How to Recover /lost+found Fragments

The folder entitled /lost+found in the root directory of an Linux file structure is part of a technology heritage that it shares with pretty much every form of Unix throughout history. This folder saves files that were deleted before a dramatic event that corrupted a file system. These files have allocated clusters assigned to them, but they no longer have a position in the file system. They might also be fragments of files that were still in the buffer cache when the system went down.

Should this situation ever occur, the lost+found directory would be full of seemingly random files that would be difficult to parse through. Fortunately it’s unlikely to happen on most well kept systems, but there’s always the possibility for a faulty connector or a power outage to cause something like this. Therefore it’s useful to know the best way to go about recovering from this class of incident. Some users have also used these techniques when recovering information from rooted smartphones, which have a tendency to attract clusters in the /lost+found directory. Be extremely careful when working with any sort of unofficially supported device. You could cause damage to the file system in this manner. You’re urged to always make proper backup copies of anything you can’t afford to loose to protect you should this kind of problem ever rear its ugly head.

Method 1: Mounting a Damaged Partition

If you’re able to mount the partition in question, then move immediately to Method 2. Assuming you’re unable to mount the partition in question, then type the following command at a root CLI:

fsck -p /dev/PARTITION

Replace /dev/PARTITION with whatever the device partition is. Be extremely careful to use the correct one. While fsck usually won’t allow you to run on a mounted partition, it can still be a destructive command if applied incorrectly. Give it some time to run, as it might take a while. The output will more than likely be quite verbose.

Method 2: Recover /lost+found Fragments

If you were always able to mount the partition or if running fsck now permitted you to do so, then you’re able to get a list of all the file types in question from the same root super user CLI. Type:

find ./lost+found – exec file -b {} \; > typesOfFiles

Push return and then you can type more typesOfFiles to examine the output. If you’d like to sort it for unique entries, then type the following followed by return

Cat typesOfFiles | sort | uniq > uniqueTypes

You can then use more or less to examine uniqueTypes. One might hope that the output won’t be too verbose. There are some scripts that can be used to recover files once you know what’s in /lost+found, but you can also just type:

cd /lost+found

ls

You can of course move the files to another healthy partition for examination.

Kevin Arrows


Kevin is a dynamic and self-motivated information technology professional, with a Thorough knowledge of all facets pertaining to network infrastructure design, implementation and administration. Superior record of delivering simultaneous large-scale mission critical projects on time and under budget.

Expert Tip

How to Recover /lost+found Fragments

If the issue is with your Computer or a Laptop you should try using Reimage Plus which can scan the repositories and replace corrupt and missing files. This works in most cases, where the issue is originated due to a system corruption. You can download Reimage by clicking the Download button below.

Download Now

I'm not interested

Close