blog posts

TestDisk is a powerful, free, and open-source data recovery tool. While primarily designed to recover lost partitions and make non-bootable disks bootable again, it also has a robust feature for undeleting files from various Linux filesystems, including:

• ext2
• ext3
• ext4
• FAT12/16/32
• exFAT
• NTFS

Key things to understand about file recovery:

• Data Persists After Deletion: When you delete a file, the actual data often remains on the disk. The system removes the pointers that tell it where the file’s data is located.
• Overwriting is the Enemy: The crucial factor in successful recovery is whether new data has overwritten the disk space occupied by the deleted file. The more you use the system after deletion, the higher the chance of overwriting.
• Act Fast: As soon as you realize you’ve deleted important files, stop using the affected partition to minimize the risk of overwriting.
• Recover to a Different Location: Always try to recover files to a different partition or an external drive. Returning recovered data to the same partition can overwrite other potentially recoverable files.

Step-by-Step Guide to Recovering Linux Files with TestDisk

Here’s a detailed, step-by-step process for recovering your lost Linux files using TestDisk:

Step 1: Installation

First, you need to ensure TestDisk is installed on your Linux system. Open your terminal and use the appropriate package manager for your distribution:

• Debian/Ubuntu:
  Bash

  sudo apt update
  sudo apt install testdisk
  

• Fedora/CentOS/RHEL:
  Bash

  sudo dnf install testdisk
  # or
  sudo yum install testdisk
  

• Arch Linux:
  Bash

  sudo pacman -S testdisk
  

Step 2: Launching TestDisk and Creating a Log File

1. Open your terminal.
2. Run TestDisk with root privileges (necessary for disk access):
   Bash

   sudo testdisk
   

3. The first screen will ask you to create a log file. It’s highly recommended that you do this, as it can help you track the recovery process.
   • Use the arrow keys to select “Create” and press Enter.

Step 3: Selecting the Disk

1. TestDisk will display a list of your system’s hard drives and partitions.
2. Carefully identify the drive that contained the deleted files. The disk size can help you determine the correct one.
3. Use the up and down arrow keys to highlight the correct disk and press Enter to “Proceed“.

Step 4: Selecting the Partition Table Type

1. TestDisk will try to detect the partition table type automatically. In most cases, the highlighted suggestion is correct. Common types include:
   • Intel: For standard PC partitions (MBR).
   • EFI GPT: For newer systems using UEFI.
2. It’s usually safe to accept the default highlighted option and press Enter if unsure.

Step 5: Accessing Advanced Options and Undeleting Files

1. You will now see the TestDisk main menu. Use the arrow keys to navigate to “Advanced” and press Enter.
2. TestDisk will list the partitions on the selected disk. Highlight the partition where your deleted files were located and press Enter.
3. In the partition’s advanced menu, navigate to “Undelete” and press Enter.

Step 6: Browsing and Selecting Deleted Files

1. TestDisk will now scan the selected partition for deleted files and directories. Deleted entries are usually marked with a red color (this might vary depending on your terminal theme).
2. Use the arrow keys to navigate through the list of files and directories.
3. If you find the file(s) you want to recover, highlight them.
4. To select a file for recovery, press the colon key “:“. An asterisk “*” will appear next to the specified file. You can select multiple files.
5. To select all files in the current directory, press the “a” key.
6. To unselect all files, press the “A” key.

Step 7: Copying the Selected Files

1. Once you have selected the files you want to recover, press the “c” key (lowercase ‘c’) to copy them.
2. TestDisk will prompt you to choose a destination directory to save the recovered files in. It is crucial to select a directory on a different partition or an external drive.
3. Use the arrow keys to navigate through the directory structure. If needed, you can also create a new directory (check the on-screen instructions for creating directories, usually by pressing “m“).
4. Once you are in the desired destination directory, press “C” (uppercase ‘C’) to copy the selected files to that location.

Step 8: Completion and Quitting

1. TestDisk will display a “Copy done!” message if the recovery was successful.
2. Press “q” (lowercase ‘q’) to return to the previous menus until you reach the main TestDisk menu.
3. From the main menu, select “Quit” and press Enter to exit TestDisk.

Step 9: Verifying Recovered Files

1. Navigate to the destination directory you selected in Step 7 using your file manager.
2. Check if the recovered files are there and if they are intact.

Important Considerations and Tips for Successful Recovery

• Mounting: Ensure the partition containing the deleted files is mounted read-only, if possible, to prevent further writes. However, TestDisk usually handles this by performing read-only operations during the scan.
• File Fragmentation: If the deleted file was heavily fragmented, TestDisk might recover parts, but it is not fully functional.
• Time Since Deletion: The longer it has been since the deletion, and the more the system has been used, the lower the chances of a successful recovery.
• Specific File Systems: While the general process is similar, the effectiveness of undelete can vary slightly between different filesystems.
• PhotoRec: If TestDisk cannot recover your files with their original names and directory structure, consider using PhotoRec, a companion tool by the same developers. PhotoRec is designed to carve out files based on their file signatures and can often recover files even when the filesystem metadata is heavily damaged. However, PhotoRec typically doesn’t recover original filenames or directory structures. You can usually install PhotoRec using the same package as TestDisk.
• Log File Review: If you encounter issues, review the log file created by TestDisk. It might contain valuable information about the process and any errors.
• Patience: Scanning large partitions can take a significant amount of time. Be patient and let TestDisk complete the process.
• No Guarantees: Data recovery is not always successful. There’s always a chance that the deleted files have been overwritten or the filesystem metadata is too damaged.

Advanced TestDisk Features for File Recovery

While the “Undelete” option is the primary method for file recovery, TestDisk offers other features that can indirectly help in some scenarios:

• List Files: In the “Advanced” menu for a partition, the “List” option (usually by pressing “p“) allows you to browse the current and deleted files. This can help you confirm if the files are still on the disk before attempting to undelete. Deleted files will often be marked differently.
• Recover Partition: If the files were lost due to a deleted or corrupted partition, recovering the partition itself might restore access to the files. However, this is a more complex operation and should be done cautiously.

Conclusion

Recovering deleted files in Linux using TestDisk is a powerful capability. By following these steps carefully and understanding the underlying principles of data recovery, you significantly increase your chances of retrieving lost data.