Several times in the past I’ve accidentally overwritten a file or used a greedy wildcard with rm -rf. If you find yourself in this situation, don’t worry, scalpel can recover your file(s). My experience using scalpel was on an Ubuntu server, but the tool will work on other Linux distros including Red Hat, Fedora, Debian, and more. Windows and Mac OS X builds are also available.

scalpel is my tool of choice because it will recover files from the newer ext4 filesystem, which has been the default filesystem for Ubuntu since 9.10.

Installing scalpel

# Ubuntu or Debian Linux
sudo apt-get install scalpel

# Red Hat or Fedora Linux
sudo yum install scalpel

Once installed, you will need to edit /etc/scalpel/scalpel.conf and uncomment the file type definition of the deleted file you are trying to recover. Since I was trying to recover plain-text PHP files, I needed to add my own file type definition.

php n   50000   <?php           ?>

scalpel will need somewhere to copy the recovered files; in my case I create the directory /tmp/scalp before executing. Be patient as the tool scans the volume and extracts the files it finds. scalpel will find not only deleted files but also numerous old versions created each time a file is overwritten.

mkdir /tmp/scalp
scalpel "/dev/sda1" -o "/tmp/scalp"

There is still a bit of work to find the most recent version of your deleted file. scalpel will find many revisions of the file along with many other PHP files; the trick is to find a fresh copy of your file to recover. To accomplish this, I used grep to search for a line of code I remember adding shortly before deleting the file.

grep -R "some recently added code" /tmp/scalp/*

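You may end up looking through several files before finding a recent copy you are happy with. Another thing to consider: scalpel might recover a large number of files, so make sure you have plenty of space on the volume you extract to. Extracting to a different volume than the one being scanned also avoids overwriting the deleted data you are trying to recover.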
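An added example (not from the original post): carved files come back without their original names or timestamps, and the same content is often recovered more than once, so this helper de-duplicates the grep matches by hash and ranks them by how many remembered code fragments each one contains. The function names, marker strings and sample files are constructed for illustration; the php-0-0 directory and audit.txt mimic scalpel's output layout.

```shell
#!/bin/sh
# Added example, not from the original post.
# Usage: shortlist_carved DIR MARKER [MARKER...]
# Prints "hits size path" for each distinct file content that contains at
# least one marker, best candidate first. Assumes paths without spaces.
shortlist_carved() {
    dir=$1; shift
    find "$dir" -type f ! -name audit.txt | while IFS= read -r f; do
        hits=0
        for m in "$@"; do
            # -F matches the fragment literally, so "(" or "$" need no escaping
            if grep -qF -- "$m" "$f"; then hits=$((hits + 1)); fi
        done
        [ "$hits" -gt 0 ] || continue
        sum=$(sha256sum < "$f" | cut -d' ' -f1)
        size=$(wc -c < "$f" | tr -d ' ')
        printf '%s %s %s %s\n' "$sum" "$hits" "$size" "$f"
    done |
    sort -k1,1 -k4 |                          # group identical content
    awk '!seen[$1]++ { print $2, $3, $4 }' |  # keep one path per hash
    sort -k1,1nr -k2,2nr                      # most markers first, then largest
}

# Constructed stand-in for a scalpel output directory (hypothetical content).
make_sample() {
    mkdir -p "$1/php-0-0"
    printf '<?php echo "v1"; ?>\n' > "$1/php-0-0/00000000.php"
    printf '<?php function send_invoice($id) { return $id; } ?>\n' \
        > "$1/php-0-0/00000001.php"
    printf '<?php $retry_limit = 3; function send_invoice($id) { return $id; } ?>\n' \
        > "$1/php-0-0/00000002.php"
    cp "$1/php-0-0/00000002.php" "$1/php-0-0/00000003.php"  # duplicate carve
    printf 'audit placeholder mentioning send_invoice(\n' > "$1/audit.txt"
}

# Demo on the constructed data: two lines come out, newest revision first.
sample=$(mktemp -d)
make_sample "$sample"
shortlist_carved "$sample" 'send_invoice(' 'retry_limit'
rm -r "$sample"
```

Against real output, pass the recovery directory and two or three fragments you remember adding at different times; the file matching the most fragments is the likeliest latest revision.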

Did this work for you? Or do you use another filesystem recovery tool? Let's hear about it by leaving a comment below.


