There wasn't anything unusual about getting a call at 7pm on a Friday; when one works at home, one is always accessible. What was unusual was the tone of voice on the other end; the stress level was unmistakable. One of my coworkers was on the other end of the line explaining how an errant space in a script had, ahem, removed the entire home directory tree of one of our development machines.

Once I had explained that Linux doesn't have a true undelete utility, we started to recover files from our backup tapes. By Monday morning, most everything was back as it should have been.

In the stress of the moment, I had forgotten something. It is possible to recover deleted files from Linux systems, but it needs to be done soon after the files were nuked. Just like in Windows, if you wait too long, there's a chance the contents of the files will be overwritten.

I had learned about this feature while working with the Midnight Commander file manager in 1998. The delete keystroke will either delete the file under the cursor, or all of the selected files if any are selected. I wanted to delete the file under the cursor but had forgotten that all of the files in my documents directory were selected - you can guess what happened. It certainly wasn't the file manager's fault; I acknowledged the request before thinking about the fact that multiple files were selected.

I certainly thought about it afterwards! *smile*

Steven Hirsch, a good friend and Linux mentor, was kind enough to explain how to use a (then specially-compiled version of) Midnight Commander to recover the files. It was more than a bit ironic that the tool that had erased my files with the blinding speed one finds in Linux was my best hope for getting them back.

While I'm sincerely hoping that you never see hundreds of needed files evaporating at high speed, I'd like you to be ready when that day comes. You'll probably want to do this as root; we'll be mounting and unmounting partitions and working with raw drive partitions. This may be especially necessary if, like in the following example, you'll be unmounting a partition like /home.

That's it! You've recovered a file from a Linux partition.

There are a few more important notes about this process. First, this particular undelete trick only works for ext2 partitions. Second, if the files were deleted on a system running a 2.0.x kernel, the undelete process is limited to recovering the first 12288 bytes of the file. There was a bug in the deletion process that didn't keep the entire file as a single unit when it was deleted. While it has not been fixed in the 2.0.x kernels, I do know it has been fixed in 2.2.x kernels.

The credit for this feature goes to Ted Ts'o and the other authors of the ext2 filesystem, and to Miguel de Icaza and the other MC authors.

Many thanks also to Bob DeRosa for graciously allowing me to republish this in LinuxMonth. Baiju and I wish our best to Bob and his wife who just had their second child.

William is an Open-Source developer, enthusiast, and advocate from Vermont, USA.