminal window, testdisk does have a rudimentary interface. You use the arrow keys to navigate and Enter to make a selection. To keep things neat, it's best to create a directory for restored files.

We type the following to create a directory called "restored" for our restored files:

mkdir restored

mkdir restored in a terminal window

We type the following to switch to the new directory and start testdisk from there:

cd restored/

cd restored in a terminal window

We have to use sudo with testdisk, so we type the following:

sudo testdisk

sudo testdisk in a terminal window

The first question testdisk asks is about logging. It can create a new log file, use an existing one, or not log anything at all. It doesn't matter which option you choose; it won't affect the way testdisk operates.

The logging options in testdisk in a terminal window

You can just press Enter to accept the highlighted option and create a new log file. It will be created in the directory from which you started testdisk. When you make your selection, testdisk asks which hard drive holds the file system on which you want to work.

It lists the hard drives it can find, as well as the squashfs "/dev/loop" files. There'll be one of these for each application you've installed from a snap. They're read-only, so you shouldn't have managed to delete anything from these file systems.

Hard drive menu in testdisk in a terminal window

There's only one physical hard drive in this test computer, so we used the down arrow to highlight the "/dev/sda" option. We then used the right arrow to select "Proceed," and then pressed Enter.

The option selector moved tot he Proceed option in a terminal window

testdisk also needs to know the partition type. It presents a menu of options, along with the type of partition it's autodetected at the bottom.

Partition table type menu in testdisk in a terminal window

Unless you have a good reason not to, highlight the type of partition that's autodetected, and then press Enter.

In the function menu that appears, highlight "Advanced," and then press Enter.

Function menu in testdisk in a terminal window

The partition selection menu will appear.

Partition selection menu in testdisk in a terminal window

The files we're looking for are in the Linux filesystem partition. We only have one Linux partition on our hard drive, but you might have more.

Select the partition your files were on, use the left and right arrow keys to select "List," and then press Enter. The file-selection menu will appear.

File selection menu in testdisk in a terminal window

Use the up and down arrows or the PgUp and PgDn keys to navigate the list of files and directories. Press the right arrow or Enter to enter a directory, and the left arrow or Esc to exit a directory.

We're looking for files that were owned by dave. The files for all user accounts are in the "Home" directory. So, we highlight the "Home" directory, and then we can press either the right arrow or Enter to enter that directory.

All the user accounts are then listed for us. We highlight dave, and then press the right arrow or Enter to enter that directory.

home directory listed in testdisk in a terminal window

We can now see the files that belong to the dave account. The entries in red have been deleted. We navigate through the files and directories until we locate the files we want to recover.

deleted files highlighted in red in testdisk in a terminal window

To recover a file, just highlight it, and then press c (lowercase).

The display changes and tells you to choose a destination for the recovered file. Because we created a directory called "Restored" and started testdisk from it, the first entry in the list (.) is that directory. To recover this deleted file to that directory, we press C (uppercase).

File destination menu in testdisk in a terminal window

After you do this, you're returned to the file-selection display. If you want to recover more files, just repeat the process. Highlight a deleted file, press c (lowercase) to copy it, and then press C (uppercase) to recover it.

Working with Restored Files

After you restore a file, the directory tree to its original location is reconstructed, which is useful because it reminds you where on the hard drive the original file used to reside. This means if you need to copy it back, you know where to put it.

If you recover a number of files from different filesystem locations that happen to have the same file name, they'll need to be stored separately anyway.

You can type the following to see the contents of the "Restored" directory:

ls

If you asked testdisk to create a log file, it'll be in the "Restored" directory. Because our recovered files were located at "/home/dave," they've been copied to our "Restored" directory, nested in directories with the same name.

We can change into the copied "dave" directory using cd. Make sure you don't include a leading forward slash (/) on the path---you want to change into the local "home," not the system "/home."

We type the following:

cd home/dave

The recovered files are in that directory, so we type:

ls

ls in a terminal window

Let's take another look at the recovered files using the -l (long listing) option:

ls -l

ls -l in a terminal window

Because we used sudo to launch testdisk, the recovered files have been restored with "root" as the owner. We can change the owner back to "dave" using chown:

sudo chown dave.dave *

sudo chown dave.dave * in a terminal window

We type the following to make sure the correct ownership has been restored:

ls -l

ls -l in a terminal window

testdisk: Code for Relief

That feeling of relief after you recover an important file that, just a moment ago, felt irretrievably lost, is something you'll always appreciate.

That's why testdisk is such a handy utility. After you make it through the menus and can start restoring files, it's easy to fall into a rhythm of highlight, c, C, repeat.

Linux Commands

Files

tar · pv · cat · tac · chmod · grep ·  diff · sed · ar · man · pushd · popd · fsck · testdisk · seq · fd · pandoc · cd · $PATH · awk · join · jq · fold · uniq · journalctl · tail · stat · ls · fstab · echo · less · chgrp · chown · rev · look · strings · type · rename · zip · unzip · mount · umount · install · fdisk · mkfs · rm · rmdir · rsync · df · gpg · vi · nano · mkdir · du · ln · patch · convert · rclone · shred · srm · scp · gzip · chattr · cut · find · umask · wc · tr

Processes

alias · screen · top · nice · renice · progress · strace · systemd · tmux · chsh · history · at · batch · free · which · dmesg · chfn · usermod · ps · chroot · xargs · tty · pinky · lsof · vmstat · timeout · wall · yes · kill · sleep · sudo · su · time · groupadd · usermod · groups · lshw · shutdown · reboot · halt · poweroff · passwd · lscpu · crontab · date · bg · fg · pidof · nohup · pmap

Networking

netstat · ping · traceroute · ip · ss · whois · fail2ban · bmon · dig · finger · nmap · ftp · curl · wget · who · whoami · w · iptables · ssh-keygen · ufw · arping · firewalld

RELATED: Best Linux Laptops for Developers and Enthusiasts