Oops! Your important files are removed by yourself! -> Here is the solution (File Recovery in Linux)
Situation (it is fiction):
Today's topic is,
'Oops, Your Important Files Are Encrypted!'
Ransomware?
No!
Ransomware is dangerous, and we can use anti-virus software to protect our files against it, but sometimes we remove important files ourselves by mistake.
Nobody can save us other than ourselves.
One day, I used the rm command to remove some useless files.
Oops! I removed a file which doesn't look like a trash file by mistake.
I remember that many important things are recorded in this file, so how can I recover it?
Well, calm down and try the following steps.
*1. Check the partition.
I'm using sda1 partition now.
*2. Check the file system of your OS.
> df -T
The file system of sda1 is ext4.
If your file system is ext3 or ext4, you can continue to the next step. If not, ... I recommend searching for a method to recover files on the file system XXX ... :>
*3. Check the time that you removed the file.
> export HISTTIMEFORMAT="%F %T "
> history
We get a super long command history list (unless you almost never use this Linux machine), and we can see that the time I removed the file is "2019-05-22 04:35:05".
*4. Convert the date&time to unix timestamp.
> date +%s --date "[your date&time](<- do not copy it)"
! Important: If you removed a file which is located in the root partition, you should follow step 5. If not, just skip step 5 and go to step 6.
*5. Boot a linux live CD or prepare a USB flash drive.
Linux Guide: How To Easily Create A Bootable Live USB Using Ubuntu
Boot it.
*6. Download extundelete.
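If the extundelete tool does not exist in your OS, you should first download and build it. Do this on a different partition from the one that held the deleted file, because every new write can overwrite the blocks you want to recover.
Check the update information.
> wget -O extundelete-0.2.0.tar.bz2 "http://downloads.sourceforge.net/project/extundelete/extundelete/0.2.0/extundelete-0.2.0.tar.bz2?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Fextundelete%2F&ts=1318824482&use_mirror=nchc"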
> tar jxvf extundelete-0.2.0.tar.bz2
> cd extundelete-0.2.0
> ./configure
> make
*7. Recover.
* Note: extundelete can only be executed by the root user.
* Remount /dev/sda1 (replace it with your own device) as read-only.
> sudo mount -o remount,ro /dev/sda1
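(Using the timestamp for recovery. --after takes the deletion time from step 4; if you also pass --before, it must be a later timestamp than --after, otherwise no file matches.)
> sudo extundelete --after 1558514105 --restore-all /dev/sda1
or
(Specifying the file to recover)
> sudo extundelete --restore-file /tmp/testfile /dev/sda1
Then, a directory named 'RECOVERED_FILES' is created in the current directory, so run the command from a directory that is not on the read-only partition.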
If you succeed, you can see some files recovered.
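As an added example (not part of the original post), the script below covers steps 3, 4 and 7 in one go: it reads a bash history file that already contains "#<epoch>" marker lines (bash writes these only while HISTTIMEFORMAT is set), lists the rm commands with their Unix timestamps, and builds an --after/--before pair in which --after is the earlier value. The function names, the 60-second slack and the sample history are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Function names, the 60 s slack
# and the sample history below are assumptions made for illustration.

# Print "<epoch> <command>" for every rm (or sudo rm) entry in a bash
# history file that contains "#<epoch>" marker lines.
rm_epochs() {
  awk '
    /^#[0-9]+$/ { ts = substr($0, 2); next }   # marker for the next command
    ts != "" && /^(sudo[ \t]+)?rm([ \t]|$)/ { print ts, $0 }
    { ts = "" }                                # a marker covers one command
  ' "$1"
}

# Build the extundelete time options for a deletion at epoch $1.
# --after is the deletion time itself and --before is $2 seconds later
# (default 60); a --before earlier than --after would match nothing.
recovery_window() {
  _t=$1
  _slack=${2:-60}
  for _v in "$_t" "$_slack"; do
    case "$_v" in
      ''|*[!0-9]*) echo "epoch and slack must be whole numbers" >&2; return 1 ;;
    esac
  done
  [ "$_slack" -gt 0 ] || { echo "slack must be positive" >&2; return 1; }
  echo "--after $_t --before $((_t + _slack))"
}

# Constructed sample history; 1558514105 is the timestamp used in the post.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
#1558513990
ls -l /tmp
#1558514105
rm /tmp/testfile
#1558514200
df -T
EOF

rm_epochs "$sample"
echo "extundelete $(recovery_window 1558514105) --restore-all /dev/sda1"
```

If the history file has no "#<epoch>" lines, rm_epochs prints nothing, and the times that `history` shows for commands from earlier sessions are not the real execution times.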