Ubuntu: Can you recover previous versions of files?



Question:

I know that if I delete a file it won't actually be 'deleted' as such, just marked as 'can be overridden when needed' so that when that space is needed the file will just be overridden, and this means that after a file is deleted it is possible to recover it even though all links to it will be gone (if any of this information is incorrect please edit this question to explain it in the correct way).
But is the same true for files which have just been edited? Can one recover the previous version of a file if the previous version hasn't been made into a .save file or something? That is, if I edit a file and then save my changes, is there any way to recover the previous version of the file like one can do with deleted files? And if not, if one does not want anyone to be able to properly recover deleted files, should one first edit the file and replace the contents with something else?

So just to clarify, these are the points I want answered:

  • Is it possible to recover the previous versions of files if no backup file has been created (such as a .save file) like one can do with actually deleted files?

  • Is editing a file before deleting it safer than just deleting it (that is is it safer to overwrite the entire contents of a file with other contents before deleting it)?

  • Finally, do tools which 'shred' files such as BleachBit just overwrite the contents of a file with other contents (such as an encrypted version of the file where the private key is deleted) before deleting it or do they use another method?

But please note that I am not asking about how to log file changes, I am asking this question because I want to know if editing a file before deleting it is safer than just deleting it or whether previous versions can be recovered. I am not interested in answers telling me that I should use version control systems to monitor file changes.


Solution:1

Yes, it is possible to recover an overwritten file, but recovery depends on the file system and the application you're using. FAT, EXT2/3/4, NTFS all delete files by marking them deleted. (no experience with other file systems)

What all well-written applications normally do nowadays is to open a temporary file, and if that is written correctly, delete the old file and rename the temp file to the new file. That way is a program crashes while it's writing the new file, it doesn't destroy the old file. (E.G. That's how LibreOffice overwrites its files)

Secure wipe applications normally overwrite the file, but under EXT4 and NTFS defragmentation intelligence and journalling kick in so to be absolutely, positively sure that an overwritten file is completely gone, you need to overwrite the entire free space too.

(Even on an encrypted volume)


Solution:2

If I understand what you are asking, the answer is no. If you make changes to a file, that file's data is over-written where it's at. It's not like deleting a file, which tells the system that it can overwrite this data and new data can take it's position on the hard-disk. The data is overwritten, and the previous version can no longer be recovered because (I sound repetitive now) it was already overwritten. To include a point made in the comments, it is important to note that if you edit the contents of a file and the resulting file is smaller than the original, then some of the data can still be recovered. As such, it would probably be safest to open the file in a text editor (no matter the type of file), clear out all of the contents as they are, and then sit on a key for an hour, spamming the file with a single character. Then, you can create a file of some very large size with just one character in it over and over and over. Of course, solid-state and flash memory works a bit differently, and it seems like the safest bet is to always use encryption on those types of storage.

If I'm close to understanding what you are asking, the answer is yes. It is safer to edit a file and and replace its current contents with random garbage, save it, and then delete it. Then, if file recovery tools are used, the recovered file will be filled with random garbage. This is, essentially, what shred does. It "saves" zeroes into those positions where files previously were so that if file recovery tools are used, they recover zeroed out data.


Solution:3

Throwing my hat into the ring as well. =)

For data destruction that is not recoverable before the file is deleted, even if the file is encrypted or not, I use an application called scrub.

sudo apt-get install scrub  

Then to destroy the file before deleting would be the command:

scrub <filename>  

Here is an example of an encrypted file being destroyed:

~$ cat testfile.des3   Salted__�����a�C7�"U��<���A�B-ԋ�����X�����E �5];A8���e�R�~���N��Ե��F��}Z;�_���^k`��:4��M�w�z��h3G����������+����?N(ٿ��M�_YW��CX��xi����k��ϝ#i����Q�F�����Ȃ(���Q�&;���w�o��^/                                      @"�՗�RX��S੏Ͷ��*�H��-�u�6�2�>�3�m�Gz�����5���f0�D&"$j7W���mH$�C��Q���z�Sxk��#�����Pɀ                                                 �z�NVբ��ARQz��A�?�A���A��/��+,)��M~_��(��q����x3+y��S+�l���gT�;hl���d'�O�Z#�Գ�uHgu1.�>��e�Ⱥ����Yo��.�3$D�c؛��D Jb��#4WrQA��Rr���0�=�2i3V�F�f��K�HLUQ@ˤ'��"�����ԣ  3�v���v�ʝ.%&�?����ۿa��|J������1�c����N@(�r�0E6�܍����Ϫo��A���I`cj)0��3�*c`�hǬ\�y2��x�><�������[�  C���W�:�#�"[�q��       #�λ$�>#x;��n�-d#K��_g@�B»h��m1���ݻ��]���gv���                  WI�$J                          h���l;a�;�Y�2��3��A6��� ڜ������W���ʬ����v7�1����ȄOM~Ux�iR('��78������B�EK0׆�$~����p�f���]2������                                                �~����D�);�X]^�e:��B��.}&�>C{3�j�']���X���,ǣ[\T��r�7<q#                                �Ħ� ��m�>��@,$/Ɂ�y�D��i��4D�����'���----    ~$ scrub testfile.des3   scrub: using NNSA NAP-14.1-C patterns  scrub: padding testfile.des3 with 3184 bytes to fill last fs block  scrub: scrubbing testfile.des3 4096 bytes  scrub: random  |................................................|  scrub: random  |................................................|  scrub: 0x00    |................................................|  scrub: verify  |................................................|    ~$ cat testfile.des3   SCRUBBED!--------------------  

So, now if I delete the testfile.des3 all that can be recovered is a file that says SCRUBBED!--------------------


Solution:4

To be able to recover a previous version of a file you can use Git, which keeps versions of the changes to the files.

Some programs do make backups of your files, if you want to see one, just open Gedit write something on a document and save it with no extension. If you press CTRL + H on nautilus, you will see the hidden files, including a backup to the file you just created.

But even with the backup, you don't know if the backup version is equal to the current version or not.

Your best bet is using some version control system like Git, which records all modifications to the file and let's you revert to the previous version.

You can learn git here.

If you just want to delete a file permanently you can use BleachBit


Note:If u also have question or solution just comment us below or mail us on toontricks1994@gmail.com
Previous
Next Post »