Recover Deleted Files in Linux/UNIX with Midnight Commander:

About Midnight Commander:

Midnight Commander is a GNU (free) software application with the primary purpose of being a file manager. What makes it particularly useful in this case is that it has an undelete feature. Midnight Commander can be obtained at http://www.ibiblio.org/mc/

Limitations of Midnight Commander:

Before you start trying to recover your files you should make sure that this recovery method will work in your case. First, this particular undelete trick only works for ext2 partitions. Second, if the files were deleted on a system running a 2.0.x kernel, the undelete process is limited to recovering the first 12288 bytes of the file. There was a bug in the deletion process that didn't keep the entire file as a single unit when it was deleted. While it has not been fixed in the 2.0.x kernels, it has been fixed in 2.2.x kernels.

Undelete Your Files:

Unmount the partition with the erased file(s).

e.g. umount /dev/sdd1

You should not attempt to undelete files from a mounted partition - you risk corrupting the drive.

Load Midnight Commander, once loaded type

cd undel:/dev/sdd1 (the sdd1 part may vary depending on your partition)
. You can't do this anywhere else but in Midnight Commander. Using the "cd" command in mc normally does what it would at a shell prompt; it changes directories. This special syntax instructs mc to display all the undeleted files on that partition instead of the files in a directory.

Wait a moment while it searches through that ext2 filesystem for deleted inodes (an inode holds the _contents_ of a file, but not the directory name, etc.). In a minute or so, you'll see a list of files with names like "23434632:2" in that window. The dates and times for the entries are the dates and times when that inode was deleted. I find it most useful to sort this window according to time:

You can use the <F3> "View" feature to look at the contents of the inode. Press <ins> on top of the files that have times around the time you think you deleted the file(s). This tags them to be undeleted in a moment.

Undelete the files.

In the other window (use <tab> to switch windows in mc), make an empty directory under /tmp, such as /tmp/deletedfiles.

mkdir /tmp/deletedfiles

Now switch back to your undel window and press <F5> to copy those files to your real filesystem. If you're done, you can leave mc with the <F10> key - see the legend at the bottom of the screen.

This would also be a good time to remount the /home partition with

mount /home

Now look through the each of the deleted files to figure out what the file was. Now that the files are in /tmp/deletedfiles, they can be manipulated just like any other file, such as:

cd /tmp/deletedfiles
mv 23434632:2 /home/testfile

Once the files have been recovered you can sort and filter they by size, so if you know you had some databases that were deleted those would probably have larger sizes than images and text documents. I have managed to find 100 important files out of 500,000 deleted files (most of the deleted files were archived PDF files) for a client through this Midnight Commander method.

It is possible to recover multiple copies of some of your files if you deleted that file more than once; you'll need to decide which is the one you want to keep.