You are not logged in.

#1 2020-08-29 07:43:08

maboleth
Member
Registered: 2020-01-03
Posts: 220

Help me recover deleted file with RM command

I have deleted the entire directory using rm -R, totally forgetting that in it there was a .po translate file I've been working on for days. sad

I tried with photorec, searching for .txt files but to no avail. I recovered ~800k of txt files but searching through it didn't provide any results.

Is it recoverable at all, if so, what to use? It's on my main, linux filesystem, using ext4.

Last edited by maboleth (2020-08-29 07:46:32)

Offline

#2 2020-08-29 07:58:18

frostschutz
Member
Registered: 2013-11-15
Posts: 1,471

Re: Help me recover deleted file with RM command

if it's SSD, disable fstrim first things first, or it'll be gone. if you mount with discard mount flag, it's already gone.

systemctl stop fstrim.timer
systemctl stop fstrim.service
chmod -x /usr/bin/fstrim

If it's a plain text file you can search it like this:

strings -w /dev/disk | grep -C 1000 -F 'unique string' | tee /dev/shm/output.txt

unique string is anything you remember that was in the text file guaranteed. for code you'd use a distinct function name.

if the file had more than 1000 lines, use a larger number for -C

PS:

strings might not work for UTF-8 ... so if your file has äöüß or similar non-ascii characters, it won't work quite this way

in that case you can use 'strings -t d /dev/disk | grep UNIQUE_ASCII' for any ascii in your file and get the data offset

Last edited by frostschutz (2020-08-29 08:04:49)

Online

#3 2020-08-29 08:05:22

Anchorman
Member
Registered: 2020-07-26
Posts: 49
Website

Re: Help me recover deleted file with RM command

https://wiki.archlinux.org/index.php/File_recovery

Extundelete or ext4magic might help. I think a key point to do first is to make an image of the partition.

Offline

#4 2020-08-29 08:21:27

Anchorman
Member
Registered: 2020-07-26
Posts: 49
Website

Re: Help me recover deleted file with RM command

Oh i didn't know that strings trick, pretty cool!

Offline

#5 2020-08-29 08:35:19

maboleth
Member
Registered: 2020-01-03
Posts: 220

Re: Help me recover deleted file with RM command

frostschutz wrote:

if it's SSD, disable fstrim first things first, or it'll be gone. if you mount with discard mount flag, it's already gone.

systemctl stop fstrim.timer
systemctl stop fstrim.service
chmod -x /usr/bin/fstrim

If it's a plain text file you can search it like this:

strings -w /dev/disk | grep -C 1000 -F 'unique string' | tee /dev/shm/output.txt

unique string is anything you remember that was in the text file guaranteed. for code you'd use a distinct function name.

if the file had more than 1000 lines, use a larger number for -C

PS:

strings might not work for UTF-8 ... so if your file has äöüß or similar non-ascii characters, it won't work quite this way

in that case you can use 'strings -t d /dev/disk | grep UNIQUE_ASCII' for any ascii in your file and get the data offset

@frostschutz

Strings trick sounds so good. smile

So, yes the file uses UTF-8 Cyrillic characters (also English ones too).

So my question is - can i use your first suggestion if I search for English phrase? Or it doesn't matter because the whole file is UTF-8?

Also if I got the 2nd command right it's

strings -t d /dev/disk | grep PHRASE_IN_CYRILLIC

Is it right?

Offline

#6 2020-08-29 09:37:17

frostschutz
Member
Registered: 2013-11-15
Posts: 1,471

Re: Help me recover deleted file with RM command

no, you'd have to search for an ascii/english string in the 2nd example, then feed the offset to dd to get the whole thing.

strings won't work for umlauts or cyrillic I'm afraid. Not sure if there is an alternative to strings that would spit out valid UTF-8... strings has encoding option but it's weird

could use grep directly but it tends to run into out-of-memory conditions (trying to read gigabytes of zeroes as a single "line")

good luck

Online

#7 2020-08-29 09:58:14

frostschutz
Member
Registered: 2013-11-15
Posts: 1,471

Re: Help me recover deleted file with RM command

uconv might work as a strings replacement for utf-8 text

# losetup --find --show --read-only --offset=1M /dev/SSD/home
/dev/loop0
# pv < /dev/loop0 | uconv -i -c -f utf8 -t utf8 | grep -a -C 1000 -F 'A組とB組' | tee /dev/shm/output.txt

Online

#8 2020-08-29 12:47:16

maboleth
Member
Registered: 2020-01-03
Posts: 220

Re: Help me recover deleted file with RM command

frostschutz wrote:

uconv might work as a strings replacement for utf-8 text

# losetup --find --show --read-only --offset=1M /dev/SSD/home
/dev/loop0
# pv < /dev/loop0 | uconv -i -c -f utf8 -t utf8 | grep -a -C 1000 -F 'A組とB組' | tee /dev/shm/output.txt

I typed this:

losetup --find --show --read-only --offset=1M /dev/nvme0n1p3/home /dev/loop0 pv < /dev/loop0 | uconv -i -c -f utf8 -t utf8 | grep -a -C 1000 -F 'даркрум' | tee /dev/shm/output.txt

And I get  losetup: unexpected arguments

Please correct me if I typed/pasted something wrong, as I'm totally unfamiliar with this. Thanks!

Last edited by maboleth (2020-08-29 12:49:56)

Offline

#9 2020-08-29 13:19:41

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 30,330
Website

Re: Help me recover deleted file with RM command

If you are going the grep route, you could just loop through the device using `dd` to extract byte ranges from the device in a loop, then feeding that to grep.  When one matches, you can print out that offset, then use dd again to retrieve content around that offset.  Some pseudocode:

# NOT REAL CODE
for offset in $(seq 0 $DiskSizeInKB); do
  dd if=/dev/disk-device of=/dev/stdout skip=$((offset * 1024) count=1024 | grep -aq 'unique string' && echo $offset
done
# any offsets that are printed are candidates from which to grab surrounding content with dd
# 2048 and 4096 are just arbitrary sizes, adjust to be confident to include the size of the original file
dd if/dev/disk-device of=/dev/shm/out skip=$((ListedOffset * 1024 - 2048)) count=4096

"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman

Offline

#10 2020-08-29 14:37:55

frostschutz
Member
Registered: 2013-11-15
Posts: 1,471

Re: Help me recover deleted file with RM command

Getting more complicated :-)

It should be as simple as 'grep -a -b -o -F 'UNIQUESTRING' /dev/disk'

as a simple alternative to photorec where it's unclear which files it finds and can't specify a string to search for.

Originally grep prints the offset and everything, so no need for anything else. I only started using 'strings | grep' since 'grep' by itself tends to run out of memory when running it on large block devices. It tries to fit an entire line into memory, but binary data might not have a newline character for a few gigabytes...

(((maybe one of the grep options makes grep handle binary data efficiently without suppressing the output of the search string byte offset ... last time I tried, I just couldn't get it to work)))

If you slice it yourself with dd, you have to use overlap as well, otherwise one block might end with UNIQUE and the next block might start with STRING and the grep UNIQUESTRING comes empty since it's divided between blocks.

So you could do that (also with losetup offset sizelimit instead of dd) and grep like 1G at a time (if you have more than 1G of RAM)

@maboleth: I don't understand why you wrote it all in one line? It's one command per line, # being the root shell prompt in this case.

Last edited by frostschutz (2020-08-29 14:43:37)

Online

#11 2020-08-30 00:01:51

maboleth
Member
Registered: 2020-01-03
Posts: 220

Re: Help me recover deleted file with RM command

I will try this tomorrow.

I wrote it in one line because when I write

losetup --find --show --read-only --offset=1M /dev/nvme0n1p3/home 

I get losetup: cannot find an unused loop device error.

Adding /dev/loop0 to the line I get error losetup: unexpected arguments

Last edited by maboleth (2020-08-30 00:10:13)

Offline

Board footer

Powered by FluxBB