Howto:Recover and Undelete files in Ubuntu the easy way!

Ok I accidentally deleted my /etc/network/interfaces file and didnt have my access point connected to a pc, its just wireless now, so what I did to recover the file was this, please note if you delete the file shutdown your pc immediately or unmount your drive as fast as possible to avoid overwriting the deleted data. This method can be used to find unencrypted passwords and interesting information as well. This works best from a livecd/unmounted filesystem:
grep --binary-files=text -300 "Unique String in Text file" /dev/hda1 > output.txt
The -300 option tells grep to report the 300 lines before the string you choose
Basically this will take quite a while depending on the size of your hard drive and may output a ton of irrelevent information to the output.txt file, you may want to edit the -300 line variable and do man grep to see further usage options.

This method worked for me only because I shutdown my pc immediately and booted into my Hardy Livecd and the file was still available, I just copied/pasted the relevant output to my interfaces file.

[update]
Alternatively you can use the strings command to dump all the text on a partition then grep the strings output for the relevent output, Here is an example:

strings /dev/hda1 > bigtxtfile
grep -i "information" bigtxtfile >grepoutputfile

[update 2]
I ran into another program that is utterly Amazing, actually quite scary, I was able to recover photo's deleted from months ago, even after reading/writing the drive. So now I will need to find a tool to wipe what was deleted lol.. Here is some info..

Foremost is a console program to recover files based on their headers, footers, and internal data structures. This process is commonly referred to as data carving. Foremost can work on image files, such as those generated by dd, Safeback, Encase, etc, or directly on a drive. The headers and footers can be specified by a configuration file or you can use command line switches to specify built-in file types. These built-in types look at the data structures of a given file format allowing for a more reliable and faster recovery.

Originally developed by the United States Air Force Office of Special Investigations and The Center for Information Systems Security Studies and Research , foremost has been opened to the general public

source code http://foremost.sourceforge.net/
Grab foremost:
sudo apt-get install foremost
Have Foremost audit your drive for recoverable files:
sudo foremost -w -i /dev/hda -o /recovery/foremost

Have foremost recover jpg files:
sudo foremost -t jpg -i /dev/hda -o /recovery/foremost
Here is the complete list of recoverable filetypes for usage with the "-t type" switch:
Available types:

jpg Support for the JFIF and Exif formats including implementations
gif
png
bmp Support for windows bmp format.
avi
exe Support for Windows PE binaries, will extract DLL and EXE files
along with their compile times.
mpg Support for most MPEG files (must begin with 0x000001BA)
wav
riff This will extract AVI and RIFF since they use the same file for‐
mat (RIFF). note faster than running each separately.
wmv Note may also extract -wma files as they have similar format. mov
pdf
ole This will grab any file using the OLE file structure. This includes PowerPoint, Word, Excel, Access, and StarWriter
doc Note it is more efficient to run OLE as you get more bang for your buck. If you wish to ignore all other ole files then use this.
zip Note is will extract .jar files as well because they use a simi‐
lar format. Open Office docs are just zip’d XML files so they are extracted as well. These include SXW, SXC, SXI, and SX? for undetermined OpenOffice files.
rar
htm
cpp C source code detection, note this is primitive and may generate documents other than C code.
all Run all pre-defined extraction methods. [Default if no -t is specified]


If you have additional suggestions or methods to restore files please comment and share your knowledge

Clicky Web Analytics