Scalpel – Recover Deleted or Lost Files on Linux

It is not uncommon to accidentally press ‘Shift + Delete‘ on files instead of just ‘Delete‘, due to our natural habits, many of us tend to use it without realizing it.

I recently found myself in this situation a few days ago. I was actively working on a project and had saved my work file in a specific directory that contained numerous unwanted files that needed to be deleted permanently.

As I began the process of deleting them one by one, I mistakenly pressed ‘Shift + Delete‘ on one of my crucial files. Unfortunately, the file was permanently deleted from my directory.

Feeling concerned about this, I wondered how to recover deleted files but had no clue where to start. Despite spending a significant amount of time attempting to restore the file, I had no luck.

It was a frustrating experience, and I realized the importance of being cautious while managing files to avoid such accidental deletions.

How File Deletion Works in Linux

Having some technical knowledge, I understood how the file system and hard drive (HDD) operate. When you accidentally delete a file, the actual content doesn’t disappear from your computer.

It’s simply removed from the database folder, making it invisible in the directory, but it still lingers somewhere on your hard drive. Essentially, the system has a list pointer to blocks on the storage device that still contain the data. The data won’t be erased from the block storage device unless you overwrite it with a new file.

Realizing this, I considered that my deleted file might still be somewhere in an unindexed area of the hard disk. However, it’s recommended to immediately unmount a device as soon as you realize you’ve deleted an important file. Unmounting helps prevent the blocked files from being overwritten by new ones.

In this scenario, I didn’t want to overwrite that data, so I chose to search the hard drive without mounting it.

Recovering Lost Files in Linux Using Scalpel Tool

Typically, Windows offers a plethora of third-party tools for recovering lost data, while Linux, particularly Ubuntu, provides only a few options. Using Ubuntu as my operating system, I encountered the challenge of finding a tool to recover a lost file.

In the course of my research, I came across ‘Scalpel‘, a tool designed to scan the entire hard drive and retrieve lost files. After installing it, I successfully recovered my lost file, and I must say, Scalpel is truly an amazing tool.

This situation could happen to you too, so I wanted to share my experience. In this article, I will guide you through the process of recovering deleted files using the Scalpel tool.

Let’s dive into it.

What is a Scalpel Tool?

Scalpel is a data recovery tool that is specifically crafted to scan storage devices, such as hard drives, to retrieve lost files that may have been accidentally deleted or lost due to other reasons.

Key features of Scalpel include its ability to search through the entire hard drive, making it effective in recovering files even if they have been removed from the directory or database. The tool is known for its reliability in handling various file types and formats.

One notable characteristic of Scalpel is its suitability for command-line usage, which aligns with the preferences of many Linux users who are comfortable with the terminal interface.

Scalpel proves to be a valuable asset for Linux users facing the challenge of retrieving lost files, providing an efficient and reliable solution to recover data in situations where other tools might fall short.

How to Install Scalpel in Linux

To install Scalpel on Linux, use the following appropriate command for your specific Linux distribution.

sudo apt install scalpel         [On Debian, Ubuntu and Mint]
sudo yum install scalpel         [On RHEL/CentOS/Fedora and Rocky/AlmaLinux]
sudo emerge -a sys-apps/scalpel  [On Gentoo Linux]
sudo apk add scalpel             [On Alpine Linux]
sudo pacman -S scalpel           [On Arch Linux]
sudo zypper install scalpel      [On OpenSUSE]    
sudo pkg install scalpel      [On FreeBSD]

After installing Scalpel, you’ll need to do some text editing. Scalpel comes with its own configuration file located in the ‘/etc‘ directory. The full path is either “/etc/scalpel/scalpel.conf” or “/etc/scalpel.conf“.

When you open the configuration file, you’ll see that everything is initially commented out with '#' symbols.

sudo nano /etc/scalpel/scalpel.conf
Or
sudo nano /etc/scalpel.conf

Before running Scalpel, you have to uncomment the file formats you want to recover. However, uncommenting the entire file can be time-consuming and may lead to a lot of false results.

For example, if you only want to recover '.jpg' files, you can simply uncomment the '.jpg' file section in the Scalpel configuration file.

Configure Scalpel
Configure Scalpel

Now run the the following command in the terminal to search for deleted files.

sudo scalpel /path/to/target/directory

Once you run Scalpel on the directory, it will take time to recover your deleted file depending on the disk space that you are trying to scan and the speed of the machine.

It will generate a ‘rec’ directory containing recovered files in the specified output directory. Review the recovered files and move them to a secure location.

Conclusion

By following these steps, you can install Scalpel on your Linux system and use it to recover deleted files and folders. Remember to carefully configure the Scalpel settings to target specific file formats, reducing the risk of false results and improving the efficiency of the recovery process.

I suggest everyone get into the habit of using just “delete” instead of “Shift + Delete“. Remember, it’s always better to prevent a mistake than to try and fix it later.

Similar Posts