LinuxQuestions.org

D-kikin 11-22-2015 09:46 AM

Recover deleted images with standard Linux tools from the command line
 
Intro: On my quest to master the Linux command line I enrolled in a Linux class. Assistance provided will aid me in answering this Linux challenge.

I am a firm believer in teaching how to fish vs. get a fish. So I researched for two days. Unfortunately all the stuff I found did not quite address my unique problem or I am not understanding a concept; hence me being here.

Problem: A user copied some image files to ~/Image/folder. After she transferred the images the user deleted the files. I am to recover the deleted files. I was not told any other information like the name of the files/folder.

Research: Upon research I read about the following downloadable applications that would make this task a no-brainer:
- TestDisk
- PhotoRec
- etc

BUT the problem is I am required to use tools that came with the distro.
It didn't look like extundelete or ext3undel was installed; no man page found. I did however find 'dd' and 'debugfs' but I am not sure how those would be helpful.

I tried using 'debugfs' but couldn't get it to work. I could find /dev mount point. After running the 'df' on the distro the following is the output:

Filesystem Size Used Available Use% Mounted On
rootfts 908.9M 457.7M 451.2M 50% /
tmpts 908.9M 457.7M 451.2M 50% /
tmpts 504.9M 0 504.9M 0% /dev/shm

{Can someone explain this?}

Attempts:

- Then I tried running the following command {Not sure if this could help}: 'debugfs /usr/kayt' and got the following error: 'Attempt to read block from filesystem resulted in short read while opening filesytem'

Then I tried: grep -b 'search-text' /dev/partition > file.txt
but again there is no /dev to umount.

I am not sure what else to do so please help. I am a newbie to Linux so please keep your comments straightforward. I have a very basic knowledge of the OS so please provide examples of syntax when replying. Thanks for your help.

topernic 11-22-2015 10:52 AM

What distro are you using?

TestDisk and PhotoRec can be installed on Linux - http://www.cgsecurity.org/wiki/TestDisk_Download

D-kikin 11-22-2015 10:59 AM

Quote:

Originally Posted by topernic (Post 5453632)
What distro are you using?

TestDisk and PhotoRec can be installed on Linux - http://www.cgsecurity.org/wiki/TestDisk_Download

Linux 2.6.30.6 - SLITAZ i686

For the purpose of the assignment I am not allowed to install any tools. I must use the tools it came pre-installed with.

normanlinux 11-22-2015 02:46 PM

Quote:

Originally Posted by D-kikin (Post 5453636)
Linux 2.6.30.6 - SLITAZ i686

For the purpose of the assignment I am not allowed to install any tools. I must use the tools it came pre-installed with.

Sounds like your tutor is a plonker! Although you could suggest looking in the recycle bin since most graphical interface tools do a soft delete and move the deleted files there. Since your assignment didn't say that the files were deleted from the command line you should be good to go.

D-kikin 11-22-2015 03:35 PM

No Trash Can
 
Quote:

Originally Posted by normanlinux (Post 5453739)
Sounds like your tutor is a plonker! Although you could suggest looking in the recycle bin since most graphical interface tools do a soft delete and move the deleted files there. Since your assignment didn't say that the files were deleted from the command line you should be good to go.

My day just seems to be getting better. I just spent 30 mins looking for the trash can/recycle bin following this with no luck. However, I was able to find /root/.local/share, but no trash.

Billy W 11-22-2015 06:46 PM

Quote:

Originally Posted by D-kikin (Post 5453636)
Linux 2.6.30.6 - SLITAZ i686

For the purpose of the assignment I am not allowed to install any tools. I must use the tools it came pre-installed with.

grep is a standard command and is installed on many Linux systems.

Since you are not allowed to install anything for your assignment, you can try this:

Recovering Deleted Files with Grep

This video is from Kris Occhipinti, a well-known Linux expert. I learned a lot of Linux tips and tricks from his channel. The instructions start 7 mins into the video.

BUT! If it were me, I would use testdisk/photorec over the method above.

BTW, the usual steps to ensure recovery of files is to stop writing to the disk immediately. Rebooting the system with a livecd or liveUSB and then run testdisk/photorec from the livecd/liveUSB and writing the recovered files to another partition or drive.

Testdisk/photorec can also be filtered to recover only certain files e.g. images.

Anyway, good luck
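
The grep-based recovery mentioned in the post above, as an added example that is not part of the original thread: it finds JPEG start and end markers in a raw image with grep -b and copies each byte range out with dd. The function names, the sample image and its contents are constructed for illustration; it assumes GNU grep (-o, -b, -a) and a raw image file or block device that can be read, and it treats the first end marker after each start marker as the end of the file.

```shell
#!/bin/sh
# Added example: carve JPEG data out of a raw image with grep and dd.
# Assumption: files are stored contiguously (no fragmentation).

SOI=$(printf '\377\330\377')   # JPEG start-of-image marker plus next marker byte
EOI=$(printf '\377\331')       # JPEG end-of-image marker

# offsets IMAGE PATTERN -> one byte offset per line for every match
offsets() {
    LC_ALL=C grep -obaF -e "$2" "$1" | LC_ALL=C cut -d: -f1
}

# carve_jpegs IMAGE OUTDIR -> writes OUTDIR/carved_<offset>.jpg, prints the count
carve_jpegs() {
    img=$1; out=$2; n=0
    mkdir -p "$out"
    ends=$(offsets "$img" "$EOI")
    for start in $(offsets "$img" "$SOI"); do
        for end in $ends; do
            if [ "$end" -gt "$start" ]; then
                len=$((end + 2 - start))   # include the 2-byte end marker
                # bs=1 is slow but gives exact byte positions in any dd
                dd if="$img" of="$out/carved_$start.jpg" bs=1 \
                   skip="$start" count="$len" 2>/dev/null
                n=$((n + 1))
                break
            fi
        done
    done
    echo "$n"
}

# make_sample FILE -> constructed image: zero filler with two fake JPEG bodies
make_sample() {
    {
        head -c 1000 /dev/zero
        printf '\377\330\377\340FIRST-PICTURE\377\331'
        head -c 500 /dev/zero
        printf '\377\330\377\340SECOND\377\331'
        head -c 300 /dev/zero
    } > "$1"
}
```

On real media, run it against a read-only copy of the partition and write the output directory to a different filesystem. Fragmented files and JPEGs with embedded thumbnails will come out truncated under the first-end-marker rule.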

D-kikin 11-22-2015 06:57 PM

No /dev to umount
 
Quote:

Originally Posted by Billy W (Post 5453804)
grep is a standard command and is installed on many Linux systems.

Since you are not allowed to install anything for your assignment, you can try this:

Recovering Deleted Files with Grep

This video is from Kris Occhipinti, a well-known Linux expert. I learned a lot of Linux tips and tricks from his channel. The instructions start 7 mins into the video.



If it were me, I would use testdisk/photorec over the method above.

BTW, the usual steps to ensure recovery of files is to stop writing to the disk immediately. Rebooting the system with a livecd or liveUSB and then run testdisk/photorec from the livecd/liveUSB.

Testdisk/photorec can also be filtered to recover only certain files e.g. images.

Anyway, good luck

I did watch his video. But in his video he demos using a USB that was mounted and umounted. I am using a distro that is a VM and no /dev (see my output from running 'df'). I am not sure if I can umount the filesystems on the distro (see my output from running the 'df' command). I also read about the tools you mentioned but am not allowed to use them.

chrism01 11-22-2015 07:03 PM

I just wanted to emphasise this
Quote:

BTW, the usual steps to ensure recovery of files is to stop writing to the disk immediately. Rebooting the system with a livecd or liveUSB and then run testdisk/photorec from the livecd/liveUSB.

As soon as the system removes a file, the relevant disk blocks are marked as available for (re-)use.
Hence, even in a test env, you need to stop using that partition asap.

D-kikin 11-22-2015 07:11 PM

Quote:

Originally Posted by chrism01 (Post 5453808)
I just wanted to emphasise this

As soon as the system removes a file, the relevant disk blocks are marked as available for (re-)use.
Hence, even in a test env, you need to stop using that partition asap.

I understand that. The problem I'm having is I do not know how to do exactly that; that is if that is the way to get back the files.

chrism01 11-22-2015 07:40 PM

Basically you need to unmount the partition (umount cmd as root user), but this only works if nothing is using it, else it'll say 'filesystem busy...' or similar.

It's good for you to learn about tools that theoretically can recover files, but in the real world you'd normally rely on backups, especially for a shared or server system.
Unmounting and/or shutting down a system may not be an option.

(PS that's not a typo; the umount cmd really does not have an 'n' in the name ;) )

rknichols 11-22-2015 07:50 PM

If your only access is through the VM running on that filesystem, your options are very limited. You could try "debugfs -w rootfs", use "ls -d" on likely directories to find deleted files, and then "undel <inode_number> pathname" to attempt recovery. However, "undel" can leave the filesystem in an inconsistent state requiring fsck, and could cause major problems if done on a filesystem that is currently mounted.

In a real-world scenario, you would not be doing this on the mounted filesystem for a running system.

I should add that "major problems" could include anything up to and including a system crash with permanent loss of data.

normanlinux 11-23-2015 03:10 AM

Quote:

Originally Posted by D-kikin (Post 5453754)
My day just seems to be getting better. I just spent 30 mins looking for the trash can/recycle bin following this with no luck. However, I was able to find /root/.local/share, but no trash.

It is probable that the files were deleted as a normal user. Each user will have a .local/share/trash in their home directory.

TobiSGD 11-23-2015 04:01 AM

Quote:

Originally Posted by Billy W (Post 5453804)
BTW, the usual steps to ensure recovery of files is to stop writing to the disk immediately. Rebooting the system with a livecd or liveUSB and then run testdisk/photorec from the livecd/liveUSB and writing the recovered files to another partition or drive.

Slitaz actually is a live system running in RAM.

rknichols 11-23-2015 07:21 AM

Quote:

Originally Posted by TobiSGD (Post 5453903)
Slitaz actually is a live system running in RAM.

Then it's likely that the root filesystem is not ext2/3/4 and debugfs won't work on it. IMO, this exercise is so far removed from what would/could/should be done on a real system that it's pretty much pointless.

John VV 11-23-2015 10:50 AM

Quote:

It is probable that the files were deleted as a normal user. Each user will have a .local/share/trash in their home directory

only if the user used the "move to trash" on the r-click menu

if DELETE on the r-click menu is used it is NOT moved to the trash can

nor is it moved if the "rm" command is used or my preferred "srm" is used

recovery after srm would be "fun"

but recovery might be made easier or harder depending on the file system used

and recovery of a deleted folder is why I keep a "SystemRescueCD" around and a Knoppix cd


All times are GMT -5.