How to undo rm in Linux? [100% Working]

Linux distributions are managed with both GUI(Graphical User Interface) and CLI(Command Line Interface). The CLI is at the forefront in the use of the server operating system. So, can the work done in an operating system with the GUI be done on the systems used with the CLI? For example, can you undo the rm operation?

How to undo rm in Linux?

We will describe 2 methods and 3 suggestions to answer this question. You can search for deleted data on disk with Foremost and Scalpel applications. With the Trash command you have a bin in the CLI just like you would in a GUI system. You can alias the rm command to the mv command and provide a workaround. Finally, you can add an alias to the rm command and add a check step again before deleting it. Let's exemplify them.

Method-1: Recover data using Foremost

Foremost is a data recovery program for Linux used to recover files using their headers, footers and data structures through a process known as file carving. It is available for free and can be used as a general data recovery tool.

According to the Linux distribution you are using, you can find the installation step below:

For Debian Based OS(Ubuntu, Mint, Pardus etc):

sudo apt install foremost -y

For Arch Based OS(Archman Linux, Arch Linux, Manjaro etc):

sudo pacman -S foremost

For Redhat-based OS(Centos, Fedora, AlmaLinux, Rocky Linux etc), the forensics repository is added first, then the package is installed:

sudo dnf install https://forensics.cert.org/cert-forensics-tools-release-el9.rpm
sudo dnf --enablerepo=forensics install foremost 

The default usage of the foremost command is:

foremost [-h] [-V] [-d] [-vqwQT] [-b <blocksize>] [-o <dir>] [-t <type>] [-s <num>] [-i <file>]

You can search by giving the file(jpg, gif, png, exe, mov,pdf, doc, zip, rar, htm, mp4 etc) parameter with the -t parameter.  The -i parameter is used as the file input file. If no input file is specified or the input file cannot be read, stdin is used.Files recovered with the -o parameter are written to the specified directory. If no value is entered, the output is taken to the "output" directory.

An example for foremost:

foc@linux:~$ sudo foremost -t pdf -i /dev/vda3
Processing: /dev/vda3
|**************************************************************************************************************************

The output directory and the pdf files found are as follows:

foc@linux:~$ sudo tree output
output
├── audit.txt
└── pdf
    ├── 00472288.pdf
    ├── 09197568.pdf
    ├── 09198264.pdf
    ├── 09204608.pdf
    ├── 09208560.pdf
    ├── 09212840.pdf
    ├── 09296680.pdf
    ├── 10765320.pdf
    ├── 11036672.pdf
    ├── 13143040.pdf
    ├── 13143320.pdf
    ├── 13143664.pdf
    ├── 13150208.pdf
    ├── 13150488.pdf
    ├── 13150848.pdf
    ├── 13284784.pdf
    ├── 13389464.pdf
    ├── 13395368.pdf
    ├── 13412800.pdf
    └── 13862912.pdf

1 directory, 21 files

All formats are searched by giving the value "all" to the -t parameter:

foc@linux:~$ sudo foremost -t all -i /dev/vda3

foc@linux:~$ sudo ls -l output/
total 92
-rw-r--r-- 1 root root 44568 Nov 13 07:44 audit.txt
drwxr-xr-- 2 root root  4096 Nov 13 07:41 bmp
drwxr-xr-- 2 root root  4096 Nov 13 07:41 exe
drwxr-xr-- 2 root root  4096 Nov 13 07:41 gif
drwxr-xr-- 2 root root 12288 Nov 13 07:41 htm
drwxr-xr-- 2 root root  4096 Nov 13 07:41 jpg
drwxr-xr-- 2 root root  4096 Nov 13 07:41 pdf
drwxr-xr-- 2 root root 12288 Nov 13 07:41 png
drwxr-xr-- 2 root root  4096 Nov 13 07:41 zip

The file formats found are in their named directory. This way undo rm is done with the "previous" command.

Method-2: Recover data using Scalpel

Scalpel is a fast file carver that reads a database of header and footer definitions and extracts matching files from a set of image files or raw device files. Scalpel is independent on used file-system and will carve files from FATx, NTFS, ext2/3, or raw partitions. It is useful for both digital forensics investigation and file recovery.

Follow the steps below to install on your system. For Debian Based OS(Ubuntu, Mint, Pardus etc):

sudo apt install scalpel -y

For Arch Based OS(Archman Linux, Arch Linux, Manjaro etc):

sudo pacman -S scalpel

For Redhat based operating systems (Centos, Fedora, AlmaLinux, Rocky Linux etc.), the EPEL repository is added first and the "tre" package is installed:

sudo dnf install epel-release -y
sudo dnf install tre -y

Then the forensics repository is added, then the "scalpel" package is installed:

sudo dnf install https://forensics.cert.org/cert-forensics-tools-release-el9.rpm
sudo dnf --enablerepo=forensics install scalpel -y

The scalpel configuration file is located("/etc/scalpel/scalpel.conf" for Debian based OS) at /etc/scalpel.conf. File formats are in this file, a new file type definition or wanted/unwanted formats are defined in this file:

nano /etc/scalpel.conf

#---------------------------------------------------------------------
# ADOBE PDF
#---------------------------------------------------------------------

        pdf        y        5000000        %PDF  %EOF\x0d        REVERSE
        pdf        y        5000000        %PDF  %EOF\x0a        REVERSE
        
# MICROSOFT OFFICE
#---------------------------------------------------------------------

# Word documents

        doc        y        10000000  \xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00 \xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00 NEXT
        doc        y        10000000  \xd0\xcf\x11\xe0\xa1\xb1
        
# MISCELLANEOUS
#---------------------------------------------------------------------

        zip        y        10000000        PK\x03\x04        \x3c\xac
        rar     y       10000000        Rar!
        java        y        1000000        \xca\xfe\xba\xbe

# GRAPHICS FILES
#---------------------------------------------------------------------


# AOL ART files
        art        y        150000        \x4a\x47\x04\x0e        \xcf\xc7\xcb
        art        y         150000        \x4a\x47\x03\x0e        \xd0\xcb\x00\x00

# GIF and JPG files (very common)
        gif        y        5000000                \x47\x49\x46\x38\x37\x61        \x00\x3b
        gif        y         5000000                \x47\x49\x46\x38\x39\x61        \x00\x00\x3b
        jpg        y        200000000        \xff\xd8\xff\xe0\x00\x10        \xff\xd9
        jpg     y       200000000       \xff\xd8\xff\xe1                \xff\xd9

You must prefix the file format you want to exclude with a # character. Then start a sample search:

[root@fedora faruk]# scalpel -c /etc/scalpel.conf -o files_found /dev/nvme0n1p2
Scalpel version 2.1
Written by Golden G. Richard III and Lodovico Marziale.
Multi-core CPU threading model enabled.
Initializing thread group data structures.
Creating threads...
Thread creation completed.

Opening target "/dev/nvme0n1p2"

Image file pass 1/2.
/dev/nvme0n1p2: 72.3% |********************************* | 335.8 GB 01:57 ETA/dev/nvme0n1p2: 100.0% |**********************************************| 464.8 GB 00:00 ETAAllocating work queues...
Work queues allocation complete. Building work queues...
Adding files_found/pdf-0-0/00000000.pdf to queue
...
Adding files_found/pdf-1-0/00000875.pdf to queue
Adding files_found/pdf-1-0/00000876.pdf to queue
Adding files_found/pdf-1-0/00000877.pdf to queue
Adding files_found/pdf-1-0/00000878.pdf to queue
Work queues built. Workload:
pdf with header "%PDF" and footer "%EOF\x0d" --> 113 files
pdf with header "%PDF" and footer "%EOF\x0a" --> 766 files
Carving files from image.
Image file pass 2/2.
/dev/nvme0n1p2: 100.0% |**********************************************| 464.8 GB 00:00 ETAProcessing of image file complete. Cleaning up...
Done.
Scalpel is done, files carved = 879, elapsed = 400 secs.

When the search is complete, you can access the data in the directory specified with the -o parameter:

[root@fedora faruk]# tree files_found/
files_found/
├── audit.txt
├── pdf-0-0
│   ├── 00000000.pdf
...
├── 00000877.pdf
└── 00000878.pdf

2 directories, 880 files

Before starting the scan, make sure that the directory you specify with -o has enough space. Otherwise, you may encounter an insufficient disk space warning.

Protect Linux system from accidental rm command execution

Suggestion-1: Using Trash Command

In this suggestion we will use trash on the CLI. Let's examine how you can install the "trash-cli" application to Linux distributions:

sudo apt install trash-cli -y # For Debian Based OS(Ubuntu, Mint, Pardus etc)
sudo apt-get install trash-cli -y # For Debian-based old version operating systems (Ubuntu, Mint, Pardus etc.)
sudo pacman -S trash-cli # For Arch Based OS(Archman Linux, Arch Linux, Manjaro etc)
sudo dnf install trash-cli # For Redhat-based OS(Centos, Fedora, AlmaLinux, Rocky Linux etc)
sudo yum install trash-cli -y # For Redhat-based old version operating systems(Centos, Fedora, AlmaLinux, Rocky Linux etc)
sudo zypper install trash-cli # For openSUSE

After installation, you can delete files with the trash command:

foc@ubuntu22:~$ ls 
text-1.txt text-2.txt text-3.txt text-4.txt 

foc@ubuntu22:~$ trash text-1.txt 
foc@ubuntu22:~$ ls text-2.txt text-3.txt text-4.txt

The file was deleted with the trash command, you can give the -d parameter for the directory:

foc@ubuntu22:~$ trash -d folder

You can list the deleted files and directory with the trash-list command:

foc@ubuntu22:~$ trash-list 
2022-11-09 18:44:37 
/home/foc/folder 2022-11-09 18:41:11 
/home/foc/text-1.txt 2022-11-09 18:42:46 
/home/foc/text-1.txt

The trash-restore command is used to get the deleted file/folder back from the trash box:

foc@ubuntu22:~$ trash-list 
2022-11-09 18:44:37 /home/foc/folder
2022-11-09 18:49:45 /home/foc/text-1.txt

foc@ubuntu22:~$ trash-restore /home/foc/text-1.txt
   0 2022-11-09 18:49:45 /home/foc/text-1.txt
What file to restore [0..0]: 0

foc@ubuntu22:~$ ls
text-1.txt  text-2.txt  text-3.txt  text-4.txt

Clears all trash with the trash-empty command:

foc@ubuntu22:~$ trash-empty

These works fine, so how do we use them in the rm command use? The answer to this question is to define "alias". When the rm command runs, the "trash" command runs so the undo can be done after deletion.

Open the user's ".bashrc" file with a text editor and type the following line:

foc@ubuntu22:~$ nano ~/.bashrc 
alias rm='trash'

Then get this change to the user:

foc@ubuntu22:~$ source ~/.bashrc

Now when you run the rm command, the trash command actually works:

foc@ubuntu22:~$ rm -h
Usage: trash [OPTION]... FILE...

Put files in trash
...

Suggestion-2: Sort of Hack Solution for undo rm

This time, the "mv" command can be given as alias to the rm command. For this, the ".Trash" directory is created in the user's home directory:

[foc@rocky9 ~]$ mkdir ~/.trash

Then the mv command Alias is defined:

[foc@rocky9 ~]$ vi ~/.bashrc
alias rm='mv --target-directory="$HOME/.trash"'

Then get this change to the user:

[foc@rocky9 ~]$ source ~/.bashrc

Then run the rm command:

[foc@rocky9 ~]$ rm text-1

[foc@rocky9 ~]$ ls ~/.trash/
arch text-1

If you use RM in this way, you will have a limited "undo rm" feature.

Suggestion-3: Use interactive rm command

Again, a alias is needed. This time we will define the rm command with its own parameter. Some Linux distribution do this by default. They set the "-i" paramter to the rm command default. In this way, the user requests approval before the deletion process.

Edit the ".bashrc" file:

[manjaro manjaro]# nano ~/.bashrc

alias rm="rm -i"

Then get this change to the user:

[manjaro manjaro]# source ~/.bashrc

And try deleting files:

[manjaro manjaro]# rm text-1
rm: remove regular empty file 'text-1'? y

You will now receive a warning before deleting. There is no undo process, but you will have time before the deletion process.

Summary

Data deletion on servers is risky. Care should be taken when assigning authorization to users. Above are some undo methods and precautions you can take in the system.

For more information, you can get help from the application's manual pages:

man foremost
man scalpel
man trash

References

• undo Linux's rm?
• Undo the Linux trash command
• linux terminal undo rm 'somefile'