The rm command is used to remove files and directories in Linux, Unix, and macOS systems. The rm -rf command is used to delete files and folders recursively and forcibly. The files and directories deleted with the rm command are not put into the trash or recycle bin which makes them very hard to recover or undelete. Event recovery of files deleted with the “rm -rf” command is not easy but possible. In this tutorial we examine how to recover “rm -rf” delete files.
Where is “rm -rf” Deleted Files
Files and directories deleted with the “rm -rf” command are not moved or stored in another location like trash or recycle bin. This means they are completely deleted and not stored in the Linux file system with their information. But their data is not deleted from the hard disk drive or overwritten. Data is stored in a hard disk drive but not defined in the file system as a file or directory. We should crave the data from a hard disk drive by using tools like extundelete or ext4magic .
Recover Using extundelete
The extundelete is a very practical and popular tool to undelete ext3 and ext4 file system files. It can be used to recover files and directories deleted with the “rm -rf” command. As undelete is a low-level administrator operation we should provide the sudo . We can specify the directory we want to restore with its files and directories. The --restore-directory is used to specify a specific path to recover its content. In the following example, we restore the path /home/ismail/data . We should also provide the partition to the extundelete command as the first parameter.
$ sudo extundelete /dev/sda1 --restore-directory /home/ismail/dataAlternatively, we can restore a specific file by using the --restore-file option below. We provide the file absolute path to the –restore-file option. In the following example, we restore the file named “/home/ismail/users.txt” .
$ sudo extundelete /dev/sda1 --restore-file /home/ismail/users.txt