Recover rm command

Consider a situation wherein you have used the rm command wrongly in a particular directory, say

rm -r * 

and we don't have any backup of the files that were deleted.

NOTE: I'm not facing a situation like this, but wanted to know what options are available for such a situation.

Is there any way to recover those files?

I'm looking at this on Solaris; I would also like to know about any Linux flavors, if you are aware of it.

There are a few specialized tools which are moderately successful at recovering specific kinds of data. photorec is pretty good at recovering photos deleted from camera cards, for example.

But recovering deleted files without a backup anywhere means stopping the OS from writing to that disk and hoping that particular "unused space" hasn't already been overwritten by new files. Not even FAT partitions have a real "undelete" anymore, and "undelete" didn't always work!

Once that's done, then you do grueling, sector-by-sector brute-force scanning which might get you nameless/partial/garbled results at best if you know exactly what you're looking for (which is how photorec manages to work at all, it scans for JPEG headers). If you can't tell the needle apart from the haystack, the needle is lost.

So there aren't really "options" in the usual sense of the word -- nothing you can actually trust.
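The header scan described in the post above, as an added Python example that is not part of the original thread. It assumes file data starts on 512-byte sector boundaries and runs over a constructed in-memory "disk"; the names `carve_jpegs` and `build_sample` are hypothetical.

```python
SOI = b"\xff\xd8\xff"  # JPEG start-of-image marker plus the lead byte of the next marker
EOI = b"\xff\xd9"      # JPEG end-of-image marker
SECTOR = 512           # assumption: file data begins on a sector boundary


def carve_jpegs(raw, max_size=1 << 20):
    """Scan a raw image sector by sector for JPEG headers.

    Returns (offset, data, complete) tuples. No filename or directory is
    recoverable this way: the offset is the only identity a carved file has.
    Simplification: the first EOI after the header ends the file, so embedded
    thumbnails and fragmented files are not handled.
    """
    found = []
    for off in range(0, len(raw), SECTOR):
        if raw[off:off + len(SOI)] != SOI:
            continue  # the haystack: sectors we cannot tell apart from noise
        end = raw.find(EOI, off + len(SOI), off + max_size)
        if end == -1:
            # Header survived but the tail was overwritten or lies elsewhere.
            found.append((off, raw[off:off + SECTOR], False))
        else:
            found.append((off, raw[off:end + len(EOI)], True))
    return found


def build_sample():
    """Constructed 'disk' image: one intact JPEG-like blob, one reused sector,
    and one header whose remaining data is gone."""
    intact = SOI + b"\xe0" + b"A" * 700 + EOI   # spans two sectors
    orphan = SOI + b"\xe1" + b"B" * 100         # no EOI follows
    pad = lambda b: b + b"\x00" * (-len(b) % SECTOR)
    disk = b"\x00" * SECTOR + pad(intact) + pad(b"new file data " * 30) + pad(orphan)
    return disk, intact


if __name__ == "__main__":
    disk, _ = build_sample()
    for off, data, complete in carve_jpegs(disk):
        state = "complete" if complete else "partial"
        print(f"recovered_{off:08x}.jpg  {len(data)} bytes  {state}")
```

The second hit is the "partial/garbled" case: the header is found, but nothing in the image says where the rest of the file went.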

You ask yourself, "Why the hell don't we have BACKUPS?!?!"

Thanks Corona

@achenle: Haha.. That will be an obvious 1st question for everyone !

If you are using ZFS, a nice way to protect against accidental file deletion without doing backups is to regularly create ZFS snapshots. The time-slider service allows you to automate this task.

For normal folk, options are reduced to almost nothing...
As you have noticed from Corona's use of "stopping the OS": it means the little chance you have to save anything will depend mostly on your knowledge of the system, how fast you are, and the time between the command execution and your reaction, for a shutdown is what is to be avoided; it's a crash you need, a reboot without sync.
Then it is knowing what was there and looking in lost+found after doing a fsck of the file system where the directory resided... because you won't see files with the first letter missing like in FAT, but strange numeric or alphanumeric sequences as names, and you have to decide what it is you are seeing. Your chances are from 80% (less than ten seconds have passed) to 0% (more than 3 minutes).
I happen to have had to do this sort of work 2 decades ago when systems weren't as user friendly as today, that's maybe why I am such a paranoid...
