How to Restore a Deleted File in Linux

If you have accidentally deleted a file in Linux, you can probably still restore it, as long as the blocks it occupied on disk have not yet been overwritten. Stop writing to that disk as soon as you notice the deletion: every write is a chance of losing the data for good. This post shows how to restore a deleted file in Linux with Foremost.

Foremost is a data carving tool: it scans a disk or raw image file for the headers, footers, and internal structure of known file types, and copies out every file it recognises, regardless of what the filesystem metadata says about it.

Install Foremost

Foremost is available in many different distributions of Linux.

Mint/Debian/Ubuntu

We can install Foremost in Linux Mint, Debian, or Ubuntu by simply running the following command.

apt-get install foremost

CentOS/RHEL

Foremost is not in the standard CentOS/RHEL repositories, so we install it directly from a third-party RPM published by the CERT forensics repository. As with any package from outside your distribution, check its signature before trusting it on a production system.

yum install https://forensics.cert.org/centos/cert/7/x86_64//foremost-1.5.7-13.1.el7.x86_64.rpm -y

This RPM is for el7; an el6 build can be found here.

Failing these options, you can download the Foremost source here.

In this example we are using CentOS 7; once Foremost is installed, the rest of the steps are the same on any Linux distribution.

Deleting a File

Now that Foremost is installed, let's delete a file. Foremost does not need to be installed before the file is deleted; that is simply the order things were done in here. Note, though, that installing packages after the deletion writes to disk, and any write risks overwriting the blocks you want back. If the file matters, install Foremost on another system (or boot a live image) and work on the affected disk read-only.

In this example we will be removing the image.jpg file shown below.

# file image.jpg
image.jpg: JPEG image data, JFIF standard 1.01
# md5sum image.jpg
f2b6f5c9f3795363cddfd6aae6d1ba0d  image.jpg

We'll use this information later to verify that the file has been restored intact. Now we'll delete the file using the rm command.

# rm -f image.jpg

Restore a Deleted File

Next we'll create a directory to restore our files to. Foremost refuses to write into a non-empty output directory, so we'll make /root/restored/. Ideally the output directory lives on a different disk from the one being carved, because every file Foremost writes could land on the very blocks you are trying to recover.

# mkdir /root/restored

Now we are ready to run Foremost and recover the image. The -i switch names the device or raw image file to scan, -o the output directory, and -t the file type (or comma-separated list of types) to carve. Foremost finds files by looking for the header bytes each type starts with, so it needs to know which types you are after; -t all selects every built-in type. Check the foremost man page for the full list of supported formats. Run it as root, since it reads the block device directly.

# foremost -i /dev/sda3 -t jpg -o /root/restored/
Processing: /dev/sda3
|**************************************************************************************************************************************************************************************|

This took approximately 2 minutes to complete on an 18 GB disk. Foremost scans /dev/sda3 for JPEG headers and carves every JPEG it finds into /root/restored/, deleted or not, as long as the blocks holding the data have not been overwritten. Expect more than one file if the disk holds other images.

Foremost names each carved file after the block offset at which it found the header, so look inside /root/restored/jpg/ for the recovered image. The md5 hash of the carved file is exactly the same as the hash we took before deleting it.

# md5sum /root/restored/jpg/18608472.jpg
f2b6f5c9f3795363cddfd6aae6d1ba0d  /root/restored/jpg/18608472.jpg

The file name is not stored within the file itself, so a carved file cannot come back with its original name; the contents, however, are all there. The same limitation applies to the file type: carving only works for formats Foremost can recognise by a header signature, so formats with no fixed signature, such as plain text, cannot be carved by type. Carved files can also be cut short or run past their true end when a type has no reliable footer, so always verify the result with file, a hash, or by opening it.
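To make the carving step concrete, the following script is an added example, not code from the original post or from the Foremost project: it does by hand, for one JPEG, what foremost -t jpg does for a whole disk. It builds a constructed raw "disk image" (filler bytes, a hand-made 35-byte JFIF stub that is not a real picture, more filler), finds the JPEG start-of-image marker FF D8 FF and the end-of-image marker FF D9 in the raw bytes, copies the span between them out, and compares md5 hashes before and after just as the post does. The helper names (make_image, carve_jpeg, demo) and the layout of the image are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original post or from Foremost itself: a minimal
# signature carver showing how header/footer carving recovers a deleted JPEG
# from raw bytes. The "disk image" and the JPEG inside it are constructed here.
set -u

WORK=$(mktemp -d)

# Write the constructed image (filler, tiny JPEG, filler) and print its path.
make_image() {
  # 20-byte JFIF header + 13-byte ASCII payload + 2-byte EOI marker = 35 bytes
  printf '\377\330\377\340\000\020JFIF\000\001\001\000\000\001\000\001\000\000%s\377\331' \
    'PAYLOAD-BYTES' > "$WORK/original.jpg"
  head -c 4096 /dev/zero | tr '\000' x  > "$WORK/disk.img"   # bytes before the file
  cat "$WORK/original.jpg"              >> "$WORK/disk.img"
  head -c 4096 /dev/zero | tr '\000' y  >> "$WORK/disk.img"   # bytes after the file
  printf '%s\n' "$WORK/disk.img"
}

# carve_jpeg IMAGE OUT: carve the first JPEG found in IMAGE into OUT.
# Prints "<byte offset> <length>" and returns 0, or returns 1 if none is found.
carve_jpeg() {
  # Dump the image as one continuous hex string so awk can search it (-v keeps
  # od from collapsing the repeated filler lines into "*").
  hex=$(od -An -v -tx1 "$1" | tr -d ' \n')
  offsets=$(printf '%s\n' "$hex" | awk '
    # find(): byte offset of the first byte-aligned hex needle at or after
    # character position from (1-based), or -1. The alignment check rejects a
    # match that straddles two bytes, e.g. "?f fd 8f f?".
    function find(h, needle, from,   p) {
      while ((p = index(substr(h, from), needle)) > 0) {
        p += from - 1
        if ((p - 1) % 2 == 0) return (p - 1) / 2
        from = p + 1
      }
      return -1
    }
    {
      soi = find($0, "ffd8ff", 1)            # start-of-image marker
      if (soi < 0) exit 1
      eoi = find($0, "ffd9", 2 * soi + 7)    # end-of-image, searched after the SOI bytes
      if (eoi < 0) exit 1                    # no footer: foremost would carve up to its size limit
      print soi, eoi + 2 - soi
    }') || return 1
  start=${offsets%% *}
  length=${offsets#* }
  # tail -c +N starts at byte N (1-based): skip "start" bytes, then take "length".
  tail -c +$((start + 1)) "$1" | head -c "$length" > "$2"
  printf '%s\n' "$offsets"
}

# demo: carve the JPEG back out and print the md5 of the carved copy, but only
# if it matches the original, i.e. the same before/after check the post does.
demo() {
  img=$(make_image)
  carve_jpeg "$img" "$WORK/carved.jpg" > /dev/null || return 1
  before=$(md5sum < "$WORK/original.jpg" | cut -d' ' -f1)
  after=$(md5sum < "$WORK/carved.jpg" | cut -d' ' -f1)
  [ "$before" = "$after" ] || return 1
  printf '%s\n' "$after"
}

demo
```

Run it and it prints one md5 sum: the carved file is byte-identical to the original, even though nothing about its name survived, which is exactly why Foremost has to invent a name from the offset. The same structure explains the limits mentioned above: a type with no header cannot be found at all, and a type with no footer has to be cut at a fixed maximum size.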

Summary

We installed the Foremost tool on our CentOS 7 machine and used it to restore a deleted file. Comparing the md5 hash of the file before and after recovery confirms that exactly the same file was recovered.

Foremost is a simple tool for data carving; I have used it with some success in a number of Capture The Flag (CTF) style challenges.

  1. Nice tool to install, because I have many clients who say "I have deleted the file mistakenly, is there any quick way to restore it?" Now this seems to be a better option for them.

  2. I tried to do this with an ASCII text file (txt), but I don't know what type of file I must specify when I use the "-t" argument on the foremost command.
