Step-by-Step Linux Data Recovery Tutorial

Table of Contents

1. Prerequisites: What You’ll Need
2. Step 1: Assess the Data Loss Scenario
3. Step 2: Prepare the Work Environment
4. Step 3: Recover Accidentally Deleted Files
5. Step 4: Recover Lost Partitions
6. Step 5: Recover Data from Drives with Bad Sectors
7. Step 6: Recover from File System Corruption
8. Troubleshooting Common Issues
9. Prevention: Avoid Future Data Loss
10. References

Prerequisites: What You’ll Need

Before starting, gather the following tools and resources to ensure a smooth recovery process:

Hardware:

• Affected Drive: The storage device (HDD, SSD, USB drive, or SD card) from which data is lost. Do not write to this drive!
• Secondary Storage: An external drive or USB stick with enough space to store recovered data (at least the size of the affected drive).
• Live Linux USB: A bootable USB with a Linux distribution (e.g., Ubuntu, GParted Live, or SystemRescueCD). This avoids writing to the affected drive by running the OS from external media.

Software Tools:

• TestDisk: A powerful tool to recover lost partitions and repair boot sectors.
• PhotoRec: Companion to TestDisk, designed to recover specific file types (photos, documents, videos) from damaged or formatted drives.
• ddrescue: Creates disk images of failing drives to avoid further damage during recovery.
• extundelete: Recovers deleted files from ext2/ext3/ext4 filesystems (common on Linux).
• GParted: A GUI tool to manage partitions (useful for visualizing drive structure).

Step 1: Assess the Data Loss Scenario

Before diving into recovery, identify the cause of data loss. This determines which tools and steps to use:

Common Scenarios:

• Accidental Deletion: Files/folders deleted with rm, emptied trash, or overwritten.
• Partition Loss: Partition table corrupted (e.g., due to fdisk misuse, malware, or power failure).
• Drive Corruption: File system errors (e.g., ext4 journal corruption, NTFS errors).
• Bad Sectors: Physical damage to the drive (clicking noises, slow read/write speeds).
• Formatted Drive: Drive accidentally formatted with mkfs or via GUI tools.

How to Diagnose:

1. Identify the Affected Drive: Boot from your live USB and run:

   lsblk  # Lists all connected drives (e.g., /dev/sda, /dev/sdb)
   fdisk -l /dev/sdX  # Replace sdX with your drive (e.g., /dev/sdb) to check partitions

   Example output of lsblk:

   NAME   MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
   sda      8:0    0 238.5G  0 disk 
   ├─sda1   8:1    0   512M  0 part /boot/efi
   └─sda2   8:2    0 238G    0 part /
   sdb      8:16   0   1TB   0 disk  # <-- This is the affected external drive

   Here, /dev/sdb is the external drive (no partitions listed, indicating partition loss).

2. Check Drive Health: Use smartctl (part of smartmontools) to check for hardware issues:

   sudo smartctl -a /dev/sdX  # Replace sdX with your drive

   Look for “Failed” attributes (e.g., “Reallocated_Sector_Ct”)—signs of bad sectors.

Step 2: Prepare the Work Environment

To avoid overwriting data, work from a live Linux environment and ensure the affected drive is unmounted:

1. Boot from Live USB:

• Insert the live USB, restart your computer, and boot from the USB (press F2, F12, or Del to access BIOS/UEFI).
• Select “Try Ubuntu” (or equivalent) to run the OS without installing.

2. Unmount the Affected Drive:

If the drive is mounted (check with mount | grep /dev/sdX), unmount it immediately:

sudo umount /dev/sdXn  # Replace sdXn with the partition (e.g., /dev/sdb1)

Never mount the drive read-write—this risks overwriting lost data.

Step 3: Recover Accidentally Deleted Files

If you deleted files with rm or emptied the trash, use extundelete (for ext filesystems) or PhotoRec (for any filesystem).

Option A: Using extundelete (Ext2/Ext3/Ext4)

extundelete works by scanning the filesystem’s inode table for deleted files.

1. Install extundelete:

   sudo apt update && sudo apt install extundelete  # Ubuntu/Debian
   sudo dnf install extundelete  # Fedora/RHEL

2. Scan for Deleted Files: Replace /dev/sdXn with your partition (e.g., /dev/sdb1):

   sudo extundelete --restore-all /dev/sdXn

   This recovers all deleted files to a folder named RECOVERED_FILES in your current directory.

3. Restore Specific Files: To recover a single file (e.g., document.pdf), first list deleted files:

   sudo extundelete --list-deleted /dev/sdXn

   Then restore by inode number (replace 12345 with the inode of your file):

   sudo extundelete --restore-inode 12345 /dev/sdXn

Option B: Using PhotoRec (Any Filesystem)

PhotoRec ignores the filesystem and scans the drive at the sector level, recovering files by signature (e.g., JPG, PDF, DOCX).

1. Launch PhotoRec: From the live USB terminal:

   sudo photorec

2. Step-by-Step PhotoRec Setup:

   • Create Log File: Press Enter to create a log (optional but helpful).
   • Select Drive: Use arrow keys to choose the affected drive (e.g., /dev/sdb), then Enter.
   • Select Partition Table Type: Choose “Intel/PC” (most common) or “EFI GPT” for modern systems.
   • Select Partition: Highlight the partition with deleted files, then Enter.
   • File Opt: Press s to select file types to recover (e.g., check “jpg”, “pdf”, “docx”). Press b to return.
   • Choose Recovery Directory: Select the secondary storage drive (e.g., /media/ubuntu/USB_DRIVE), then Y to start recovery.

3. Locate Recovered Files: PhotoRec saves files in recup_dir.1, recup_dir.2, etc., on your secondary drive.

Step 4: Recover Lost Partitions

If your drive’s partition table is corrupted (e.g., after fdisk errors or malware), use TestDisk to restore partitions.

Using TestDisk:

1. Launch TestDisk:

   sudo testdisk

2. Step-by-Step Partition Recovery:

   • Create Log File: Select “Create” and press Enter (recommended for debugging).
   • Select Drive: Choose the affected drive (e.g., /dev/sdb), then Enter.
   • Select Partition Table Type: Choose “Intel/PC” or “EFI GPT” (matches your system).
   • Analyze Disk: Select “Analyze” to scan for lost partitions.
   • Quick Search: Press Enter to start a quick scan. TestDisk will display found partitions.
   • Review Results: Lost partitions are marked with [D]eleted or [L]ost. Use arrow keys to highlight a partition, then P to list files (verify if it’s the correct partition).
   • Recover Partition: If valid, select “Write” to save the partition table. Press Y to confirm.

3. Reboot: After writing the partition table, reboot and check if the drive mounts normally.

Step 5: Recover Data from Drives with Bad Sectors

Drives with bad sectors (physical damage) risk data loss. Use ddrescue to create a disk image, then recover from the image.

Step 1: Create a Disk Image with ddrescue

ddrescue copies data from the failing drive to a healthy image file, skipping bad sectors to avoid stalls.

1. Install ddrescue:

   sudo apt install gddrescue  # Ubuntu/Debian (package name is gddrescue)
   sudo dnf install ddrescue   # Fedora/RHEL

2. Run ddrescue: Replace /dev/sdX (failing drive) and image.img (output image) with your paths:

   sudo ddrescue -n /dev/sdX image.img logfile.txt  # First pass: copy good sectors
   sudo ddrescue -r3 /dev/sdX image.img logfile.txt  # Retry bad sectors 3 times

   • -n: No-scrape mode (faster, skips bad sectors).
   • -r3: Retry bad sectors 3 times (use -r0 to skip retries).
   • logfile.txt: Tracks progress (resumes if interrupted).

Step 2: Recover from the Disk Image

Use TestDisk or PhotoRec on the image.img file instead of the original drive:

sudo testdisk image.img  # Recover partitions from the image
sudo photorec image.img  # Recover files from the image

Step 6: Recover from File System Corruption

Corrupted filesystems (e.g., due to power outages) may fail to mount. Use fsck (filesystem check) with caution, or recover data from a ddrescue image.

Option A: Repair with fsck (Use with Caution!)

fsck fixes filesystem errors but can delete corrupted data. Always run it on a ddrescue image first:

1. Check Filesystem Type:

   sudo blkid /dev/sdXn  # e.g., ext4, ntfs, vfat

2. Run fsck on the Image:

   sudo fsck -y /dev/sdXn  # -y: auto-answer "yes" to fixes (use on image first!)

   • For NTFS: Use ntfsfix instead: sudo ntfsfix /dev/sdXn.

Option B: Recover Data from the Image

If fsck fails, use PhotoRec or TestDisk on the ddrescue image (see Step 5.2).

Troubleshooting Common Issues

• Drive Not Detected: Check dmesg | grep sd for hardware errors (e.g., “I/O error”). Try a different USB port/cable or a SATA-to-USB adapter.
• TestDisk Finds No Partitions: Run a “Deep Search” in TestDisk (under Analyze > Deep Search) to scan for fragmented partitions.
• PhotoRec Recovers Garbage Files: Filter file types in PhotoRec’s “File Opt” menu to avoid irrelevant files.
• ddrescue Stalls: Use -n (no-scrape) to skip bad sectors, or -d (direct disk access) for problematic drives.

Prevention: Avoid Future Data Loss

• Regular Backups: Use rsync, borgbackup, or cloud services (Nextcloud, Backblaze) to back up data.
• Monitor Drive Health: Use smartctl to check for early signs of failure:

  sudo smartctl -H /dev/sdX  # "SMART overall-health self-assessment test result: PASSED" is good.

• Use RAID: For critical data, set up RAID 1 (mirroring) or RAID 5 (striping with parity) to protect against drive failure.
• Avoid Abrupt Shutdowns: Always power off properly to prevent filesystem corruption.

References

• TestDisk Official Documentation
• PhotoRec User Guide
• ddrescue Manual
• extundelete Documentation
• Ubuntu Live USB Guide
• Smartmontools (smartctl) Guide