https://ostechnix.com/recover-data-in-linux-after-accidentally-deleting-your-os
A Comprehensive Guide To Recover Data In Linux After Accidentally Deleting Your OS
Recovering Deleted Files After Accidentally Running `sudo rm -rf /*` on Linux
Sometimes, you may lose important data—whether by accident or due to a lack of knowledge. This detailed, step-by-step guide provides a structured approach to recovering lost files in Linux using a live USB environment and recovery tools such as TestDisk, PhotoRec, and extundelete.
Introduction
Very few people lose data due to external factors like hardware failure, power outages or natural disasters. More often, we lose data because of our own mistakes, right?
Picture this: You just executed the command `sudo rm -rf /*` on your Linux system. You’re not entirely sure what it does, but you ran it anyway—and boom! All your data is gone. I made this mistake a long time ago when I was new to Linux.
`sudo rm -rf /*` is one of the most destructive commands you can accidentally run on a Linux system. For those who might not know, it wipes nearly everything, including system files, personal documents, and configurations.
This is a classic (and painful) example of what can happen when you run commands without fully understanding them.
Here's a breakdown of what the `sudo rm -rf /*` command does:
- `sudo`: Runs the command with superuser (root) privileges, giving it access to delete any file or directory on the system.
- `rm`: The "remove" command, used to delete files and directories.
- `-r`: Recursively deletes directories and their contents.
- `-f`: Forces deletion without prompting for confirmation.
- `/*`: Targets the root directory (`/`) and everything inside it.
When combined, `sudo rm -rf /*` tells the system to forcefully and recursively delete every file and directory starting from the root of the filesystem.
While the OS itself is beyond recovery, some of your files may still be retrievable if you act quickly and follow the correct steps.
Important: If the data is critically important, seek professional help.
If the data is critical and you need to recover it at any cost, I strongly recommend leaving it to professional data recovery experts.
They use advanced tools (e.g., Stellar Data Recovery Toolkit) to retrieve lost files. It may be expensive, but you’ll likely get your data back—and, more importantly, peace of mind.
If you want to recover files on your own using the freely available Linux data recovery tools, this guide is for you. Read on.
Things You Should Know Before Attempting File Recovery
I tested the following steps in a safe virtual environment. I created a test virtual machine (VM) that contained no important data.
I intentionally deleted files, and then attempted to recover them using the tools mentioned in this guide. My goal was to learn how data recovery works.
I want to emphasize that data recovery is not always 100% successful. Depending on the situation, you may or may not recover all your lost data.
Here are some key points to keep in mind:
1. File Names May Be Lost
- When using recovery tools (e.g., PhotoRec), you will likely lose all original file names. Recovered files will be organized by file type, but you’ll need to manually identify and rename them.
2. SSDs vs. HDDs
- If you’re using an SSD, the chances of recovering data are significantly lower. This is especially true if the TRIM function is active, as it permanently deletes data to optimize performance.
- If you’re using an HDD, the chances of successful data recovery are much higher.
3. Use External Drives for Storing Recovered Data
- You may need one or two external drives with sufficient storage space. One drive can be used to run a live OS (e.g., Ubuntu Live USB), while the other can store backups or recovered files.
- DO NOT save the recovered data on the same local disk.
- If possible, try to use a persistent live USB. This way you don't need to install the recovery software on every reboot.
4. Data Recovery is a Time-Consuming Process
- Data recovery can take several hours or even days, depending on the size of the drive and the extent of data loss. Be prepared to wait patiently for the process to complete.
By understanding these factors, you can set realistic expectations and prepare adequately before attempting file recovery in Linux.
Let us get started!
Step 1: Stop Using the System Immediately
Every second the affected drive is in use increases the risk of overwriting recoverable data. If the system is still running, shut it down immediately. Avoid rebooting or installing any new software on the drive.
Step 2: Boot from a Live USB
Since the installed OS is no longer functional, use a live Linux environment for recovery. Recommended options include:
- Ubuntu/Kubuntu/Linux Mint Live ISO (User-friendly and familiar)
- SystemRescue (Designed for system recovery)
- Kali Linux (Contains forensic tools)
- Rescuezilla (GUI-based recovery tool)
Creating a Live USB
If you don’t already have a live USB, create one on another computer using:
- Ventoy (Linux/macOS/Windows)
- balenaEtcher (Windows/Linux/macOS)
- Rufus (Windows)
- dd command (Linux/macOS):
My Recommendation: Always Keep a Persistent Live USB for Emergency Use
If you have a spare external USB drive, consider creating a persistent live USB. You can either do a full install of an operating system onto the external drive or use a live USB distro like Kali Linux that supports persistence. Persistence allows you to save installed packages, configurations, and changes permanently to the external drive.
You can use Ventoy or Mkusb tools to create persistent live USBs:
- Create Persistent Bootable USB Using Ventoy In Linux
- How To Create Persistent Live USB Using Mkusb On Ubuntu
Having a persistent live USB is incredibly useful in emergencies, such as accidentally deleting partitions, formatting drives, or encountering sudden data loss, an unbootable OS, or other catastrophic situations. You’ll have a ready-to-go recovery tool at your fingertips.
Pro tip: Mark your emergency thumb drive with a distinctive label, so it’s easy to identify among other flash drives.
Booting from the Live USB
- Insert the USB drive.
- Restart the system and enter the BIOS (press F2, F12, or Del, depending on the manufacturer).
- Set the USB drive as the first boot device.
- Save changes and exit the BIOS.
For demonstration purposes, I am booting into the Ubuntu 24.04 LTS live environment.
Step 3: Identify the Affected Drive
Once booted into the live environment, open a terminal and run:
lsblk
OR
fdisk -l
This will display the available disks and partitions (e.g., `/dev/sda`, `/dev/nvme0n1`). Take note of the affected disk.
Sample Output:
NAME   MAJ:MIN RM   SIZE RO TYPE MOUNTPOINTS
loop0    7:0    0   1.6G  1 loop /rofs
loop1    7:1    0 457.5M  1 loop
loop2    7:2    0 868.1M  1 loop
loop3    7:3    0     4K  1 loop /snap/bare/5
loop4    7:4    0  74.2M  1 loop /snap/core22/1380
loop5    7:5    0  10.7M  1 loop /snap/firmware-updater/127
loop6    7:6    0  91.7M  1 loop /snap/gtk-common-themes/1535
loop7    7:7    0 505.1M  1 loop /snap/gnome-42-2204/176
loop8    7:8    0 269.6M  1 loop /snap/firefox/4173
loop9    7:9    0  10.3M  1 loop /snap/snap-store/1124
loop10   7:10   0 116.7M  1 loop /snap/ubuntu-desktop-bootstrap/171
loop11   7:11   0 137.3M  1 loop /snap/thunderbird/470
loop12   7:12   0  38.7M  1 loop /snap/snapd/21465
loop13   7:13   0   476K  1 loop /snap/snapd-desktop-integration/157
sda      8:0    0    50G  0 disk
├─sda1   8:1    0     1M  0 part
├─sda2   8:2    0   513M  0 part
└─sda3   8:3    0  49.5G  0 part
sdb      8:16   0    10G  0 disk /media/ubuntu/Backup
sr0     11:0    1   5.7G  0 rom  /cdrom
As you can see in the above output, `/dev/sda` is my local drive with three partitions (`/dev/sda1`, `/dev/sda2` and `/dev/sda3`), and `/dev/sdb` is the external drive used for backups.
Step 4: Create a Full Disk Image (Recommended)
Before attempting file recovery, create a backup image of the entire disk to avoid further data loss.
First, connect an external drive that has sufficient space to save the disk image and the data that we are going to recover in the subsequent steps. If possible, use two external drives: one for saving the disk image and another for saving the recovered data.
Please note that the target drive should be larger than the source drive. For instance, if you want to recover data from a 50GB disk (i.e., the source drive), the target drive (i.e., the destination drive) must be larger than 50GB.
Next, run the following command to create the full disk image:
sudo dd if=/dev/sda of=/media/ubuntu/Backup/recovery.img bs=4M status=progress
(Replace `/dev/sda` with the correct disk identifier and `/media/ubuntu/Backup/` with the external drive's path, and ensure the image is stored on the external drive.)
This can be useful for a few reasons:
- Prevents Further Data Loss – Any failed recovery attempt on the original disk can overwrite recoverable data.
- Safer to Experiment – You can try different recovery tools without affecting the actual drive.
- Faster Recovery – You can restore data multiple times without re-imaging the disk.
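The imaging step can be wrapped in a few pre-flight checks and a checksum, so that later recovery attempts run against a copy you can prove is unchanged. This is an added example, not part of the original guide; the function names are illustrative, and the source may be a block device such as `/dev/sda` or a regular file for practice.

```sh
#!/bin/sh
# Added example (not from the original guide): image a disk with pre-flight
# checks and a recorded checksum. Function names are illustrative.
# Run as root when the source is a block device such as /dev/sda.

# Size of the source in bytes.
src_size() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# Free bytes on the filesystem that holds directory $1.
free_bytes() {
    _avail_k=$(df -Pk "$1" | awk 'NR == 2 { print $4 }')
    echo $((_avail_k * 1024))
}

# True if the block device or one of its partitions is mounted or used as swap.
is_in_use() {
    [ -b "$1" ] || return 1
    lsblk -nro MOUNTPOINT "$1" | grep -q .
}

# image_disk SRC IMG: copy SRC to IMG, verify it, then write IMG.sha256.
image_disk() {
    _src=$1
    _img=$2
    _dir=$(dirname "$_img")
    if [ ! -e "$_src" ]; then echo "source $_src not found" >&2; return 2; fi
    if [ -e "$_img" ]; then echo "refusing to overwrite $_img" >&2; return 3; fi
    if [ ! -d "$_dir" ]; then echo "destination $_dir not found" >&2; return 2; fi
    if is_in_use "$_src"; then echo "$_src is mounted, unmount it first" >&2; return 4; fi
    _need=$(src_size "$_src")
    _have=$(free_bytes "$_dir")
    # The guide requires the target to be larger than the source.
    if [ "$_have" -le "$_need" ]; then
        echo "need more than $_need bytes free, have $_have" >&2
        return 5
    fi
    # Same dd invocation as the guide, minus the progress display.
    dd if="$_src" of="$_img" bs=4M status=none || return 6
    sync
    # Hash source and image independently; a mismatch means the copy is bad.
    _h_src=$(sha256sum < "$_src" | cut -d' ' -f1)
    _h_img=$(sha256sum < "$_img" | cut -d' ' -f1)
    if [ "$_h_src" != "$_h_img" ]; then
        echo "checksum mismatch, image is not a faithful copy" >&2
        return 7
    fi
    echo "$_h_img  $(basename "$_img")" > "$_img.sha256"
    chmod a-w "$_img" "$_img.sha256"
}

# Usage on the live system:
#   image_disk /dev/sda /media/ubuntu/Backup/recovery.img
# Check the image again before each recovery attempt:
#   (cd /media/ubuntu/Backup && sha256sum -c recovery.img.sha256)
# Attach it read-only so recovery tools cannot modify it:
#   sudo losetup --find --show --read-only --partscan /media/ubuntu/Backup/recovery.img
```

Hashing reads the source a second time, which doubles the imaging time on large disks.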
Step 5: Use TestDisk to Recover Lost Partitions and Deleted Files
TestDisk is a powerful open-source tool for recovering lost partitions and deleted files. It works on Linux, Windows, and macOS.
Installing and Running TestDisk
sudo apt update && sudo apt install testdisk -y
Launch TestDisk:
sudo testdisk
When TestDisk starts, it will ask you to create a log file. Select [Create] to create a new log file.
Recover Lost Partitions
TestDisk will list all available disks. Use the arrow keys to select the disk you want to recover data from, then press Enter. Select the source (affected) drive → [Proceed].
Christophe GRENIER <grenier@cgsecurity.org>
https://www.cgsecurity.org
TestDisk is free software, and
comes with ABSOLUTELY NO WARRANTY.
Select a media (use Arrow keys, then press Enter):
>Disk /dev/sda - 53 GB / 50 GiB - QEMU QEMU HARDDISK
 Disk /dev/sdb - 10 GB / 10 GiB - QEMU QEMU HARDDISK
 Disk /dev/sr0 - 6114 MB / 5831 MiB (RO) - QEMU DVD-ROM
 Disk /dev/loop0 - 1748 MB / 1667 MiB (RO)
 Disk /dev/loop1 - 479 MB / 457 MiB (RO)
 Disk /dev/loop10 - 122 MB / 116 MiB (RO)
 Disk /dev/loop11 - 143 MB / 137 MiB (RO)
 Disk /dev/loop12 - 40 MB / 38 MiB (RO)
 Disk /dev/loop13 - 487 KB / 476 KiB (RO)
 Disk /dev/loop2 - 910 MB / 868 MiB (RO)
 Disk /dev/loop3 - 4096 B (RO)
 Disk /dev/loop4 - 77 MB / 74 MiB (RO)
 Disk /dev/loop5 - 11 MB / 10 MiB (RO)
 Disk /dev/loop6 - 96 MB / 91 MiB (RO)
 Disk /dev/loop7 - 529 MB / 505 MiB (RO)
 Disk /dev/loop8 - 282 MB / 269 MiB (RO)
 Disk /dev/loop9 - 10 MB / 10 MiB (RO)
>[Proceed ]  [  Quit  ]
Note: Disk capacity must be correctly detected for a successful recovery.
If a disk listed above has an incorrect size, check HD jumper settings and BIOS
detection, and install the latest OS patches and disk drivers.
TestDisk will ask you to select the partition table type (usually Intel/PC for most systems). Select the correct type and press Enter. Choose [Intel] or [EFI GPT] based on your partition type.
TestDisk 7.1, Data Recovery Utility, July 2019
Christophe GRENIER <grenier@cgsecurity.org>
https://www.cgsecurity.org
Disk /dev/sda - 53 GB / 50 GiB - QEMU QEMU HARDDISK
Please select the partition table type, press Enter when done.
 [Intel  ] Intel/PC partition
>[EFI GPT] EFI GPT partition map (Mac i386, some x86_64...)
 [Humax  ] Humax partition table
 [Mac    ] Apple partition map (legacy)
 [None   ] Non partitioned media
 [Sun    ] Sun Solaris partition
 [XBox   ] XBox partition
 [Return ] Return to disk selection
Hint: EFI GPT partition table type has been detected.
Note: Do NOT select 'None' for media with only a single partition. It's very
rare for a disk to be 'Non-partitioned'.
Select [Analyse] to scan for lost partitions:
TestDisk 7.1, Data Recovery Utility, July 2019
Christophe GRENIER <grenier@cgsecurity.org>
https://www.cgsecurity.org
Disk /dev/sda - 53 GB / 50 GiB - QEMU QEMU HARDDISK
     CHS 51200 64 32 - sector size=512
>[ Analyse  ] Analyse current partition structure and search for lost partitions
 [ Advanced ] Filesystem Utils
 [ Geometry ] Change disk geometry
 [ Options  ] Modify options
 [ Quit     ] Return to disk selection
Note: Correct disk geometry is required for a successful recovery. 'Analyse'
process may give some warnings if it thinks the logical geometry is mismatched.
TestDisk will display the current partition structure. If partitions are missing, it will search for them. You can also start the search manually by choosing the Quick Search option.
TestDisk 7.1, Data Recovery Utility, July 2019
Christophe GRENIER <grenier@cgsecurity.org>
https://www.cgsecurity.org
Disk /dev/sda - 53 GB / 50 GiB - CHS 51200 64 32
Current partition structure:
     Partition                  Start        End    Size in sectors
 1 P Unknown                     2048       4095       2048
 2 P EFI System                  4096    1054719    1050624 [EFI System Partition]
 3 P Linux filesys. data      1054720  104855551  103800832
                P=Primary  D=Deleted
>[Quick Search]  [ Backup ]
                            Try to locate partition
TestDisk will now perform a "Quick Search" to find lost partitions. If it finds any, it will list them.
TestDisk 7.1, Data Recovery Utility, July 2019
Christophe GRENIER <grenier@cgsecurity.org>
https://www.cgsecurity.org
Disk /dev/sda - 53 GB / 50 GiB - CHS 51200 64 32
     Partition               Start        End    Size in sectors
 P MS Data                     4096    1054719    1050624 [NO NAME]
>P Linux filesys. data      1054720  104855551  103800832
Structure: Ok.  Use Up/Down Arrow keys to select partition.
Use Left/Right Arrow keys to CHANGE partition characteristics:
                P=Primary  D=Deleted
Keys A: add partition, L: load backup, T: change type, P: list files,
     Enter: to continue
ext4 blocksize=4096 Large_file Sparse_SB, 53 GB / 49 GiB
If the Quick Search doesn't find your lost partitions, select `Deeper Search` for a more thorough scan.
After the scan, TestDisk will list the partitions it found. Use the arrow keys to select the partition you want to recover.
If the partition looks correct, select `Write` to save the partition table to the disk. This will restore the lost partition.
TestDisk 7.1, Data Recovery Utility, July 2019
Christophe GRENIER <grenier@cgsecurity.org>
https://www.cgsecurity.org
Disk /dev/sda - 53 GB / 50 GiB - CHS 51200 64 32
     Partition                  Start        End    Size in sectors
 1 P MS Data                     4096    1054719    1050624 [NO NAME]
 2 P Linux filesys. data      1054720  104855551  103800832
 [  Quit  ]  [ Return ]  [Deeper Search] >[ Write  ]
                       Write partition structure to disk
Type Y to confirm:
TestDisk 7.1, Data Recovery Utility, July 2019
Christophe GRENIER <grenier@cgsecurity.org>
https://www.cgsecurity.org
Write partition table, confirm ? (Y/N)
Next, quit TestDisk and reboot your computer to see if the partition is restored.
In my case, TestDisk successfully restored the partition.
Now, we will try to recover files from the restored partitions.
Recover Deleted Files
Log in to the live environment as described in the earlier steps.
To recover deleted files, we need to install TestDisk again, because we rebooted the live system and TestDisk is gone now.
sudo apt update && sudo apt install testdisk -y
Launch the TestDisk:
sudo testdisk
In TestDisk, select the partition where the files were located.
Select `Advanced` from the menu.
Choose a partition and press `P` to view the files on the partition.
TestDisk 7.1, Data Recovery Utility, July 2019
Christophe GRENIER <grenier@cgsecurity.org>
https://www.cgsecurity.org
Disk /dev/sda - 53 GB / 50 GiB - CHS 51200 64 32
     Partition               Start        End    Size in sectors
 P MS Data                     4096    1054719    1050624 [NO NAME]
>P Linux filesys. data      1054720  104855551  103800832
Structure: Ok.  Use Up/Down Arrow keys to select partition.
Use Left/Right Arrow keys to CHANGE partition characteristics:
                P=Primary  D=Deleted
Keys A: add partition, L: load backup, T: change type, P: list files,
     Enter: to continue
ext4 blocksize=4096 Large_file Sparse_SB, 53 GB / 49 GiB
Now you will see available files in the selected partition. Navigate through the directories to find the deleted files.
TestDisk 7.1, Data Recovery Utility, July 2019
Christophe GRENIER <grenier@cgsecurity.org>
https://www.cgsecurity.org
   P Linux filesys. data      1054720  104855551  103800832
Directory /
>drwxr-xr-x     0     0       4096  5-Mar-2025 11:43 .
 drwxr-xr-x     0     0       4096  5-Mar-2025 11:43 ..
 drwxr-xr-x     0     0       4096  5-Mar-2025 11:42 boot
 -rw-------     0     0 2147483648 25-Apr-2024 12:48 swapfile
 drwxr-xr-x     0     0       4096  5-Mar-2025 11:43 var
 drwxr-xr-x     0     0       4096  7-Aug-2023 22:52 dev
 drwxr-xr-x     0     0       4096 18-Apr-2022 10:28 proc
 drwxr-xr-x     0     0       4096 25-Apr-2024 12:52 run
 drwxr-xr-x     0     0       4096  5-Mar-2025 11:43 snap
 drwxr-xr-x     0     0       4096 18-Apr-2022 10:28 sys
                                                   Next
Use Right to change directory, h to hide deleted files
    q to quit, : to select the current file, a to select all files
    C to copy the selected files, c to copy the current file
Press `C` to copy the deleted files to a safe location (e.g., another drive), then choose the destination drive and press `C` again to save the files there.
TestDisk 7.1, Data Recovery Utility, July 2019
Please select a destination where the marked files will be copied.
Keys: Arrow keys to select another directory
      C when the destination is correct
      Q to quit
Directory /media/ubuntu/Backup
>drwx------  1000  1000      4096  5-Mar-2025 12:15 .
 drwxr-x---     0     0        80  5-Mar-2025 13:27 ..
 drwx------     0     0     16384  5-Mar-2025 11:49 lost+found
Press `C` to copy the files to the destination:
TestDisk 7.1, Data Recovery Utility, July 2019
Christophe GRENIER <grenier@cgsecurity.org>
https://www.cgsecurity.org
   P Linux filesys. data      1054720  104855551  103800832
Directory /
Copy done! 7 ok, 0 failed
>drwxr-xr-x     0     0       4096  5-Mar-2025 11:43 .
 drwxr-xr-x     0     0       4096  5-Mar-2025 11:43 ..
 drwxr-xr-x     0     0       4096  5-Mar-2025 11:42 boot
 -rw-------     0     0 2147483648 25-Apr-2024 12:48 swapfile
 drwxr-xr-x     0     0       4096  5-Mar-2025 11:43 var
 drwxr-xr-x     0     0       4096  7-Aug-2023 22:52 dev
 drwxr-xr-x     0     0       4096 18-Apr-2022 10:28 proc
 drwxr-xr-x     0     0       4096 25-Apr-2024 12:52 run
 drwxr-xr-x     0     0       4096  5-Mar-2025 11:43 snap
 drwxr-xr-x     0     0       4096 18-Apr-2022 10:28 sys
                                              Stop Next
Use Right to change directory, h to hide deleted files
    q to quit, : to select the current file, a to deselect all files
    C to copy the selected files, c to copy the current file
Depending on the size of the items, this can take anywhere from a few to several minutes.
If you want to back up more than one file, press `a` to select all files, and press `C` to save them in your preferred destination.
Once you're done, exit TestDisk by selecting `Quit`.
Step 6: Use PhotoRec for Deep File Recovery
If TestDisk doesn’t restore everything, PhotoRec can help recover individual files.
PhotoRec is a companion tool to TestDisk that specializes in file recovery. It works even if the file system is damaged or the partition is lost.
Let us say you accidentally deleted files (documents, images, or videos) from an ext4 partition on the local drive (`/dev/sda2`). I will explain how to recover them using PhotoRec.
Install PhotoRec
PhotoRec is included with TestDisk. If it’s not installed, run:
sudo apt update
sudo apt install testdisk
Launch PhotoRec
Run the following command:
sudo photorec
It will open a text-based interface. The PhotoRec interface is very similar to TestDisk, but with a few different options.
Select the Affected Drive
Use the arrow keys to highlight the affected disk (`/dev/sda` for the local drive) and press Enter to select it.
Choose a Partition or Whole Disk
If you remember the partition where files were deleted (e.g., `/dev/sda2`), select it. If the partition table is corrupted, select "No partition" and scan the whole disk.
Press Enter to proceed.
Select File System Type
PhotoRec asks for the file system type:
- If your files were on Linux (ext4, ext3, ext2), choose [ ext2/ext3/ext4 ].
- For Windows (NTFS, FAT32, exFAT), choose [ Other ].
Press Enter to continue.
Select Recovery Mode
- Free Space → Only scan unallocated space (faster).
- Whole Disk → Scan the entire drive (slower, but finds more files).
Use arrow keys to select Free Space first. If it doesn’t recover what you need, try Whole Disk.
Press Enter to continue.
Choose Where to Save Recovered Files
PhotoRec asks for a destination folder to store recovered files. Press the Left arrow key to choose the destination drive.
- DO NOT save recovered files on the same drive (this prevents data overwriting).
- Use the left key to navigate to a different disk (e.g., `/media/ubuntu/Backup`, an external drive).
- The destination drive should be larger in size than the source drive.
- Press C to confirm the destination.
Start Recovery Process
PhotoRec begins recovering files automatically. You’ll see a progress bar showing:
- Total files found
- Estimated time remaining
- Types of recovered files
Wait until it completes.
Verify Recovered Files
Once finished, navigate to the recovery folder and check your files:
ls -lh /media/ubuntu/Backup/
PhotoRec recovers files without original names but retains extensions (`.jpg`, `.pdf`, `.mp4`).
If needed, sort files by type:
ls -lh /media/ubuntu/Backup/ | grep '\.pdf$'
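Sorting by type can also be scripted. The following added example (not from the original guide) copies each unique, non-empty recovered file into a per-extension folder and records its SHA-256, so duplicates and empty files drop out. It relies on PhotoRec's layout of numbered `recup_dir.N` folders inside the destination; the function names and the `sorted` output folder are illustrative.

```sh
#!/bin/sh
# Added example (not from the original guide): sort PhotoRec output by type.
# PhotoRec writes recovered files into numbered recup_dir.N folders inside
# the destination. Function names are illustrative.

# sort_recovered DEST OUT: copy each unique, non-empty recovered file into
# OUT/<extension>/ and record its SHA-256 in OUT/manifest.sha256.
sort_recovered() {
    _dest=$1
    _out=$2
    mkdir -p "$_out" || return 1
    : > "$_out/manifest.sha256"
    find "$_dest" -type f -path '*/recup_dir.*/*' -size +0 | sort |
    while IFS= read -r _f; do
        _hash=$(sha256sum < "$_f" | cut -d' ' -f1)
        # Identical content was already copied: skip the duplicate.
        if grep -q "^$_hash " "$_out/manifest.sha256"; then continue; fi
        _name=${_f##*/}
        case $_name in
            *.*) _ext=${_name##*.} ;;
            *)   _ext=unknown ;;
        esac
        mkdir -p "$_out/$_ext"
        # Keep PhotoRec's name; on a name clash, prefix the hash instead.
        _rel="$_ext/$_name"
        if [ -e "$_out/$_rel" ]; then _rel="$_ext/${_hash}_$_name"; fi
        cp -p -- "$_f" "$_out/$_rel"
        printf '%s  %s\n' "$_hash" "$_rel" >> "$_out/manifest.sha256"
    done
}

# count_type OUT EXT: number of unique files kept for one extension.
count_type() {
    if [ -d "$1/$2" ]; then
        find "$1/$2" -type f | wc -l | tr -d ' '
    else
        echo 0
    fi
}

# Usage on the live system:
#   sort_recovered /media/ubuntu/Backup /media/ubuntu/Backup/sorted
#   count_type /media/ubuntu/Backup/sorted pdf
# Re-check the copies at any time:
#   (cd /media/ubuntu/Backup/sorted && sha256sum -c manifest.sha256)
```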
Additional Tips:
- If you want to recover specific file types (e.g., only PDFs or images), press S before starting the scan and select file types.
- If files are corrupted, try recovering from Whole Disk instead of Free Space.
- Use ExifTool to retrieve metadata from images:
sudo apt install exiftool
exiftool /media/ubuntu/Backup/image.jpg
If you got your files back, you can skip the following step and go straight to STEP 8. But if you still didn't get the files you need, read on.
Step 7: Use extundelete for Ext4 File Recovery (If Applicable)
`extundelete` is another powerful tool for recovering deleted files from ext3/ext4 file systems.
Unlike PhotoRec, which works at the raw data level, `extundelete` attempts to restore files with their original filenames and directory structure—if the data blocks haven't been overwritten.
Stop Using the System
As I already said, immediately stop writing data to the disk and stop using your system. Log in to the live environment as I described in STEP 4.
Install extundelete
If not installed, run:
sudo apt update
sudo apt install extundelete
Check the Partition for Deleted Files
Run the following command to list recoverable files:
sudo extundelete /dev/sda2 --list-deleted
This scans the partition and shows files that can be recovered.
Recover a Specific File
If you found a specific file (e.g., `important.doc`), recover it using:
sudo extundelete /dev/sda2 --restore-file /home/user/Documents/important.doc
The recovered file will be saved in a folder called `RECOVERED_FILES` in your current directory.
Recover an Entire Folder
If you deleted a whole directory (e.g., `/home/user/Pictures`), use:
sudo extundelete /dev/sda2 --restore-directory /home/user/Pictures
This restores all files from that folder.
Recover Everything
If you want to restore all deleted files, run:
sudo extundelete /dev/sda2 --restore-all
This will attempt to recover every deleted file and save them in `RECOVERED_FILES/`.
Verify Recovered Files
Once recovery is complete, check the folder:
ls -lh RECOVERED_FILES/
Important Notes
- `extundelete` works best if the file system is not journaled.
- If files are partially overwritten, they may not be fully recoverable.
- If `extundelete` doesn’t work, use PhotoRec for raw file recovery.
Step 8: Review and Restore Recovered Files
Once recovery is complete, review the retrieved files and make sure you have moved them to a safe location. Ensure they are intact before proceeding with a fresh OS installation.
Step 9: Reinstall the OS
Since the system files are beyond repair, a full OS reinstall is necessary. Use your live USB to install your preferred Linux distribution.
Step 10: Restore Backups (If Available)
If you had backups using tools like Timeshift, rsync, or cloud storage, now is the time to restore them. Check out the Backup tools category for exploring more backup options.
Preventing Future Data Loss
- Always Do Backups: Set up automatic backups with Deja Dup, Timeshift, Borg, Restic, or rsync.
- Enable safeguards: Use aliases like `alias rm='rm -i'` to prevent accidental deletions.
- Use `--preserve-root`: This prevents `rm` from running on the root directory.
- Test recovery procedures: Practice using TestDisk and backup recovery in a virtual machine.
- Do not blindly run commands: If you don't know what a command actually does, DO NOT RUN it. Do a quick web search, read manual pages, or seek an experienced user's help.
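One limit of `--preserve-root` matters for the command this guide is about: GNU `rm` only refuses the literal argument `/`, and with `/*` the shell expands the glob before `rm` starts. The following added example (not from the original guide) shows a wrapper that closes that gap for interactive use; the names `is_protected_path`, `root_glob_args` and `guarded_rm` are illustrative, and it assumes GNU `realpath`.

```sh
#!/bin/sh
# Added example (not from the original guide). Names are illustrative.
# GNU rm enables --preserve-root by default, but it only refuses the literal
# argument "/". With "rm -rf /*" the shell expands the glob first, so rm is
# handed /bin /boot /etc ... and the check never triggers.

# Return 0 (protected) if the path is / or a direct child of /, judged both
# lexically and after resolving symlinks. Unresolvable input fails closed.
is_protected_path() {
    for _p in "$(realpath -ms -- "$1" 2>/dev/null)" \
              "$(realpath -m -- "$1" 2>/dev/null)"; do
        case $_p in
            /*/*) ;;          # two or more levels deep: allowed
            *) return 0 ;;    # "/", "/name", or empty (realpath failed)
        esac
    done
    return 1
}

# Print what rm would actually receive for "/*", one argument per line.
root_glob_args() {
    set -- /*
    printf '%s\n' "$@"
}

# rm wrapper: refuse if any operand is protected, otherwise run the real rm.
guarded_rm() {
    _opts_done=0
    for _arg in "$@"; do
        if [ "$_opts_done" -eq 0 ]; then
            case $_arg in
                --) _opts_done=1; continue ;;
                -*) continue ;;
            esac
        fi
        if is_protected_path "$_arg"; then
            echo "guarded_rm: refusing to remove top-level path: $_arg" >&2
            return 1
        fi
    done
    command rm "$@"
}

# To use it interactively, define the functions in ~/.bashrc and add:
#   alias rm=guarded_rm
```

Aliases and shell functions are not applied by `sudo`, so neither this wrapper nor `alias rm='rm -i'` guards `sudo rm`, and a later `-f` on the command line overrides `-i`.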
Conclusion
While running `sudo rm -rf /*` is a disastrous mistake, data recovery is possible if you act quickly and follow a structured approach. The key steps are stopping all activity on the drive, using a live USB, leveraging recovery tools like TestDisk, PhotoRec and extundelete, and reinstalling the OS.
Have you encountered a similar situation? Share your experiences and recovery tips in the comments below! I will check and update the guide accordingly.