Friday, 8 March 2013
Recovering data with grep from linux volumes
We have all done it.
We all should have known better.
We all know scripts should be developed in source control, not in vim on your running instance.
Finally, we were warned that “rm -f” is a powerful tool, and not to be used without adult supervision.
Then there is that feeling of dread that hits you almost before you have completely pressed the return key: the synaptic nerves in your brain have figured out what you are about to do, but can’t quite get the message to your fingers in time to actually stop you pressing the key.
What makes this worse is that when this happens to you, Murphy’s law says that you won’t be in the office, and it will be on a production system that you can’t take down to single user mode.
What can you do?
Well, despite the odds, in this case I was able to get my file back, with relatively little pain, using good old grep.
[DISCLAIMER - Your Mileage May Vary. If your data is critical, contract your data recovery woes to a professional. My data loss was irritating, but not the end of the world!]
Step 1
Go to single user mode (if you can). In my example, I didn’t do this, but to increase your chances you want to stop any further IO to the volume.
Step 2
Mount the volume read-only (RO) if you can – see above.
Step 3
Rack your brains and try to remember the contents of the file you were working on. Try to think of a passage of text, or a combination of words, that you (100%) know were in the file. If it’s a script, try to remember some of your comments (you do comment your scripts…right?). Avoid commands or file paths, because they are unlikely to be unique enough. My phrase was “some trickery to find”.
Step 4
Estimate the length of your file before your phrase, and after. I went for 100 lines in both directions.
Step 5
grep the nuts out of your HD in binary mode, looking for any occurrence of your search string:
grep -a -B[lines before] -A[lines after] 'text' /dev/[your_partition] > file.txt
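If you’re running this remotely, consider running it within ‘screen’ in case you get disconnected. Write file.txt to a different volume from the one you are searching, so that the output does not overwrite the blocks you are trying to recover.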
Step 6
Grab a coffee; this may take a while, depending on the size of your disk.
Step 7
You should now have a large text file, which will contain loads of junk, but hopefully most of your missing text.
Search through your recovered file for your string, until you find something useful.
Note that you may not find all of your text, and the first copy you find may not be the best. Make sure you search the file thoroughly before settling on a version which only contains 50% of your code.
As said above, this is a quick and dirty way to recover ASCII data which you may have lost through your own (or someone else’s) stupidity, and is dependent on a number of factors, such as knowing “EXACTLY” a phrase to search for, and the IO on the volume being suitably low so as not to have overwritten your data.
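A variation on steps 5 to 7, added here as an example and not part of the original post: instead of counting lines, it records the byte offset of every hit and carves a fixed byte window around each one into its own file, so the copies can be compared side by side. It assumes GNU grep; the function names, the window sizes and the sample image are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumes GNU grep; carve_hits and make_demo_image are hypothetical names.

# carve_hits SOURCE PHRASE BYTES_BEFORE BYTES_AFTER OUTDIR
# Writes OUTDIR/hit_<offset>.txt for every hit and prints the number of hits.
# OUTDIR must be on a different volume than SOURCE, or the output can overwrite the data.
carve_hits() {
    src=$1; phrase=$2; before=$3; after=$4; outdir=$5
    mkdir -p "$outdir" || return 1
    n=0
    # -a: read binary as text; -b -o: byte offset of each match; -F: literal phrase
    for off in $(LC_ALL=C grep -a -b -o -F -e "$phrase" "$src" | cut -d: -f1); do
        start=$((off - before))
        if [ "$start" -lt 0 ]; then start=0; fi   # hit close to the start of the volume
        len=$((off - start + ${#phrase} + after))
        # dd seeks straight to the window; tr keeps tab, newline and printable ASCII
        dd if="$src" bs=1 skip="$start" count="$len" 2>/dev/null |
            LC_ALL=C tr -cd '\11\12\40-\176' > "$outdir/hit_$off.txt"
        n=$((n + 1))
    done
    echo "$n"
}

# Constructed sample: random filler around one full copy and one partial copy of a script.
make_demo_image() {
    {
        dd if=/dev/urandom bs=4096 count=1 2>/dev/null
        printf '#!/bin/sh\n# some trickery to find the newest log\nls -t /var/log | head -1\n'
        dd if=/dev/urandom bs=4096 count=1 2>/dev/null
        printf '# some trickery to find\n'
        dd if=/dev/urandom bs=2048 count=1 2>/dev/null
    } > "$1"
}

# Demo on the constructed image (not a real device).
work=$(mktemp -d)
make_demo_image "$work/disk.img"
echo "hits: $(carve_hits "$work/disk.img" 'some trickery to find' 64 128 "$work/out")"
wc -c "$work"/out/hit_*.txt        # printable bytes per candidate, to compare copies
```

Against a real partition, SOURCE would be /dev/[your_partition] and the windows would be sized in bytes rather than lines.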
Good luck, and next time, just use “rm”
…….and source control.