How to Recover /lost+found Fragments

Kevin ArrowsUpdated on October 13, 2022
Kevin is a certified Network Engineer

The folder entitled /lost+found in the root directory of an Linux file structure is part of a technology heritage that it shares with pretty much every form of Unix throughout history. This folder saves files that were deleted before a dramatic event that corrupted a file system. These files have allocated clusters assigned to them, but they no longer have a position in the file system. They might also be fragments of files that were still in the buffer cache when the system went down.

Should this situation ever occur, the lost+found directory would be full of seemingly random files that would be difficult to parse through. Fortunately it’s unlikely to happen on most well kept systems, but there’s always the possibility for a faulty connector or a power outage to cause something like this. Therefore it’s useful to know the best way to go about recovering from this class of incident. Some users have also used these techniques when recovering information from rooted smartphones, which have a tendency to attract clusters in the /lost+found directory. Be extremely careful when working with any sort of unofficially supported device. You could cause damage to the file system in this manner. You’re urged to always make proper backup copies of anything you can’t afford to loose to protect you should this kind of problem ever rear its ugly head.

Method 1: Mounting a Damaged Partition

If you’re able to mount the partition in question, then move immediately to Method 2. Assuming you’re unable to mount the partition in question, then type the following command at a root CLI:

fsck -p /dev/PARTITION

Replace /dev/PARTITION with whatever the device partition is. Be extremely careful to use the correct one. While fsck usually won’t allow you to run on a mounted partition, it can still be a destructive command if applied incorrectly. Give it some time to run, as it might take a while. The output will more than likely be quite verbose.

Method 2: Recover /lost+found Fragments

If you were always able to mount the partition or if running fsck now permitted you to do so, then you’re able to get a list of all the file types in question from the same root super user CLI. Type:

find ./lost+found – exec file -b {} \; > typesOfFiles

Push return and then you can type more typesOfFiles to examine the output. If you’d like to sort it for unique entries, then type the following followed by return

Cat typesOfFiles | sort | uniq > uniqueTypes

You can then use more or less to examine uniqueTypes. One might hope that the output won’t be too verbose. There are some scripts that can be used to recover files once you know what’s in /lost+found, but you can also just type:

cd /lost+found

ls

You can of course move the files to another healthy partition for examination.

Kevin ArrowsUpdated on October 13, 2022
Kevin is a certified Network Engineer
ABOUT THE AUTHOR
Photo of Kevin Arrows

Kevin Arrows


Kevin Arrows is a highly experienced and knowledgeable technology specialist with over a decade of industry experience. He holds a Microsoft Certified Technology Specialist (MCTS) certification and has a deep passion for staying up-to-date on the latest tech developments. Kevin has written extensively on a wide range of tech-related topics, showcasing his expertise and knowledge in areas such as software development, cybersecurity, and cloud computing. His contributions to the tech field have been widely recognized and respected by his peers, and he is highly regarded for his ability to explain complex technical concepts in a clear and concise manner.