How to recover lost files

I am assuming you do not use any disk encryption here, that would require another procedure to follow.

I use Ubuntu as OS.

First of all, if you lost an important file, stop using the file system the file was on NOW. The data you lost might still be on the disk, but the longer you use the file system, the higher the chances are that the data gets destroyed. So unmount that file system or switch the system off now.

I will show how data can be recovered that was on a 2GB USB stick, but in principle that works for HDs as well. It just takes much longer, and you need much more disk space for recovery.

First thing I do is that I create a disk image of the disk. That way I do not accidentally destroy any data that might still be there.

I have stored files on this stick and then reformatted the stick:



Now the file system does not know anything about the files anymore. However the data has not been overwritten and is still on the stick.

Lets try to recover them. I need to recover them the hard way, a simple undelete will not work.

I dump all data from the USB stick /dev/sdi to a file. This Step is essential. I am now working on a copy of the data and am not in danger to destroy the original data.

dd if=/dev/sdi of=USBimage.raw

OK, the data is in a secure place now.

No I try to recover the file. I use the carving tool foremost. Foremost scans the disk for known start and end markers of several file types.

I will now use foremost to reconstruct the file

foremost -i USBimage.raw -o foremostout

And like a miracle the file was reconstructed in foremostout/jpg/00007750.jpg

This works quite well for all files with a clear start and end marker. Look into the foremost man pages for more info.

A bit more effort is needed to restore a simple txt file. Here we have no clear start and end markers.

My favorite way is to extract the strings from the diskimage and then restore the files manually.

strings USBimage.raw > strings.txt

I open strings.txt with vi and find the text I was looking for “This text is very important to me.”

Good luck with recovering your data!

Leave a Reply