How to recover a deleted file from /data partition?

First to clarify root and data:

• Root directory / of Android devices is a read-only pseudo (temporary) filesystem (rootfs) that lives in RAM and is vanished when device is powered off. When device is powered on, it's again extracted from initramfs that lives in boot partition along with kernel.

On newer devices with system-as-root, system partition is mounted at root /.

• /data directory is a mountpoint, where largest partition, usually named userdata is mounted. This partition contains all user apps, their data (settings, databases, caches, temporary files etc.), system apps' data and all other configurations we make through Settings. /data/media/0 is the directory that we see as /sdcard or /storage/emulated/0 through emulation.

... there was a file in the /data directory which I need. Is it possible to create an image (.img or something similar) of the root directory ...

If a file is deleted from /data, you need to create a dump of data partition, not that of root directory.

You can do that in multiple ways described below. All require root access.

But first of all, see this answer to make sure your data is recoverable.

In short, recovery is more or less possible only if ⁽¹⁾:

• Your deleted data hasn't been TRIMmed or discarded.


• And you haven't done a factory reset on encrypted /data partition.

What you should do immediately:

• Switch off phone to make sure the deleted data isn't overwritten.


• Don't install data recovery apps on device, it can do more harm than good.


• Mount the filesystem (if required) in recovery mode (or on PC) only with ro,nodiscard options.

FINDING BLOCK DEVICE:

In order to access the userdata partition, you need to find its block device. If you have root access, you can do so from mounted partitions:

~# mount | grep 'on /data'

/dev/block/mmcblk0p... on /data type f2fs (rw,nosuid,nodev,...)

On Qualcomm devices, it's located at /dev/block/bootdevice/by-name/userdata (symlink). For MediaTek (MTK) and other SoCs, the path is slightly different. You can find all block devices or by-name directory using find command:

~# find /dev -type b

~# find /dev -type d -name 'by-name'

Or by hit and trial:

~# ls -d /dev/*/by-name

~# ls -d /dev/*/*/by-name

~# ls -d /dev/*/*/*/by-name

Note:

• If your /data partition has Full Disk Encryption (FDE) you need to decrypt it before exposing to UMS because decrypting Android's FDE on PC is near to impossible in most cases due to hardware-backed encryption. See some relevant explanation in my answer to Cross-platform compatible encryption of SD-card for Android. dm-crypt decrypts the block device to /dev/block/dm-[N]. Use this instead of userdata.


• To prevent any data loss, it's recommended to create a dump when the partition is not mounted i.e. in recovery mode.

CREATING PARTITION DUMP:

DISK DUMP (dd)

Once the block device is known, you can use the dd command from:

• ADB shell (OS or custom recovery)


• A terminal emulator app like Termux

Since the userdata partition is the largest partition (all other partitions are hardly using 5GB out of total storage), you can't dump it to your internal memory. An external SD card with larger capacity is needed.

To create the dump:

~# dd if=/dev/block/bootdevice/by-name/userdata of=/path/to/ext_sdcard/data.img

ADB

If you don't want to use an external SD card, you can also dump the partition directly to PC. First you need a working adb setup, running as root. Then it can be used in multiple ways:

~$ adb exec-out dd if=/dev/block/bootdevice/by-name/userdata > data.img

^{* Make sure your adb binary (on Windows or Linux) supports exec-out.}

But you may end up with corrupted data when writing a whole large-sized partition to STDOUT of terminal because there are issues with line break types (CR and LF). Also STDOUT or STDERR from the programs involved could possibly be added to the file if not directed to /dev/null. Even a single wrong byte may render filesystems un-mountable. See this question for reference.

To avoid unwanted characters, use stty raw and/or dos2unix:

~$ adb shell 'stty raw && dd if=/dev/block/bootdevice/by-name/userdata' > data.img

But the most straightforward way is:

~$ adb pull /dev/block/bootdevice/by-name/userdata data.img

See this answer for more details.

STREAM OVER TCP

To avoid the terminal-related complications described above or if for some reason adbd cannot be run as root, it's also possible to create a minimal TCP server for data transfer. Forward the port from phone to PC and run a netcat TCP server in listening mode:

~$ adb reverse tcp:1024 tcp:1024

~$ nc -v -l -p 1024 </dev/null | pv -ab >data.img

On phone:

~# cat /dev/block/bootdevice/by-name/userdata | busybox nc 127.0.0.1 1024

USB TETHERING (RNDIS)

To avoid using ADB at all, USB tethering can be used to provide network connectivity:

~# cd /sys/class/android_usb/android0

~# echo -n 0 >enable

~# echo -n rndis,adb >functions

~# echo -n 1 >enable

<sup>* You may also change other files like { iSerial,iProduct,iManufacturer } and f_rndis/{ ethaddr,manufacturer,wceis,rndis_transports,max_pkt_per_xfer } in the above directory if required.
* On new devices you might need to use /config interfaces instead of /sys. Some relevant hints here.</sup>

Add IP address:

~# busybox ip rule add lookup main

~# busybox ip address add 192.168.1.1/30 dev rndis0

~# busybox ip link set rndis0 up

On PC add IP manually (there's no DHCP server):

~$ sudo ip address add 192.168.1.2/30 dev usb0

~$ nc -v -l -p 1024 </dev/null | pv -ab >data.img

On phone:

~# busybox nc 192.168.1.2 1024 </dev/block/bootdevice/by-name/userdata

In the same way it's also possible to use rclone rcat to transfer the dump over WebDAV or FTP or SFTP. See How to stream an encrypted backup of the entire device to remote host?

USB MASS STORAGE (UMS)

This method is useful if you don't want to create a dump of the partition, but instead access partition directly on PC. See my answer to Why can't I see Android storage as a partition on PC? for methods on how to enable UMS thorough /sys or /config interfaces.

Once done, userdata will appear as a partition on Linux PC just as we connect a USB drive. If /dev/sda is the hard disk drive, usually /dev/sdb will be the userdata partition. You can find that by using blkid command:

~# blkid | grep userdata

/dev/sdb: PARTLABEL="userdata" PARTUUID="..."

You can run recovery programs directly on the block device or mount the filesystem (if needed) or may also create a dump.

HOW TO RECOVER DATA?

There are basically two ways to recover deleted data as mentioned in this answer: carving method and through the filesystem.

Recovery tools mostly don't need mounting filesystems but if it's required, it needs to be done on Linux PC because Windows doesn't support ext4 or f2fs natively, hence the tools aren't easily available AFAIK.

^{If anyone has been able to successfully make block/journal level access to Linux/Android filesystem for data recovery on Windows through Ext3Fsd or any other driver, let me know so that I can update the answer.}

On Linux you can use tools like extundelete to recover data using filesystem journal:

~# extundelete --restore-all data.img

Or to recover data directly with UMS:

~# extundelete --restore-all /dev/sdb

Since you have done a factory reset which erases the filesystem, consider carving method using tools like TestDisk or scalpel:

~# testdisk data.img

In the same way you can use any other data recovery tools. See the ArchWiki on File Recovery for more details.

RELATED:

• How to get data off a completely dead Android phone?


• How to take full image backup of eMMC?


• Why can't I see Android storage as a partition on PC?


• Is there any way to recover data from 2nd SD partition?


• How disk space is used on Android device?