Unix/Linux undelete/recover deleted files
The link someone provided in the comments is likely your best chance.
Linux debugfs Hack: Undelete Files
That write-up though looking a little intimidating is actually fairly straight forward to follow. In general the steps are as follows:
Use debugfs to view a filesystems log
$ debugfs -w /dev/mapper/wks01-rootAt the debugfs prompt
debugfs: lsdelSample output
Inode Owner Mode Size Blocks Time deleted 23601299 0 120777 3 1/ 1 Tue Mar 13 16:17:30 2012 7536655 0 120777 3 1/ 1 Tue May 1 06:21:22 2012 2 deleted inodes found.Run the command in debugfs
debugfs: logdump -i <7536655>Determine files inode
... ... .... output truncated Fast_link_dest: bin Blocks: (0+1): 7235938 FS block 7536642 logged at sequence 38402086, journal block 26711 (inode block for inode 7536655): Inode: 7536655 Type: symlink Mode: 0777 Flags: 0x0 Generation: 3532221116 User: 0 Group: 0 Size: 3 File ACL: 0 Directory ACL: 0 Links: 0 Blockcount: 0 Fragment: Address: 0 Number: 0 Size: 0 ctime: 0x4f9fc732 -- Tue May 1 06:21:22 2012 atime: 0x4f9fc730 -- Tue May 1 06:21:20 2012 mtime: 0x4f9fc72f -- Tue May 1 06:21:19 2012 dtime: 0x4f9fc732 -- Tue May 1 06:21:22 2012 Fast_link_dest: bin Blocks: (0+1): 7235938 No magic number at block 28053: end of journal.With the above inode info run the following commands
# dd if=/dev/mapper/wks01-root of=recovered.file.001 bs=4096 count=1 skip=7235938 # file recovered.file.001 file: ASCII text, with very long lines
Files been recovered to recovered.file.001.
Other options
If the above isn't for you I've used tools such as photorec to recover files in the past, but it's geared for image files only. I've written about this method extensively on my blog in this article titled:
How to Recover Corrupt jpeg and mov Files from a Digital Camera's SDD Card on Fedora/CentOS/RHEL.
With a bit of chances, sometimes I can recover deleted files with this script or next solution in the answer :
#!/bin/bash
if [[ ! $1 ]]; then
echo -e "Usage:\n\n\t$0 'file name'"
exit 1
fi
f=$(ls 2>/dev/null -l /proc/*/fd/* | fgrep "$1 (deleted" | awk '{print $9}')
if [[ $f ]]; then
echo "fd $f found..."
cp -v "$f" "$1"
else
echo >&2 "No fd found..."
exit 2
fi
There's another useful trick: if you know a pattern in your deleted files, type alt+sys+resuo to reboot+remount in read-only, then with a live-cd, use grep to search in the hard-drive :
grep -a -C 500 'known pattern' /dev/sda | tee /tmp/recover
then edit /tmp/recover to keep only what were your file(s) before.
Hey, if with unix philosophy all is files, it's time to take advantage of this, no ?
What worked for me was given by arch (only applies to text files):
grep -a -C 200 -F 'Unique string in text file' /dev/sdXN
where /dev/sdXN is the partition containing the lost file (check with mount if unsure).
Takes a little while, but worked when I accidentally deleted some source code I hadn't commited yet!