Recovering Deleted Files & Partitions in Linux

CloudNetOps

CloudNetOps

β€” 3 min read
Recovering Deleted Files & Partitions in Linux
Photo by TC Photography / Unsplash

πŸ“Œ

Accidentally deleting critical files or entire partitions can be a nightmare, especially in enterprise production environments. Fortunately, Linux provides several recovery tools and techniques to restore lost data, whether from ext4, XFS, Btrfs, or LVM-based storage.

πŸ’‘ But don’t panic! In most cases, deleted files and partitions can be recovered if you act quickly.

πŸ“Œ In this guide, you will learn:
βœ… How Linux handles file deletions and why data is often recoverable
βœ… Step-by-step recovery methods for deleted files from ext4, XFS, and Btrfs
βœ… How to recover lost partitions using testdisk and parted
βœ… Enterprise case studies on real-world data recovery
βœ… Best practices to prevent data loss in production environments

πŸ”œ Next in the series: Preventing Data Loss with Snapshot & Backup Strategies

πŸ” 1. Understanding Linux File Deletion & Recovery

πŸ“Œ How File Deletion Works in Linux

Filesystem What Happens When You Delete a File? Can It Be Recovered?
ext4 The file's inode is unlinked, but data remains on disk βœ… Yes, with extundelete
XFS The file's metadata is instantly wiped ❌ Harder to recover
Btrfs Data is preserved in copy-on-write (CoW) mode βœ… Yes, via snapshots
LVM Deleted files can be restored from LVM snapshots βœ… If a snapshot exists

πŸ’‘ Key takeaway: Files are not immediately erased from diskβ€”if you stop writing new data, recovery is possible.

πŸ” 2. Recovering Deleted Files from Different Filesystems

πŸ’‘ Below are step-by-step recovery methods based on the filesystem type.

πŸ› οΈ Fix 1: Recovering Deleted Files from ext4 with extundelete

If your files were deleted from an ext4 filesystem, extundelete can recover them.

1️⃣ Install extundelete:

sudo apt install extundelete  # Ubuntu/Debian
sudo yum install extundelete  # CentOS/RHEL

2️⃣ Unmount the affected partition (to avoid overwriting data):

umount /dev/sda1

3️⃣ Recover deleted files:

extundelete /dev/sda1 --restore-all

πŸ“Œ Expected Outcome: Recovered files will be placed in ./RECOVERED_FILES/.

πŸ› οΈ Fix 2: Recovering Deleted Files from XFS with xfs_undelete

Since XFS instantly wipes metadata, recovering files is difficult, but XFS log replay can help.

1️⃣ Check the filesystem logs for deleted files:

xfs_logprint -C /dev/sda1

2️⃣ Recover files from the transaction log:

xfs_undelete -l /dev/sda1 -o /recovery/

πŸ“Œ Expected Outcome: Some lost files may be restored.

πŸ› οΈ Fix 3: Recovering Deleted Files from Btrfs with Snapshots

If Btrfs snapshots were enabled before deletion, you can restore files easily.

1️⃣ List available snapshots:

btrfs subvolume list /

2️⃣ Restore a previous snapshot:

btrfs restore -v -t /mnt/snapshot /dev/sda1

πŸ“Œ Expected Outcome: The deleted files will be restored from the snapshot.

πŸ” 3. Recovering Lost Linux Partitions

If an entire partition was deleted, you can restore it using testdisk.

πŸ› οΈ Fix 4: Recovering Deleted Partitions with testdisk

1️⃣ Install testdisk:

sudo apt install testdisk  # Ubuntu/Debian
sudo yum install testdisk  # CentOS/RHEL

2️⃣ Run testdisk and scan the disk:

sudo testdisk

3️⃣ Choose "Analyze" β†’ "Quick Search"
4️⃣ Select the missing partition and restore it
5️⃣ Write changes and reboot:

reboot

πŸ“Œ Expected Outcome: The lost partition will be restored.

πŸ› οΈ Fix 5: Recovering Data from a Damaged Partition Table

If the partition table is corrupted:

1️⃣ Backup the current partition table:

sfdisk -d /dev/sda > partition_backup.txt

2️⃣ Rebuild the partition table:

sfdisk /dev/sda < partition_backup.txt

πŸ“Œ Expected Outcome: The partition table is restored.

πŸ” 4. Enterprise Case Study: Restoring Deleted Files from a Production Server

πŸ“Œ Scenario:
A cloud hosting provider accidentally deleted a customer’s website files while performing maintenance.

πŸ“Œ Symptoms:

  • Website data was missing
  • ls -lh /var/www/html/ showed empty directories
  • No backup was available

πŸ“Œ Investigation:

  • Engineers checked the filesystem type (ext4)
  • extundelete was installed on the system
  • No new data was written after deletion

πŸ“Œ Solution:
πŸ”Ή Used extundelete to restore missing files
πŸ”Ή Rebuilt the website database from logs
πŸ”Ή Enabled daily Btrfs snapshots for future protection

πŸ“Œ Lesson Learned:
⚠️ Always enable snapshots on production systems
⚠️ Maintain offsite backups for disaster recovery
⚠️ Implement access controls to prevent accidental deletions

πŸ” 5. Best Practices to Prevent Data Loss

πŸ“Œ To avoid data loss, follow these best practices:

βœ… Enable Btrfs or LVM snapshots for instant rollback
βœ… Schedule automatic backups with rsync or borgbackup
βœ… Use RAID to provide redundancy against disk failures
βœ… Enable undelete protections (alias rm='rm -i') for critical directories
βœ… Monitor filesystem health (fsck -n /dev/sda1) regularly

πŸ“Œ Summary

Data Loss Type Cause Solution
Deleted Files (ext4) rm command or accidental deletion Recover using extundelete
Deleted Files (XFS) Metadata wiped instantly Use xfs_undelete if available
Deleted Partitions fdisk or parted misuse Recover with testdisk
Corrupt Partition Table Disk corruption or misconfiguration Restore using sfdisk

πŸ’‘ Want to learn more? Check out the next article: "Preventing Data Loss with Snapshot & Backup Strategies" πŸš€

πŸ“Œ Next Up: Preventing Data Loss with Snapshot & Backup Strategies

πŸ”œ Continue to the next guide in this series!

πŸ“© Would you like a downloadable PDF version of this guide? Let me know! πŸš€

Read more