Restore a Deleted File in Linux

This guide shows how to restore a deleted file in Linux using foremost.

Foremost is not available in any of the CentOS/RHEL repositories, so we’ll need to install it using RPM.

For CentOS 7, use the following command:

yum install https://forensics.cert.org/centos/cert/7/x86_64//foremost-1.5.7-13.1.el7.x86_64.rpm -y

For CentOS 6, use the following command:

yum install https://forensics.cert.org/centos/cert/6/x86_64//foremost-1.5.7-13.1.el6.x86_64.rpm -y

Once foremost is installed, let’s delete a file and recover it.

First, record the details of midnight.jpg, the file we will delete and recover:

file midnight.jpg
md5sum midnight.jpg

Now delete the file:

rm -f midnight.jpg

Restore a Deleted File

mkdir /root/recover
foremost -i /dev/sda1 -t jpg -o /root/recover/

Here, -i specifies the disk to scan and -t defines the type of file we want to restore.
This command will find any .jpg files in /dev/sda1 and restore them into the /root/recover/ directory, as long as the space they are using on disk has not yet been overwritten by anything else.
Now go to the /root/recover/jpg folder and run md5sum 17602156.jpg; you will find that the MD5 hash of this file is exactly the same as that of midnight.jpg.
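
Recovered files come back with numeric names such as 17602156.jpg rather than the original name, so a scan of a whole partition can leave many candidates to check by hand. The script below is an added example, not part of the original page or of foremost: find_recovered is a hypothetical helper that hashes every file under the output directory and prints the ones matching the MD5 recorded before deletion.

```shell
#!/bin/sh
# Added example: find_recovered is a hypothetical helper, not part of foremost.
# Usage: find_recovered OUTPUT_DIR ORIGINAL_MD5
# Prints every file under OUTPUT_DIR whose MD5 equals ORIGINAL_MD5.
# Returns 0 on a match, 1 if nothing matched, 2 on bad arguments.
find_recovered() {
    fr_dir=$1
    # Accept upper- or lower-case hex; md5sum prints lower-case.
    fr_want=$(printf '%s' "$2" | tr 'A-F' 'a-f')

    if [ ! -d "$fr_dir" ]; then
        echo "find_recovered: not a directory: $fr_dir" >&2
        return 2
    fi
    case $fr_want in
        ''|*[!0-9a-f]*) fr_ok=no ;;
        *) fr_ok=yes ;;
    esac
    if [ "$fr_ok" = no ] || [ "${#fr_want}" -ne 32 ]; then
        echo "find_recovered: expected a 32-digit hex MD5" >&2
        return 2
    fi

    # md5sum prints "<hash>  <path>" for each file; other files in the
    # output directory are hashed too and simply do not match.
    # The "" concatenation forces a string comparison in awk, so an
    # all-digit hash is never compared as a number.
    find "$fr_dir" -type f -exec md5sum {} + |
        awk -v want="$fr_want" '
            ($1 "") == (want "") { sub(/^[^ ]+ [ *]/, ""); print; hits++ }
            END { if (hits) exit 0; exit 1 }'
}

# When run as a script:
#   sh find_recovered.sh /root/recover <md5 noted before deletion>
if [ "$#" -eq 2 ]; then
    find_recovered "$1" "$2"
fi
```

A match proves the recovered file is byte-for-byte identical to the original; no match means the file was not recovered intact.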