We will learn how to restore a deleted file in Linux.
Foremost is not available in any of the CentOS/RHEL repositories, so we’ll need to install it using RPM.
For CentOS 7, use the following command:
    yum install https://forensics.cert.org/centos/cert/7/x86_64//foremost-1.5.7-13.1.el7.x86_64.rpm -y
For CentOS 6, use the following command:
    yum install https://forensics.cert.org/centos/cert/6/x86_64//foremost-1.5.7-13.1.el6.x86_64.rpm -y
Once foremost is installed, let's delete a file and recover it.
Get the details of the file midnight.jpg, which we will delete and recover:
    file midnight.jpg
    md5sum midnight.jpg
Now delete the file:
    rm -f midnight.jpg
Restore a Deleted File
    mkdir /root/recover
    foremost -i /dev/sda1 -t jpg -o /root/recover/
Here -i specifies the disk to scan and -t defines the type of file we want to restore.
This command will find any .jpg files in /dev/sda1 and restore them into the /root/recover/ directory, as long as the space they are using on disk has not yet been overwritten by anything else.
Now go to the /root/recover/jpg folder and run md5sum 17602156.jpg; you will find that the MD5 hash of this file is exactly the same as that of midnight.jpg.
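
Foremost gives recovered files numeric names such as 17602156.jpg, so when many files are carved, the hash recorded before deletion is what identifies the right one. The script below is an added example, not part of the original tutorial; the function name match_recovered is hypothetical. It prints every file under a directory whose MD5 matches the given hash.

```shell
#!/bin/sh
# Added example: find the carved copy of a deleted file by its MD5 hash.
# Partially overwritten files are often carved as truncated copies; those
# will not match the hash and are skipped.

# match_recovered HASH DIR   (hypothetical helper name)
# Prints the path of every regular file under DIR whose MD5 equals HASH.
# Returns 0 if at least one file matched, 1 if none did, 2 on bad input.
match_recovered() {
    # Accept upper- or lower-case hex, as different tools print either.
    want=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    dir=$2

    case $want in
        ''|*[!0-9a-f]*)
            echo "not an MD5 hash: $1" >&2
            return 2 ;;
    esac
    if [ "${#want}" -ne 32 ]; then
        echo "MD5 hash must be 32 hex digits: $1" >&2
        return 2
    fi
    if [ ! -d "$dir" ]; then
        echo "no such directory: $dir" >&2
        return 2
    fi

    # md5sum prints "<32 hex digits><2 separator chars><path>", so the path
    # starts at column 35. Appending "" forces awk to compare as strings.
    hits=$(find "$dir" -type f -exec md5sum {} + |
        awk -v h="$want" '($1 "") == (h "") { print substr($0, 35) }')

    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}

# When run as a script: sh match_recovered.sh <md5-before-deletion> <dir>
if [ "$#" -eq 2 ]; then
    match_recovered "$1" "$2"
fi
```

For the walkthrough above, the arguments would be the md5sum value recorded for midnight.jpg before deletion and /root/recover/jpg.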