Recover a deleted file

grep -a -B 25 -A 100 'some string in the file' /dev/sda1 > results.txt
grep searches through a file and prints out all the lines that match some pattern. Here, the pattern is some string that is known to be in the deleted file. The more specific this string can be, the better. The file being searched by grep (/dev/sda1) is the partition of the hard drive the deleted file used to reside in. The ?-a? flag tells grep to treat the hard drive partition, which is actually a binary file, as text. Since recovering the entire file would be nice instead of just the lines that are already known, context control is used. The flags ?-B 25 -A 100? tell grep to print out 25 lines before a match and 100 lines after a match. Be conservative with estimates on these numbers to ensure the entire file is included (when in doubt, guess bigger numbers). Excess data is easy to trim out of results, but if you find yourself with a truncated or incomplete file, you need to do this all over again. Finally, the ?> results.txt? instructs the computer to store the output of grep in a file called results.txt. Source:

By: olalonde
2010-08-19 20:07:42

These Might Interest You

  • Accidentally deleted some file while used by a program ? (Eg: a song) Use this command to find the file handle and recover using cp /proc/pid/fd/filehandle /new/recoverd-file.ext Show Sample Output

    ls -l /proc/*/fd/* | grep 'deleted'| grep "\/proc.*\file-name-part"
    totti · 2012-09-13 09:54:16 0
  • Newer versions of the flashplayer browser plugin delete the tmp flash video immediately after opening a filehandle to prevent the user from "exporting" the video by simply copying the /tmp/FlashXYZ file. This command searches such deleted flash videos and creates symbolic links to the opened filehandle with the same name as the deleted file. This allows you to play your flash-videos (from e.g. youtube) with e.g. mplayer or copy the buffered video if you want to keep it. Show Sample Output

    for h in `find /proc/*/fd -ilname "/tmp/Flash*" 2>/dev/null`; do ln -s "$h" `readlink "$h" | cut -d' ' -f1`; done
    hons · 2011-03-02 09:43:42 4
  • The above command assumes the lost data is on /dev/sda and you previously issued the following command to mount _another_ disk or partition (/dev/sdb1) on /recovery sudo mount /dev/sdb1 /recovery If you don't do this, the data could be overwrited! foremost is a very powerful carving tool. By default foremost recovers all known file types. If you want to reduce the amount of files that are recovered you can specify the file type you are looking for. Read the man page to know the available file types. i.e to recover JPEG pictures append to foremost the switch -tjpg

    sudo foremost -i /dev/sda -o /recovery
    vlan7 · 2010-08-19 22:27:41 0
  • A potential source of a full filesystem are large files left open but have been deleted. On Linux, a file may be deleted (removed/unlinked) while a process has it open. When this happens, the file is essentially invisible to other processes, but it still takes on physical space on the drive. Tools like du will not see it.

    sudo lsof -nP | awk '/deleted/ { sum+=$8 } END { print sum }'
    jeffskinnerbox · 2015-09-19 00:45:23 3

What Others Think

Nice trick, but using PhotoRec is probably easier.
Tungmar · 408 weeks and 4 days ago
I've used that technique before. See the script referenced at the bottom of
pixelbeat · 408 weeks and 2 days ago
If results.txt is located in /dev/sda1, isn't there a risk of infinite matching loop ? Like in a grep xyz . > ./result.txt for example
jim · 365 weeks and 5 days ago
@jim: writes to the affected file system should be strictly avoided during the recovery operation, so results.txt shouldn't be created on /dev/sda1 anyway.
lordtoran · 343 weeks and 6 days ago

What do you think?

Any thoughts on this command? Does it work on your machine? Can you do the same thing with only 14 characters?

You must be signed in to comment.

What's this? is the place to record those command-line gems that you return to again and again. That way others can gain from your CLI wisdom and you from theirs too. All commands can be commented on, discussed and voted up or down.

Share Your Commands

Stay in the loop…

Follow the Tweets.

Every new command is wrapped in a tweet and posted to Twitter. Following the stream is a great way of staying abreast of the latest commands. For the more discerning, there are Twitter accounts for commands that get a minimum of 3 and 10 votes - that way only the great commands get tweeted.


Subscribe to the feeds.

Use your favourite RSS aggregator to stay in touch with the latest commands. There are feeds mirroring the 3 Twitter streams as well as for virtually every other subset (users, tags, functions,…):

Subscribe to the feed for: