Recovering removed files

January 2019, Ottawa


So, you're working late at night and, for some mysterious reason, you type this in the terminal:

$ rm *

Disaster. Right, I know, you should always use a version control system like Git and blah blah blah. But the point here is: you just removed your files. Is there any way to get them back? Maybe.

So, first of all, if you can unmount the partition where you just removed the files, that would be great. In any case, avoid writing anything to that partition: don't save files, don't create new files, and so on. The reason is that when you remove a file with rm, you are not necessarily erasing the data on disk. It depends on the system, but it's likely that rm has only removed the pointer to the storage location and then tagged the space as "free". It didn't overwrite it with zeros or anything else.
In other words, the data may still be there. So avoid overwriting it accidentally by saving something on top of it.

At this point there are a number of methods to try to recover your data. A very powerful one is photorec. In Debian for example, it's available in the testdisk package.

$ sudo apt-get install testdisk # in Debian
$ sudo photorec

Once you install and open it, you'll get an interactive menu where you can pick which hard drive to scan. You can ask to scan for "Free Space only" or for a full scan. In our scenario, we need to scan the free space (our file was "removed" and tagged as free space).
Note that it can take a lot of time on large drives. In my case, I have an SSD hard drive with only some 2 GB of free space left, so it took just a few minutes.

Photorec will ask you where to write the output, and will create a series of folders full of the stuff that it could find. The names of the files in those folders are quite cryptic. If, like me, you have lost some source code, you will most likely find it saved as a ".txt" file. You can look for some keywords (say, "ADVECT_BORIS"), using a command like:

$ grep -R -win --include='*.txt' 'ADVECT_BORIS' * > file_grep.txt

The result may look like:

recup_dir.4/f50650640.txt:3904:   SUBROUTINE ADVECT_BORIS
recup_dir.4/f50650640.txt:3964:   END SUBROUTINE ADVECT_BORIS

Hey, there it is! Next time, I may be less lucky...
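
A keyword hit does not tell you whether a recovered file holds the whole routine or only a piece of it. The script below is an added example, not part of the original post: it classifies each recovered .txt file by whether both the opening and the END line of a Fortran subroutine are present, then extracts the routine from the complete ones. The function names and the sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original post. Function names and the sample
# files are constructed; NAME is assumed to hold no regex metacharacters.

up() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

# routine_state NAME FILE -> "complete", "truncated" or "absent".
# complete = opening SUBROUTINE line and a later END SUBROUTINE line both present.
routine_state() {
    awk -v n="$(up "$1")" '
        { u = toupper($0) }
        u ~ ("END[ \t]+SUBROUTINE[ \t]+" n "([^A-Z0-9_]|$)") { seen = 1; if (opened) closed = 1; next }
        u ~ ("SUBROUTINE[ \t]+" n "([^A-Z0-9_]|$)") { seen = 1; opened = 1 }
        END { print (closed ? "complete" : (seen ? "truncated" : "absent")) }
    ' "$2"
}

# complete_candidates NAME DIR... -> recovered .txt files holding the whole routine.
complete_candidates() {
    name=$1; shift
    find "$@" -type f -name '*.txt' | sort | while IFS= read -r f; do
        if [ "$(routine_state "$name" "$f")" = complete ]; then printf '%s\n' "$f"; fi
    done
}

# extract_routine NAME FILE -> the routine, opening line through its END line.
extract_routine() {
    awk -v n="$(up "$1")" '
        { u = toupper($0); is_end = (u ~ ("END[ \t]+SUBROUTINE[ \t]+" n "([^A-Z0-9_]|$)")) }
        !on && !is_end && u ~ ("SUBROUTINE[ \t]+" n "([^A-Z0-9_]|$)") { on = 1 }
        on { print }
        on && is_end { exit }
    ' "$2"
}

# Constructed sample that mimics PhotoRec's recup_dir.N/fNNNNNNN.txt layout.
make_sample() {
    d=$(mktemp -d) && mkdir "$d/recup_dir.1" "$d/recup_dir.2" || return 1
    printf '%s\n' '   SUBROUTINE ADVECT_BORIS' '   x = x + v*dt' \
        > "$d/recup_dir.1/f0000001.txt"    # tail of the routine was lost
    printf '%s\n' 'MODULE m' '   SUBROUTINE ADVECT_BORIS' '   x = x + v*dt' \
        '   END SUBROUTINE ADVECT_BORIS' 'END MODULE m' \
        > "$d/recup_dir.2/f0000002.txt"    # whole routine survived
    printf '%s\n' "$d"
}

s=$(make_sample)
complete_candidates ADVECT_BORIS "$s"/recup_dir.* | while IFS= read -r f; do
    echo "== $f"; extract_routine ADVECT_BORIS "$f"
done
rm -rf "$s"
```

Run it from the directory PhotoRec wrote to, passing your own routine name and `recup_dir.*` in place of the sample.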

This story also tells us a lot about the stuff that we intentionally want to delete from the hard drive, and how easy it can be for people with average computer skills to retrieve it. If you want to be a bit more sure, a common strategy consists of overwriting your disk with bytes, not just removing stuff.