How to Restore a Deleted File in Linux

If you’ve accidentally deleted a file in Linux, don’t worry: you can probably still restore it, as long as the blocks it occupied on disk have not yet been overwritten. This post will show you how to restore a deleted file in Linux using Foremost.

Foremost is able to search a disk or raw image file and recover files based on their headers, footers, and internal data structures, a technique known as file carving. It works on the raw bytes of the device rather than on filesystem metadata, so it does not need the deleted file's directory entry to still exist.

Install Foremost

Foremost is available in many different distributions of Linux.

Mint/Debian/Ubuntu

We can install Foremost in Linux Mint, Debian, or Ubuntu by running the following command as root (or with sudo).

apt-get install foremost

CentOS/RHEL

By default Foremost is not available in any of the standard CentOS/RHEL repositories, so we’ll install it directly from the RPM.

yum install https://forensics.cert.org/centos/cert/7/x86_64//foremost-1.5.7-13.1.el7.x86_64.rpm -y

This RPM is for el7; the el6 build can be found here.

Failing these options, you can download the Foremost source here.

In this example we are using CentOS 7, however once you’ve installed Foremost the rest of the steps should be the same in any Linux distribution.

Deleting a File

Now that Foremost is installed, let’s delete a file. It’s worth noting that Foremost does not need to be installed before the file is deleted; that’s just the order I happened to do things in. In a real recovery, however, write as little as possible to the affected filesystem after the deletion: every write, including a package install, can reuse the freed blocks and destroy the data you are trying to get back.

In this example we will be removing the image.jpg file shown below.

[root@centos7 ~]# file image.jpg
image.jpg: JPEG image data, JFIF standard 1.01
[root@centos7 ~]# md5sum image.jpg
f2b6f5c9f3795363cddfd6aae6d1ba0d  image.jpg

We’ll use this information later to verify that the file has been successfully restored. Now we’ll delete the file using the rm command.

[root@centos7 ~]# rm -f image.jpg

Restore a Deleted File

Next we’ll create a directory to restore our files to. Foremost refuses to write into an output directory that already contains files (alternatively, pass -T and it will time-stamp a fresh output directory on each run), so we’ll make /root/restored/. Ideally the output directory should live on a different disk from the one being searched: writing carved files back onto the same partition you are carving risks overwriting the very blocks you want to recover. For the same reason, on a real incident you would normally image the device first (for example with dd to another drive) and carve the image rather than the live partition.

[root@centos7 ~]# mkdir /root/restored

Now we are ready to run Foremost and restore our image file. The -i switch specifies the disk device or image file to search, -o the output directory, and -t the file type (or comma-separated list of types, or all for every built-in type) to carve. Foremost supports many different file types; check the foremost man page for the full list. The type matters because Foremost never consults the filesystem: it scans the raw bytes for the header and footer signatures that each format uses, and -t selects which signatures it looks for.

[root@centos7 ~]# foremost -i /dev/sda3 -t jpg -o /root/restored/
Processing: /dev/sda3
|**************************************************************************************************************************************************************************************|

This took approximately 2 minutes to complete on an 18 GB disk. Foremost will carve any JPEG data it finds in /dev/sda3 into /root/restored/jpg/, as long as the blocks it occupied have not yet been overwritten by anything else. Note that carving cannot tell deleted data from live data, so you will also get every JPEG that still exists on the partition, and you may get truncated or corrupt files where only part of a file's blocks survived. Foremost also writes an audit.txt in the output directory listing each carved file with the offset and size it was taken from, which is the place to look when a recovered file is not the one you expected.

If we look inside our /root/restored directory, we can see that our image file has been restored under the jpg subdirectory. The MD5 hash of the recovered file is exactly the same as the hash we recorded before deleting it, so the recovery is byte-for-byte complete.

[root@centos7 ~]# md5sum /root/restored/jpg/18608472.jpg
f2b6f5c9f3795363cddfd6aae6d1ba0d  /root/restored/jpg/18608472.jpg

File names (along with ownership, permissions and timestamps) are stored in the filesystem's metadata, not inside the file data itself, so a carved file cannot be given back its original name; Foremost instead names its output after the offset it was carved from. The contents, however, are all there, and a hash taken before the deletion is the reliable way to prove that.
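To make the carving step concrete, here is an added example, written for this page and not code from the original post or from the Foremost project. It is a tiny header/footer carver in POSIX sh that does for JPEG what "foremost -t jpg" does, run against a constructed image file rather than a real disk so it can be executed safely anywhere. The file names, filler layout and sample payloads are all made up for the demo; it relies only on grep, awk, head, tail, tr and md5sum.

```shell
#!/bin/sh
# Added example (not Foremost's code): a minimal JPEG carver that shows the
# header/footer search Foremost performs, on a constructed image. All paths
# and sample data below are hypothetical and created for the demo.
set -eu

# Write a constructed, minimal JPEG-shaped blob: SOI (FF D8), an APP0 "JFIF"
# segment, some payload bytes, then EOI (FF D9). A real decoder would reject
# it, but it carries exactly the signatures a carver keys on.
make_sample_jpeg() {
  path=$1; payload=$2
  {
    printf '\377\330\377\340\000\020JFIF\000\001\001'
    printf '%s' "$payload"
    printf '\377\331'
  } > "$path"
}

# 4 KiB of filler made of the letter 'x', so the padding can never contain an
# FF byte and accidentally look like a marker.
filler() { head -c 4096 /dev/zero | tr '\000' 'x'; }

# Build a fake "partition": filler, then each sample file followed by filler.
make_image() {
  img=$1; shift
  {
    filler
    for f in "$@"; do cat "$f"; filler; done
  } > "$img"
}

# Carve every JPEG-looking span out of an image: for each SOI marker, take the
# bytes up to and including the first EOI marker that follows it. Output files
# are named by byte offset, because no filename exists to recover (Foremost
# likewise derives its names from the carve offset). LC_ALL=C makes grep match
# raw bytes instead of UTF-8 characters; -b with -o gives the match offset.
carve_jpegs() {
  img=$1; out=$2
  mkdir -p "$out"
  soi=$(printf '\377\330\377')
  eoi=$(printf '\377\331')
  eoi_list=$(mktemp)
  LC_ALL=C grep -obaF "$eoi" "$img" | cut -d: -f1 > "$eoi_list"
  LC_ALL=C grep -obaF "$soi" "$img" | cut -d: -f1 |
  while read -r start; do
    end=$(awk -v s="$start" '$1 > s { print $1; exit }' "$eoi_list")
    [ -n "$end" ] || continue          # header with no footer after it: skip
    len=$((end - start + 2))           # include the 2-byte EOI marker
    tail -c +$((start + 1)) "$img" | head -c "$len" > "$out/$start.jpg"
    printf '%s\n' "$out/$start.jpg"
  done
  rm -f "$eoi_list"
}

# The same check the post makes: compare MD5 of the original and the carved
# copy. Returns success only when the two files hash identically.
same_hash() {
  a=$(md5sum "$1" | cut -d' ' -f1)
  b=$(md5sum "$2" | cut -d' ' -f1)
  [ "$a" = "$b" ]
}

# End-to-end run in a scratch directory: two "live" JPEGs go into the image,
# the carver returns both (carving cannot tell deleted from live data), and
# each carved file hashes identically to its source. Prints the match count.
demo() {
  work=$(mktemp -d)
  make_sample_jpeg "$work/a.jpg" 'constructed payload A'
  make_sample_jpeg "$work/b.jpg" 'constructed payload B, a little longer'
  make_image "$work/disk.img" "$work/a.jpg" "$work/b.jpg"
  n=0
  for carved in $(carve_jpegs "$work/disk.img" "$work/restored"); do
    if same_hash "$work/a.jpg" "$carved" || same_hash "$work/b.jpg" "$carved"; then
      n=$((n + 1))
    fi
  done
  rm -rf "$work"
  echo "$n"
}
```

Running demo prints 2: both embedded files come back intact, named by their byte offset, and neither carries its original name. Foremost does the same job with a table of signatures for many formats, sector-aligned output names and an audit.txt, but the principle, and the reason the output directory must not sit on the partition being carved, is the same.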


Summary

We installed the Foremost tool on our CentOS 7 machine and used it to restore a deleted file. By comparing the MD5 hash of the file before deletion with the hash of the recovered copy, we can confirm that exactly the same file has been recovered.

Foremost is a simple tool for data carving; I’ve used it with some success in a number of Capture The Flag (CTF) style challenges.


14 Comments.

  1. Nice tool to install, because I have many clients who say, “I have deleted the file mistakenly, is there any quick way to restore it?” Now this seems to be a better option for them.

  2. I tried to do this with an ASCII text file (txt), but I don't know what type of file I must specify when I use the “-t” argument on the foremost command.

  3. Does it support all types of files? Is there a restriction regarding the total size to be restored?

  4. That’s a wonderful tool. Thanks for the post. Does Foremost support wildcards for the type parameter (e.g. *.* for all file types), or is there another way to pass such a parameter?

    • The config file mentions this:

      # To match any single character (aka a wildcard) use a ‘?’. If you need to
      # search for the ‘?’ character, you will need to change the ‘wildcard’ line
      # *and* every occurrence of the old wildcard character in the configuration
      # file.

  5. You can try this script. Works nicely and is meant to be used in place of rm.

    https://github.com/nateshmbhat/safe-rm

    ### Features :
    + meant to be used in place of rm
    + handles all arguments that rm can take
    + handles the file name collisions with the files already in trash
    + handles some permission issues automatically
    + if rm is called from any other script or indirectly then the system ‘rm’ command is used automatically
    + shows the appropriate error messages like those which arise in `rm`

  6. Hi, how do I restore for a specific date only? We are getting all the past deleted data as well. Can anyone kindly help us?

    • Not aware of a method to do that, as typically information such as date and file name metadata is stripped when restoring the raw data.

  7. I’ve installed the latest version, foremost.x86_64 0:1.5.7-13.1.el7, on CentOS 7, and when I used the same command I got the syntax error menu…
    -i is referred to specify an input file and not a physical drive.

  8. Until how many days after deletion can we actually restore the data? Is there any limit on the number of days within which the data can be restored?

  9. Does someone know any other method for non-root users? Please help us.

  10. Hello folks, can someone help me to recover deleted directories from a certain date/period of time?
    Thanks in advance…
