Recovering Deleted files with Linux and Sleuthkit

Ever accidentally deleted a file you really needed from the recycle bin? Ever formatted a disk and installed a new operating system only to find later that you forgot to save off some really important files first? The latter recently happened to us here at the University in Mzuzu... we thought doom was upon us until we stumbled upon an open (free to change, use, and distribute) software utility called Sleuthkit (http://www.sleuthkit.org).

When we realized our disaster, we started searching Google for "data recovery", "recover my files", etc. Listings appeared for companies charging hundreds of dollars for data recovery services and software. We tried some of the trial versions of the commercial software, but nothing was able to detect our files. Finally one of us here in the office in Mzuzu stumbled upon Sleuthkit, an amazing utility that was able to recover our deleted files from a formatted disk and didn't cost us a penny!

For all those out there who do not feel comfortable removing hard disks from computers, or if all of this talk of Ubuntu and software is boring you at this stage, let me leave you with just one parting thought - if you are using a computer and discover that a file you really need has somehow been "permanently" deleted, the steps you should take are:

1. Immediately stop using the computer and shut it down. When your precious file was "deleted" from the disk, it wasn't actually deleted at all. In fact all the computer did was make a note to itself that the space occupied by the file is now free to be overwritten. Every minute the machine keeps running it writes to the disk (log files, swap, temporary files, browser caches), and any of those writes can land on the blocks your file occupied, so power off rather than "just finish what you were doing". If your file has not yet been overwritten by new data, then recovery may be possible with Sleuthkit. The same applies to a formatted disk: formatting rewrites the filesystem's bookkeeping, not every block, so whatever the new operating system's installer did not write over is still there.

2. Next, contact all the nerds you know. Tell them what has happened and tell them that you have heard about tools like "Ubuntu", "Linux", and "Sleuthkit" that can be used to fix the problem. If the nerd's eyes light up when you mention "Ubuntu" or "Linux" you have found the right person to help.

The following are the steps we used to recover our files from the formatted disk here at the university in Mzuzu:

  1. Remove the hard disk from the computer it was in when the files were deleted (if the disk with the deleted files is on a laptop do the following: boot the laptop with a LiveCD such as Knoppix, mount a network drive using smbmount or NFS, use dd to write an image of the disk to the network drive, and skip to step #8 below. Write the image to the network drive only, never to the laptop's own disk, since that is the disk you are trying to recover from)

  2. Attach the disk with the "deleted" files to a computer that is running Ubuntu Linux as its operating system (I imagine you could use an Ubuntu LiveCD here, as long as the image is written to a different disk than the one you are recovering from)
    *** Note this computer will need to have free disk space larger than the entire size of the disk with deleted files, because dd copies every block, used or not ****

  3. Boot up the Ubuntu computer
  4. Use System->Administration->Disks or run the command "sudo fdisk -l" from the command line to determine which system device name your disk is identified by; fdisk -l lists every attached disk with its size whether or not it is mounted, whereas "df -h" only shows mounted filesystems. Ideally the disk with the deleted files should not be mounted at all while you image it, since mounting can write to it (journal replay, access times). We used df -h and, based on the size of our disks, found that the one with the deleted files was referenced as /dev/hdb (on a current kernel the same disk would show up as /dev/sdb or similar).
    *** Only once you are positive that you have the correct system identity of your disk should you proceed ***

  5. Create a disk image of the disk: "sudo dd if=/dev/YOUR_DISK_ID of=/home/YOUR_HOME_FOLDER/recovery_disk_image.img". Adding "bs=4M conv=noerror,sync" makes the copy much faster and keeps dd going past any unreadable sector (padding it with zeros) instead of aborting part way through the disk. Do not mix up "if" and "of": with them reversed dd would overwrite the disk you are trying to recover.
  6. When the image of the disk with deleted files is ready, power down Ubuntu and remove the disk with the deleted files. Store it in a safe place. But do not plug it back into another computer just yet.
  7. Turn the Ubuntu computer back on
  8. Add the universe software repositories to your apt sources list (see The Ubuntu Getting Started Guide on Google for more info)
  9. Use apt or the Synaptic package manager to install sleuthkit and autopsy
  10. open a command line prompt and run "sudo autopsy"
  11. open a web browser and go to the page http://localhost:9999/autopsy
  12. A graphical interface appears. Choose "New case" and follow the questions that the wizard asks you. When prompted for the location of the disk image enter the path you used in step 5, "/home/YOUR_HOME_FOLDER/recovery_disk_image.img"
  13. After Sleuthkit analyzes the disk image it will display a listing of the disk's partitions. Choose the partition where your deleted file was saved and click Analyze -> File Analysis
  14. Along the left hand side of the screen you will see a search box where you can search for the deleted file by name. Enter the file name and click Search.
  15. A list of the files matching your search text will appear. Browse the list of files and click on the hyperlink name of the file that you would like to recover
  16. Once the file finishes loading click the Export hyperlink and wait for your web browser to prompt you to save the file
  17. When prompted save the file
  18. Test to make sure your “deleted” file opens correctly on another computer. Transfer the file to another computer using a CD, USB flash drive, floppy disk or the internet

Repeat steps 14-18 to recover more files that were deleted. Using these steps we were able to recover an entire folder of files from a disk that had been formatted and reinstalled with a new version of Windows XP. Hope it works for you as well as it worked for us.
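The same procedure can be done entirely from the command line, which is handy on a server or over SSH where the Autopsy web interface is awkward. The script below is an added example written for this page, not code from the original post or from the Sleuthkit project: it wraps the imaging step (dd plus a stored SHA-256 so you can later prove the image you analysed is the one you took) and the Sleuthkit tools that Autopsy drives behind the scenes (mmls to find the partition offset, fls to list deleted entries, icat to pull out a file by inode). It assumes Linux with GNU coreutils; the device name, image path, sector offset and inode number are placeholders to be replaced with the values you see on your own system, and the demo at the bottom runs against a constructed 8 MiB file standing in for the disk so it can be tried without any hardware.

```shell
#!/bin/sh
# Added example (not from the original post or the Sleuthkit project): the imaging
# and recovery steps as shell functions. Assumes Linux with GNU coreutils; the Sleuth
# Kit tools (mmls, fls, icat) are only needed for list_deleted/recover_inode.
set -eu

# image_disk SRC DST: bit-for-bit copy of SRC into the file DST, then record its SHA-256.
# conv=noerror,sync keeps dd going past an unreadable sector (padded with zeros) instead
# of aborting half way through the disk. Note: sync also pads the final block up to bs,
# so the image can be slightly longer than the source; the extra bytes are zeros.
image_disk() {
    src=$1; dst=$2
    dd if="$src" of="$dst" bs=4M conv=noerror,sync
    sha256sum "$dst" > "$dst.sha256"
}

# verify_image IMG: re-hash IMG and compare with the stored value (exit 0 = unchanged).
verify_image() {
    sha256sum -c "$1.sha256" >/dev/null 2>&1
}

# list_deleted IMG OFFSET: recursively list only the deleted entries (marked "*" by fls)
# of the partition that starts at sector OFFSET, as printed in the "Start" column of
# "mmls IMG". Each line carries the inode number needed by recover_inode.
list_deleted() {
    fls -o "$2" -r -d "$1"
}

# recover_inode IMG OFFSET INODE OUT: copy the data blocks still referenced by INODE
# into OUT; this is what Autopsy's Export link does for you.
recover_inode() {
    icat -o "$2" "$1" "$3" > "$4"
}

# Demo on a constructed "disk": an 8 MiB zero-filled file with a marker string written
# into sector 100, standing in for /dev/sdb. Placeholder offset/inode values are shown
# in the comments; real ones come from mmls and fls.
demo() {
    work=$(mktemp -d)
    dd if=/dev/zero of="$work/fake_disk" bs=1M count=8 2>/dev/null
    printf 'important thesis chapter\n' | dd of="$work/fake_disk" bs=512 seek=100 conv=notrunc 2>/dev/null
    image_disk "$work/fake_disk" "$work/recovery_disk_image.img"
    verify_image "$work/recovery_disk_image.img" && echo "image hash verified"
    if command -v mmls >/dev/null 2>&1; then
        # On a real image: mmls prints the partition table; then e.g.
        #   list_deleted recovery_disk_image.img 63
        #   recover_inode recovery_disk_image.img 63 1234 recovered_file.doc
        mmls "$work/recovery_disk_image.img" || echo "demo file has no partition table (expected)"
    else
        echo "sleuthkit not installed; skipping mmls/fls/icat"
    fi
    rm -rf "$work"
}
demo
```

Run it as a normal user to see the demo; for a real disk run image_disk as root with the device name from "sudo fdisk -l" as SRC and a path on a different disk as DST, then keep the .sha256 file next to the image. Because sync pads the last block, compare the image against the source by length of the source rather than expecting byte-identical files.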