How to recover a removed file under Linux?

The following are generic steps to recover text files.

1. First use wall command to tell user that system is going down in a single user mode:

   # wall
   System is going down to .... please save your work.
   

   Press CTRL+D to send message.

2. Next use init 1 command to take system to a single user mode:

   # init 1
   

3. Using grep (traditional UNIX way) to recover files

   Use following grep syntax:

   grep -b 'search-text' /dev/partition > file.txt
   

   OR

   grep -a -B[size before] -A[size after] 'text' /dev/[your_partition] > file.txt
   

   Where,

   -i : Ignore case distinctions in both the PATTERN and the input files i.e. match both uppercase and lowercase character.
   -a : Process a binary file as if it were text
   -B Print number lines/size of leading context before matching lines.
   -A: Print number lines/size of trailing context after matching lines.
   

   To recover text file starting with "nixCraft" word on /dev/sda1 you can try following command:

   # grep -i -a -B10 -A100 'nixCraft' /dev/sda1 > file.txt
   

4. Next use vi to see file.txt.

   This method is ONLY useful if deleted file is text file. If you are using ext2 file system, try out recover command.

Found at http://www.cyberciti.biz/tips/linuxunix-recover-deleted-files.html

• If it's very-very important, take the disk from the computer and hire a company to do it for you.
• If it is only very important, mount the disk read-only, copy the whole partition to a file using dd and try to find the file within it (using grep, or an editor).

Edit: sometimes ddrescue works better than dd.

If your filesystem is ext3, use ext3grep.