Format a Flash Drive to EXT3
For testing purposes, we'll "cd" to the root directory to run the recovery and format an 8 GB flash-based thumb drive to have an EXT3 file system and direct the output of the recovery there.
Typing "df" into a terminal shows that the flash drive is mounted on /dev/sb1. In Ubuntu, the command
umount /dev/sdb1
informs me that, according to mtab, the flash drive is not mounted. However, it's still showing the icon on the desktop. The answer here is to right-click the icon and select "Unmount volume." When the icon disappears, the drive can be formatted.
To create a Linux file system on the flash drive, the command is
sudo mkfs /dev/sdb1
Running the Scan with Foremost
When the command completes, removing and reinserting the drive mounts it, and we find that it now has a "lost+found" folder just like a proper Linux file system.
I placed .doc, docx, and .pdf files in my home/user/Documents folder and a few .jpg and .gif files in my Pictures folder, deleted them all, and rebooted the PC just for good measure.
Upon restart, I opened a terminal and entered
cd /
sudo foremost -v -T -t doc,pdf,jpg,gif -i /dev/sda6 -o /media/disk/Recover
That translates into foremost be verbose, put a time stamp on the output directory (in case I want to run it more than once), look for types .doc, .jpg, and .gif, read in from /dev/sda6 (/home) and write out to /media/disk/Recover (on the flash drive).
For a reason that I'm not sure of at all, Foremost scanned /dev/sda6 and found the files I'd deliberately deleted, and then it continued onto the Windows 7 partition that was on the same drive. I had actually taken 100 GB from the /home partition to create the new partition for Windows 7, but this will take some further study.
The important thing is that Foremest DID find the files I deleted and recovered them.
The first time I ran it, I did not specify which files to look for, and it returned over 30,000 different files, most of them the temporary and now deleted files from the Windows 7 installation and Windows Update and from files, I presume help files, deleted during package management. The next time I ran it, I made doubly sure to specify the file types that I wanted.
And the second time, using the command above, I successfully found the files that I'd deleted, as well as 32 .pdf files, 3,457 .jpg files, and 2161 .gif files.
Obtaining the Results
Foremost ran for about 100 minutes. When finished, the Recover folder on the flash drive contained directories named gif, jpg, and pdf, and there was a file called "audit.txt." The file turned out to contain the text that had displayed in the terminal, effectively creating a log of the program's (verbose) output.
Since root had issued the command, the folder containing the results was also owned by root. To make it easier to work with, I issued
sudo chown lamar -R /media/disk
to give myself normal access. Then I copied the Recovery folder to my Ubuntu desktop, put the flash drive in my Vista PC, and formatted it back to NTFS, which both Windows and Ubuntu handle equally well.
Conclusion
So Foremost definitely works. Not only did it find what I needed, it also found some stuff that I'd forgotten about and stuff that I had no idea was there. That it recovered far more than I'd expected was pause for thought. Deleted in an EXT3 file system does not mean gone. Now, some of us might have material that we really want gone from time to time, so we need some means of secure, multi-pass erasure for files that doesn't involve wiping or overwriting a partition. I'll look into that for a possible future article or blog post.
And what if you didn't install your /home and /root directories on separate partitions? Then you'll need to run Foremost from a bootable Linux system disc. In fact, that's planned as the next article - how to edit an .ISO file to add applications to a disc image in Linux.
I hope this article helped you recover your accidentally deleted files. Thank you for reading this, and thank you for visiting Bright Hub.