Recover removed/deleted files Linux

https://www.rootusers.com/restore-deleted-file-linux/
https://unix.stackexchange.com/questions/80270/unix-linux-undelete-recover-deleted-files

First check the type of filesystem, and use the right tool for it:

manu-opensuse:~ # df -T
Filesystem                      Type     1K-blocks      Used Available Use% Mounted on
/dev/sda3                       btrfs     41943040  25226004  15962412  62% /
/dev/sda1                       vfat        523248      8288    514960   2% /boot/efi
/dev/sda3                       btrfs     41943040  25226004  15962412  62% /root
/dev/sda3                       btrfs     41943040  25226004  15962412  62% /srv
/dev/sda4                       xfs       26201600  11458312  14743288  44% /home
/dev/mapper/libraryvg-vmlv      ext4     133126984  78003860  48290996  62% /virtual_vm

Foremost

Install Foremost

Foremost is available in many different distributions of Linux.

Mint/Debian/Ubuntu

We can install Foremost in Linux Mint, Debian, or Ubuntu by simply running the following command.

apt-get install foremost

CentOS/RHEL

yum install https://forensics.cert.org/centos/cert/7/x86_64/foremost-1.5.7-13.1.el7.x86_64.rpm -y

This RPM is for el7 (for el6, see https://centos.pkgs.org/6/repoforge-x86_64/foremost-1.5.7-1.el6.rf.x86_64.rpm.html)

In this example we are using CentOS 7; however, once you’ve installed Foremost the rest of the steps should be the same in any Linux distribution.

Deleting a File with extension .jpg

In this example we will be removing the image.jpg file shown below.

Create a restore directory

[root@centos7 ~]# mkdir /root/restored

Now we are ready to run the Foremost command and restore our image file. The -i switch specifies the disk or image file that we want to search, while -t specifies the type of file to restore. Foremost supports many different file types; check the foremost man page for the full list. The type is required because Foremost searches the disk for the headers that files of that type use.

[root@centos7 ~]# foremost -i /dev/sda3 -t jpg -o /root/restored/
Processing: /dev/sda3
|*********************************************************************

This took approximately 2 minutes to complete on an 18 GB disk. The command finds any .jpg files in /dev/sda3 and restores them into the /root/restored/ directory, as long as the space they are using on disk has not yet been overwritten by anything else.

If we look inside our /root/restored directory, we can see that our image file has successfully been restored.

As file names are not stored within the file itself, it is not possible to restore the file with its original file name; however, the data is all there.

ext4magic

For ext3/ext4 filesystems

ext4magic /dev/sdf6 -a $(date -d "-24hours" +%s) -f home/obaro/Music -l
ext4magic /dev/sdf6 -r -a $(date -d "-24hours" +%s) -f /path/to/restore -d /path/recovery -l
ext4magic /dev/sda3 -r -f user1/picture/cim01234.jpg -d /tmp
  -l : print all restorable files
  -f : filename
  -i
  -r : applied to directories, all files without conflicts with the occupied blocks will be recovered
  -R : undeleted even if overwritten
  -d : output directory RECOVERDIR
  -a $(date -d "-3day" +%s) -b $(date -d "-2day" +%s)
  -M : after rm -rf

extundelete

mount -o remount,ro /dev/sdX1
extundelete --restore-directory home/u1604/Documents --after 1467200716 -o 5T /dev/sda12

extundelete --restore-all --after $(date -d "-2 hours" +%s) /dev/sdX1
find RECOVERED_FILES/

Photorec

https://www.cgsecurity.org/wiki/PhotoRec

It can recover lost files from at least: FAT, NTFS, exFAT, ext2/ext3/ext4, HFS+, LVM/LVM2, jfs, xfs...

PhotoRec searches for known file headers. If there is no data fragmentation, which is often the case, it can recover the whole file. PhotoRec recognizes and recovers numerous file formats including ZIP, Office, PDF, HTML, JPEG and various graphics file formats. The whole list of file formats recovered by PhotoRec contains more than 480 file extensions (about 300 file families).

https://www.cgsecurity.org/wiki/PhotoRec_Step_By_Step
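
The header-based search that the Foremost and PhotoRec sections describe, as an added example (not code from either tool or from this page): a minimal JPEG carver run over a constructed byte string standing in for a disk. The function names, the size cap and the sample data are assumptions made for illustration.

```python
# Added example: header/footer carving for JPEG on a constructed "disk".
# Simplified on purpose: no fragmentation handling, one file type only.
JPEG_SOI = b"\xff\xd8\xff"    # start-of-image marker + first byte of next marker
JPEG_EOI = b"\xff\xd9"        # end-of-image marker
MAX_SIZE = 20 * 1024 * 1024   # assumed cap so a lost footer cannot swallow the disk


def carve_jpegs(data, max_size=MAX_SIZE):
    """Return [(offset, blob)] for each header..footer span found in data."""
    found, pos = [], 0
    while True:
        start = data.find(JPEG_SOI, pos)
        if start == -1:
            return found
        end = data.find(JPEG_EOI, start + len(JPEG_SOI), start + max_size)
        if end == -1:
            # Header with no footer in range: the tail was overwritten
            # (or the file exceeds the cap), so nothing usable is left.
            pos = start + 1
            continue
        end += len(JPEG_EOI)
        found.append((start, data[start:end]))
        pos = end


def output_name(offset, sector=512):
    """No file name exists in the raw data, so name the result by sector."""
    return f"{offset // sector:08d}.jpg"


def build_sample_disk():
    """Constructed sample: zero filler, two intact JPEG-like blobs, and one
    blob whose footer has been overwritten."""
    jpg_a = JPEG_SOI + b"\xe0" + b"A" * 40 + JPEG_EOI
    jpg_b = JPEG_SOI + b"\xe1" + b"B" * 25 + JPEG_EOI
    damaged = JPEG_SOI + b"\xe0" + b"C" * 30          # footer lost
    disk = (b"\x00" * 512 + jpg_a + b"\x00" * 100 + jpg_b
            + b"\x00" * 64 + damaged + b"\x00" * 32)
    return disk, jpg_a, jpg_b


if __name__ == "__main__":
    disk, _, _ = build_sample_disk()
    for offset, blob in carve_jpegs(disk):
        print(output_name(offset), "offset", offset, "size", len(blob))
```

The two intact blobs come back byte for byte but are named by sector, since the raw data carries no file name; the third is skipped because its footer no longer exists on the "disk".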

linux/linux_undelete_files.txt · Last modified: 2021/01/01 21:25 (external edit)