Sometimes, you may lose important data—whether by accident or due to a lack of knowledge. This detailed, step-by-step guide provides a structured approach to recovering lost files in Linux using a live USB environment and recovery tools such as TestDisk, PhotoRec, and extundelete.
Table of Contents
Very few people lose data due to external factors like hardware failure, power outages or natural disasters. More often, we lose data because of our own mistakes, right?
Picture this: You just executed the commandsudo rm -rf /*on your Linux system. You’re not entirely sure what it does, but you ran it anyway—andboom!All your data is gone. I made this mistake a long time ago when I was new to Linux.
Accidentally running sudo rm -rf /* is one of the most destructive commands you can execute on a Linux system. For those who might not know, it wipes nearly everything, including system files, personal documents, and configurations.
This is a classic (and painful) example of what can happen when you run commands without fully understanding them.
Here's the breakdown of what doessudo rm -rf /*command do.
When combined,sudo rm -rf /*tells the system toforcefully and recursively delete every file and directory starting from the root of the filesystem.
While the OS itself is beyond recovery, some of your files may still be retrievable if you act quickly and follow the correct steps.
Important: If the data is critically important, seek professional help.
If the data is critical and you need to recover it at any cost, I strongly recommend leaving it to professional data recovery experts.
They use advanced tools (E.g. Stellar Data Recovery Toolkit) to retrieve lost files. It may be expensive, but you’ll likely get your data back—and, more importantly, peace of mind.
If you want to recover files on your own using the freely available Linux data recovery tools, this guide is for you. Read on.
I tested the following steps in a safe virtual environment. I created a test virtual machine (VM) that contained no important data.
I intentionally deleted files, and then attempted to recover them using the tools mentioned in this guide. My goal was to learn how data recovery works.
I want to emphasize that data recovery is not always 100% successful. Depending on the situation, you may or may not recover all your lost data.
Here are some key points to keep in mind:
1. File Names May Be Lost
2. SSDs vs. HDDs
3. Use External Drives for Storing Recovered Data
4. Data Recovery is a Time-Consuming Process
By understanding these factors, you can set realistic expectations and prepare adequately before attempting file recovery in Linux.
Let us get started!
Every second the affected drive is in use increases the risk of overwriting recoverable data. If the system is still running, shut it down immediately. Avoid rebooting or installing any new software on the drive.
Since the installed OS is no longer functional, use a live Linux environment for recovery. Recommended options include:
If you don’t already have a live USB, create one on another computer using:
My Recommendation: Always Keep a Persistent Live USB for Emergency Use
If you have a spare external USB drive, consider creating apersistent live USB. You can either do a full install of an operating system onto the external drive or use a live USB distro likeKali Linuxthat supports persistence. Persistence allows you to save installed packages, configurations, and changes permanently to the external drive.
You can use Ventoy or Mkusb tools to create persistent live USBs:
Having a persistent live USB is incredibly useful in emergencies, such as accidentally deleting partitions, formatting drives, or encountering sudden data loss, an unbootable OS, or other catastrophic situations. You’ll have a ready-to-go recovery tool at your fingertips.
Pro tip: Mark your emergency thumb drive with a distinctive label, so it’s easy to identify among other flash drives.
For the demonstration purpose, I am booting into Ubuntu 24.04 LTS live environment.
Once booted into the live environment, open a terminal and run:
lsblk
OR
fdisk -l
This will display the available disks and partitions (e.g., /dev/sda, /dev/nvme0n1). Take note of the affected disk.
Sample Output:
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS loop0 7:0 0 1.6G 1 loop /rofs loop1 7:1 0 457.5M 1 loop loop2 7:2 0 868.1M 1 loop loop3 7:3 0 4K 1 loop /snap/bare/5 loop4 7:4 0 74.2M 1 loop /snap/core22/1380 loop5 7:5 0 10.7M 1 loop /snap/firmware-updater/127 loop6 7:6 0 91.7M 1 loop /snap/gtk-common-themes/1535 loop7 7:7 0 505.1M 1 loop /snap/gnome-42-2204/176 loop8 7:8 0 269.6M 1 loop /snap/firefox/4173 loop9 7:9 0 10.3M 1 loop /snap/snap-store/1124 loop10 7:10 0 116.7M 1 loop /snap/ubuntu-desktop-bootstrap/171 loop11 7:11 0 137.3M 1 loop /snap/thunderbird/470 loop12 7:12 0 38.7M 1 loop /snap/snapd/21465 loop13 7:13 0 476K 1 loop /snap/snapd-desktop-integration/157 sda 8:0 0 50G 0 disk ├─sda1 8:1 0 1M 0 part ├─sda2 8:2 0 513M 0 part └─sda3 8:3 0 49.5G 0 part sdb 8:16 0 10G 0 disk /media/ubuntu/Backup sr0 11:0 1 5.7G 0 rom /cdrom
As you can see in the above output, /dev/sda is my local drive with three partitions (/dev/sda1, /dev/sda2 and /dev/sda3). And /dev/sdb is the external drive for backup purpose.
Refer to the following article for more methods to list disk partitions in Unix-like systems:
Before attempting file recovery, create a backup image of the entire disk to avoid further data loss.
First, connect an External drive that has a sufficient space to save the disk image and the data that we are going to recover in the subsequent steps. If possible, use two external drives. One for saving the disk image and another for saving the recovered data.
Please note that the target drive should be larger than the source drive. For instance, if you want to recover data from a 50GB disk (i.e. source drive), the target drive (i.e destination drive) must be larger than 50GB.
Next, run the following command to create the full disk image:
sudo dd if=/dev/sda of=/media/ubuntu/Backup/recovery.img bs=4M status=progress
(Replace /dev/sda with the correct disk identifier, /media/ubuntu/Backup/ with external drive's path and ensure the image is stored on the external drive.)
This can be useful for a few reasons:
TestDisk is a powerful open-source tool for recovering lost partitions and deleted files. It works on Linux, Windows, and macOS.
sudo apt update && sudo apt install testdisk -y
Launch TestDisk:
sudo testdisk
When TestDisk starts, it will ask you to create a log file. SelectCreateto proceed. Select [Create] to create a new log file.
TestDisk will list all available disks. Use the arrow keys to select the disk you want to recover data from, then press Enter. Select the source (affected) drive → [Proceed].
Christophe GRENIER <grenier> https://www.cgsecurity.org TestDisk is free software, and comes with ABSOLUTELY NO WARRANTY. Select a media (use Arrow keys, then press Enter): >Disk /dev/sda - 53 GB / 50 GiB - QEMU QEMU HARDDISK Disk /dev/sdb - 10 GB / 10 GiB - QEMU QEMU HARDDISK Disk /dev/sr0 - 6114 MB / 5831 MiB (RO) - QEMU DVD-ROM Disk /dev/loop0 - 1748 MB / 1667 MiB (RO) Disk /dev/loop1 - 479 MB / 457 MiB (RO) Disk /dev/loop10 - 122 MB / 116 MiB (RO) Disk /dev/loop11 - 143 MB / 137 MiB (RO) Disk /dev/loop12 - 40 MB / 38 MiB (RO) Disk /dev/loop13 - 487 KB / 476 KiB (RO) Disk /dev/loop2 - 910 MB / 868 MiB (RO) Disk /dev/loop3 - 4096 B (RO) Disk /dev/loop4 - 77 MB / 74 MiB (RO) Disk /dev/loop5 - 11 MB / 10 MiB (RO) Disk /dev/loop6 - 96 MB / 91 MiB (RO) Disk /dev/loop7 - 529 MB / 505 MiB (RO) Disk /dev/loop8 - 282 MB / 269 MiB (RO) Disk /dev/loop9 - 10 MB / 10 MiB (RO) >[Proceed ] [ Quit ] Note: Disk capacity must be correctly detected for a successful recovery. If a disk listed above has an incorrect size, check HD jumper settings and BIOS detection, and install the latest OS patches and disk drivers.</grenier>
TestDisk will ask you to select the partition table type (usually Intel/PC for most systems). Select the correct type and pressEnter. Choose [Intel] or [EFI GPT] based on your partition type.
TestDisk 7.1, Data Recovery Utility, July 2019 Christophe GRENIER <grenier> https://www.cgsecurity.org Disk /dev/sda - 53 GB / 50 GiB - QEMU QEMU HARDDISK Please select the partition table type, press Enter when done. [Intel ] Intel/PC partition >[EFI GPT] EFI GPT partition map (Mac i386, some x86_64...) [Humax ] Humax partition table [Mac ] Apple partition map (legacy) [None ] Non partitioned media [Sun ] Sun Solaris partition [XBox ] XBox partition [Return ] Return to disk selection Hint: EFI GPT partition table type has been detected. Note: Do NOT select 'None' for media with only a single partition. It's very rare for a disk to be 'Non-partitioned'.</grenier>
Select [Analyze] to scan for lost partitions:
TestDisk 7.1, Data Recovery Utility, July 2019
Christophe GRENIER <grenier>
https://www.cgsecurity.org
Disk /dev/sda - 53 GB / 50 GiB - QEMU QEMU HARDDISK
CHS 51200 64 32 - sector size=512
>[ Analyse ] Analyse current partition structure and search for lost partitions
[ Advanced ] Filesystem Utils
[ Geometry ] Change disk geometry
[ Options ] Modify options
[ Quit ] Return to disk selection
Note: Correct disk geometry is required for a successful recovery. 'Analyse'
process may give some warnings if it thinks the logical geometry is mismatched.</grenier>
TestDisk will display the current partition structure. If partitions are missing, it will search for them. You can also manually do it by choosing Quick Search option.
TestDisk 7.1, Data Recovery Utility, July 2019
Christophe GRENIER <grenier>
https://www.cgsecurity.org
Disk /dev/sda - 53 GB / 50 GiB - CHS 51200 64 32
Current partition structure:
Partition Start End Size in sectors
1 P Unknown 2048 4095 2048
2 P EFI System 4096 1054719 1050624 [EFI System Partition]
3 P Linux filesys. data 1054720 104855551 103800832
P=Primary D=Deleted
>[Quick Search] [ Backup ]
Try to locate partition</grenier>TestDisk will now perform a "Quick Search" to find lost partitions. If it finds any, it will list them.
TestDisk 7.1, Data Recovery Utility, July 2019
Christophe GRENIER <grenier>
https://www.cgsecurity.org
Disk /dev/sda - 53 GB / 50 GiB - CHS 51200 64 32
Partition Start End Size in sectors
P MS Data 4096 1054719 1050624 [NO NAME]
>P Linux filesys. data 1054720 104855551 103800832
Structure: Ok. Use Up/Down Arrow keys to select partition.
Use Left/Right Arrow keys to CHANGE partition characteristics:
P=Primary D=Deleted
Keys A: add partition, L: load backup, T: change type, P: list files,
Enter: to continue
ext4 blocksize=4096 Large_file Sparse_SB, 53 GB / 49 GiB</grenier>If the Quick Search doesn't find your lost partitions, selectDeeper Searchfor a more thorough scan.
After the scan, TestDisk will list the partitions it found. Use the arrow keys to select the partition you want to recover.
If the partition looks correct, selectWriteto save the partition table to the disk. This will restore the lost partition.
TestDisk 7.1, Data Recovery Utility, July 2019
Christophe GRENIER <grenier>
https://www.cgsecurity.org
Disk /dev/sda - 53 GB / 50 GiB - CHS 51200 64 32
Partition Start End Size in sectors
1 P MS Data 4096 1054719 1050624 [NO NAME]
2 P Linux filesys. data 1054720 104855551 103800832
[ Quit ] [ Return ] [Deeper Search] >[ Write ]
Write partition structure to disk</grenier>
Type Y to confirm:
TestDisk 7.1, Data Recovery Utility, July 2019 Christophe GRENIER <grenier> https://www.cgsecurity.org Write partition table, confirm ? (Y/N)</grenier>
Next, quit from the Testdisk and reboot your computer to see if the partition is restored.
In my case, Testdisk has successfully restored the partition.
Now, we will try to recover files from the restored partitions.
Log in to the live environment as described in the earlier steps.
To recover deleted files, we need to install the TestDisk again. Because, we rebooted the live system and testdisk is gone now.
sudo apt update && sudo apt install testdisk -y
Launch the TestDisk:
sudo testdisk
In TestDisk, select the partition where the files were located.
SelectAdvancedfrom the menu.
Choose a partition and press P to view the files on the partition.
TestDisk 7.1, Data Recovery Utility, July 2019
Christophe GRENIER <grenier>
https://www.cgsecurity.org
Disk /dev/sda - 53 GB / 50 GiB - CHS 51200 64 32
Partition Start End Size in sectors
P MS Data 4096 1054719 1050624 [NO NAME]
>P Linux filesys. data 1054720 104855551 103800832
Structure: Ok. Use Up/Down Arrow keys to select partition.
Use Left/Right Arrow keys to CHANGE partition characteristics:
P=Primary D=Deleted
Keys A: add partition, L: load backup, T: change type, P: list files,
Enter: to continue
ext4 blocksize=4096 Large_file Sparse_SB, 53 GB / 49 GiB</grenier>
Now you will see available files in the selected partition. Navigate through the directories to find the deleted files.
TestDisk 7.1, Data Recovery Utility, July 2019
Christophe GRENIER <grenier>
https://www.cgsecurity.org
P Linux filesys. data 1054720 104855551 103800832
Directory /
>drwxr-xr-x 0 0 4096 5-Mar-2025 11:43 .
drwxr-xr-x 0 0 4096 5-Mar-2025 11:43 ..
drwxr-xr-x 0 0 4096 5-Mar-2025 11:42 boot
-rw------- 0 0 2147483648 25-Apr-2024 12:48 swapfile
drwxr-xr-x 0 0 4096 5-Mar-2025 11:43 var
drwxr-xr-x 0 0 4096 7-Aug-2023 22:52 dev
drwxr-xr-x 0 0 4096 18-Apr-2022 10:28 proc
drwxr-xr-x 0 0 4096 25-Apr-2024 12:52 run
drwxr-xr-x 0 0 4096 5-Mar-2025 11:43 snap
drwxr-xr-x 0 0 4096 18-Apr-2022 10:28 sys
Next
Use Right to change directory, h to hide deleted files
q to quit, : to select the current file, a to select all files
C to copy the selected files, c to copy the current file</grenier>
Use the C key to copy the deleted files to a safe location (e.g., another drive) and then press C to save the file in the destination drive.
estDisk 7.1, Data Recovery Utility, July 2019
Please select a destination where the marked files will be copied.
Keys: Arrow keys to select another directory
C when the destination is correct
Q to quit
Directory /media/ubuntu/Backup
>drwx------ 1000 1000 4096 5-Mar-2025 12:15 .
drwxr-x--- 0 0 80 5-Mar-2025 13:27 ..
drwx------ 0 0 16384 5-Mar-2025 11:49 lost foundPress C to copy the files in the destination:
TestDisk 7.1, Data Recovery Utility, July 2019
Christophe GRENIER <grenier>
https://www.cgsecurity.org
P Linux filesys. data 1054720 104855551 103800832
Directory /
Copy done! 7 ok, 0 failed
>drwxr-xr-x 0 0 4096 5-Mar-2025 11:43 .
drwxr-xr-x 0 0 4096 5-Mar-2025 11:43 ..
drwxr-xr-x 0 0 4096 5-Mar-2025 11:42 boot
-rw------- 0 0 2147483648 25-Apr-2024 12:48 swapfile
drwxr-xr-x 0 0 4096 5-Mar-2025 11:43 var
drwxr-xr-x 0 0 4096 7-Aug-2023 22:52 dev
drwxr-xr-x 0 0 4096 18-Apr-2022 10:28 proc
drwxr-xr-x 0 0 4096 25-Apr-2024 12:52 run
drwxr-xr-x 0 0 4096 5-Mar-2025 11:43 snap
drwxr-xr-x 0 0 4096 18-Apr-2022 10:28 sys
Stop
Next
Use Right to change directory, h to hide deleted files
q to quit, : to select the current file, a to deselect all files
C to copy the selected files, c to copy the current file</grenier>
Depending on the size of the items, it will take a few minutes to several minutes.
If you want to backup more than one file, press a to select all files, and press C to save them in your preferred destination.
Once you're done, exit TestDisk by selectingQuit.
If TestDisk doesn’t restore everything, PhotoRec can help recover individual files.
PhotoRec is a companion tool to TestDisk that specializes in file recovery. It works even if the file system is damaged or the partition is lost.
Let us say you accidentally deleted files (documents, images, or videos) from an ext4 partition on the local drive (/dev/sda2). I will explain how to recover them using Photorec.
PhotoRec is included with TestDisk. If it’s not installed, run:
sudo apt update sudo apt install testdisk
Run the following command:
sudo photorec
It will open a text-based interface. The Photorec interface is very similar to Testdisk, but with a few different options.
Use the arrow keys to highlight the affected disk (/dev/sda for local drive) and press Enter to select it.
If you remember the partition where files were deleted (e.g., /dev/sda2), select it. If the partition table is corrupted, select "No partition" and scan the whole disk.
Press Enter to proceed.
PhotoRec asks for the file system type:
Press Enter to continue.
Use arrow keys to select Free Space first. If it doesn’t recover what you need, try Whole Disk.
Press Enter to continue.
PhotoRec asks for a destination folder to store recovered files. Press the Left arrow key to choose the destination drive.
PhotoRec begins recovering files automatically. You’ll see a progress bar showing:
Wait until it completes.
Once finished, navigate to the recovery folder and check your files:
ls -lh /media/ubuntu/Backup/
PhotoRec recovers files without original names but retains extensions (.jpg, .pdf, .mp4).
If needed, sort files by type:
ls -lh /media/ubuntu/Backup/ | grep .pdf
Additional Tips:
If you got your files back, you can skip the following step and go straight to STEP 8. But if you still didn't get the files you need, read on.
extundelete is another powerful tool for recovering deleted files from ext3/ext4 file systems.
Unlike PhotoRec, which works at the raw data level, extundelete attempts to restore files with their original filenames and directory structure—if the data blocks haven't been overwritten.
As I already said, immediately stop writing data to the disk and stop using your system. Log in to the live environment as I described in STEP 4.
If not installed, run:
sudo apt update sudo apt install extundelete
Run the following command to list recoverable files:
sudo extundelete /dev/sda2 --list-deleted
This scans the partition and shows files that can be recovered.
If you found a specific file (e.g., important.doc), recover it using:
sudo extundelete /dev/sda2 --restore-file /home/user/Documents/important.doc
The recovered file will be saved in a folder called RECOVERED_FILES in your current directory.
If you deleted a whole directory (e.g., /home/user/Pictures), use:
sudo extundelete /dev/sda2 --restore-directory /home/user/Pictures
This restores all files from that folder.
If you want to restore all deleted files, run:
sudo extundelete /dev/sda2 --restore-all
This will attempt to recover every deleted file and save them in RECOVERED_FILES/.
Once recovery is complete, check the folder:
ls -lh RECOVERED_FILES/
Important Notes
Once recovery is complete, review the retrieved files and make sure you have moved them to a safe location. Ensure they are intact before proceeding with a fresh OS installation.
Since the system files are beyond repair, a full OS reinstall is necessary. Use your live USB to install your preferred Linux distribution.
If you had backups using tools like Timeshift, rsync, or cloud storage, now is the time to restore them. Check out the Backup tools category for exploring more backup options.
While running sudo rm -rf /* is a disastrous mistake, data recovery is possible if you act quickly and follow a structured approach. The key steps are stopping all activity on the drive, using a live USB, leveraging recovery tools like TestDisk, PhotoRec and Extundelete, and reinstalling the OS.
Have you encountered a similar situation? Share your experiences and recovery tips in the comments below! I will check and update the guide accordingly.
The above is the detailed content of A Comprehensive Guide To Recover Data In Linux After Accidentally Deleting Your OS. For more information, please follow other related articles on the PHP Chinese website!
Ouyi trading platform app
Python online playback function implementation method
What does data encryption storage include?
The role of validate function
Solid state drive data recovery
What is the difference between webstorm and idea?
Second-level domain name query method
What is the transfer limit of Alipay?
What should I do if eDonkey Search cannot connect to the server?
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
