Recover Deleted Files on Linux: TestDisk Guide and Command-Line Techniques
This article explains how deleted files remain on storage until overwritten, describes the role of the file allocation table and magic numbers, and provides step‑by‑step instructions for using TestDisk, command‑line tools, and secure‑delete utilities to recover or permanently erase files on Linux systems.
File Deletion and Recovery Fundamentals
When a file is deleted, the file system does not erase the data immediately; it only marks the space as free in the file allocation structures (e.g., FAT, ext4 inode bitmap).
As long as that space is not overwritten, the original data remains on the storage medium and can be recovered.
How Recovery Tools Identify Files
Recovery programs scan the allocation tables to locate entries that are marked free but still contain data. They also search for file‑specific magic numbers at the beginning of each block (e.g., CAFEBABE for Java class files, 25504446 for PDFs) to determine file type.
If a file’s header is intact, the tool can copy the raw blocks to a new location, reconstructing the file.
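The signature scan described above, as an added example that is not code from the article or from any recovery tool. The 512-byte block size, the function names, and the sample image are assumptions constructed for illustration; the two magic numbers are the ones the article cites.

```python
BLOCK_SIZE = 512  # assumed block size for this sketch
# Magic numbers named in the article, as raw bytes.
SIGNATURES = {bytes.fromhex("CAFEBABE"): "java-class",
              bytes.fromhex("25504446"): "pdf"}  # 25504446 is ASCII "%PDF"
PDF_TRAILER = b"%%EOF"

def scan_blocks(image, block_size=BLOCK_SIZE):
    """Return (offset, type) for each block that starts with a known magic number."""
    hits = []
    for offset in range(0, len(image), block_size):
        kind = SIGNATURES.get(image[offset:offset + 4])
        if kind:
            hits.append((offset, kind))
    return hits

def carve_pdf(image, start, limit):
    """Copy a PDF from its header to the last %%EOF before `limit`.

    Assumes contiguous blocks. Returns None when the trailer is gone,
    i.e. the header survived but later blocks were overwritten.
    """
    window = image[start:limit]
    end = window.rfind(PDF_TRAILER)
    return None if end == -1 else window[:end + len(PDF_TRAILER)]

def build_sample_image():
    """Constructed image: empty block, 2-block PDF, Java class header block."""
    pdf = b"%PDF-1.4\n" + b"x" * 600 + b"\n%%EOF\n"
    java = bytes.fromhex("CAFEBABE") + b"\x00\x00\x00\x34"
    return (b"\x00" * BLOCK_SIZE + pdf.ljust(2 * BLOCK_SIZE, b"\x00")
            + java.ljust(BLOCK_SIZE, b"\x00"))

def recover_pdfs(image):
    """Carve every PDF hit, bounding each by the next signature hit or image end."""
    hits = scan_blocks(image)
    bounds = [off for off, _ in hits[1:]] + [len(image)]
    return {off: carve_pdf(image, off, lim)
            for (off, kind), lim in zip(hits, bounds) if kind == "pdf"}

if __name__ == "__main__":
    img = build_sample_image()
    print(scan_blocks(img))
    for off, data in recover_pdfs(img).items():
        print(off, "unrecoverable" if data is None else f"{len(data)} bytes")
```

A header match alone only identifies the file type; the carve succeeds only while the blocks after the header have not been reused.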
Device Naming on Linux
All block devices appear under /dev/. The naming convention encodes the device type and order: sda is the first SCSI/SATA disk, sda2 the second partition of that disk, hda a PATA (IDE) disk, sdb a second disk (often a USB stick), etc.
Recovering Files with TestDisk
Install TestDisk:
sudo apt-get install testdisk
Run TestDisk with root privileges:
sudo testdisk
Select a log option ("None" is fine for a one‑off recovery).
Choose the target storage device (e.g., /dev/sda).
Select the correct partition table type (Intel/MBR, EFI/GPT, etc.).
Navigate to Advanced → List to view files; deleted files appear in red.
Highlight a deleted file and press c to copy it to a directory on another partition.
After copying, adjust ownership and permissions if the recovered directory is owned by root.
Supported Partition Table Types
Intel – MBR, common on Windows and many Linux installations.
EFI GPT – Preferred for modern Linux systems.
Humax – Used by Korean Humax devices.
Mac – Apple Partition Map (APM).
None – Devices without a partition table (e.g., some game consoles).
Sun – SunOS partitioning.
Xbox – Xbox‑specific partition map.
Special Cases
ReiserFS Recovery
Back up the entire partition before attempting recovery. Then run:
reiserfsck --rebuild-tree --scan-whole-partition /dev/DEVICE
Recovered files are placed in lost+found or their original locations.
Recovering an Open File
If a deleted file is still open by a process, its contents can still be saved from /proc.
Identify the process and file descriptor, for example:
lsof -c smplayer | grep mp3
Copy the file from the descriptor path to a safe location:
cp /proc/10037/fd/169 ~/Music/music.mp3
Secure Deletion (Making Files Irrecoverable)
To ensure that deleted data cannot be recovered, overwrite the storage with random data using the secure-delete suite.
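sudo apt-get install secure-delete
srm -f ./secret_file.txt – securely delete a file.
sfill -f /mount/point/of/partition – wipe free space on a partition.
sswap -f /dev/SWAP_DEVICE – erase the swap area.
In the secure-delete tools, -f selects the fast mode, which skips /dev/urandom and synchronized writes; omit it for the most thorough pass.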
Secure erasure may take several hours depending on disk size, but it guarantees that the data cannot be recovered.
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc.
