Recovering deleted files in Linux

Have you ever accidentally deleted a file in Linux, realized it was a critical file, and needed to get it back as quickly as possible? Two questions immediately come to mind:

1. Can I recover this file?
2. If so, how do I recover the deleted file?

The answer is yes, with one condition: if a file that is still open is deleted accidentally, the lsof command can be used to locate it and recreate a copy, provided this is done before the application holding it open closes the file.

A file that has been inadvertently removed from the filesystem is still recoverable as long as the application using it is still running. In technical terms, the inode is still open, so its data blocks remain allocated on disk until the application closes the file or exits; only the directory entry (the file's name) has been removed.

By using lsof and /proc, the filesystem entry for the file can be recreated. Let's first take a quick, high-level look at lsof and /proc.

lsof (list open files) – this command lists, on its standard output, information about files opened by processes (from the lsof man page).
/proc (process information pseudo-filesystem) – a virtual filesystem. It does not contain 'real' files but runtime system information (e.g. system memory, mounted devices, hardware configuration), including, under /proc/<PID>/fd/, one symbolic link for every file descriptor a process holds open.
With that background, let's try the technique of recovering a file with an example.

In the example below we delete a file and then recover it with the help of the basic Unix command lsof.

Step1: Create a file "testfile" under /tmp with the touch command

testuser# touch /tmp/testfile
testuser#
testuser# ls -l /tmp/testfile
-rw-r--r-- 1 root root 0 Aug 14 18:17 /tmp/testfile

Step2: Add some data to the file, for example by redirecting the output of man df into it

testuser# man df > /tmp/testfile
testuser#

Step3: Run a command that holds the file open (tail -f keeps a read descriptor on it)

testuser# tail -f /tmp/testfile &
[1] 3674
testuser#

Step4: List the process to confirm it is running and holding the file

testuser# ps -ef | grep 3674 | grep -v grep
root 3674 6365 0 18:27 pts/13 00:00:00 tail -f /tmp/testfile

Step5: Manually delete the file, then list it to confirm it no longer exists

testuser# rm /tmp/testfile
rm: remove regular file ‘/tmp/testfile’? y
testuser# ls -l /tmp/testfile
ls: cannot access /tmp/testfile: No such file or directory

The file is now gone. Let's move on to the main point: recovering the deleted file "testfile".

Step6: Run lsof as below to show the open file descriptor of the process that still holds the file

testuser# lsof | grep -i testfile
tail 2154 root 3r REG 253,1 4395 67333185 /tmp/testfile (deleted)

The second column (2154) is the PID of the process that has the file open, and the fourth column (3r) is the file descriptor the process is using to access it: descriptor 3, opened for reading. The "(deleted)" marker at the end confirms that the directory entry is gone while the inode is still open.

Step7: Locate the open file descriptor in /proc, where it appears as a symbolic link under /proc/<PID>/fd/

testuser# ls -l /proc/2154/fd/3
lr-x------ 1 root root 64 Aug 14 18:04 /proc/2154/fd/3 -> /tmp/testfile (deleted)

Step8: The open file can now be copied back to its original location, i.e. under /tmp (cp reads through the /proc link, so it reaches the inode even though the name is gone)

testuser# cp /proc/2154/fd/3 /tmp/
testuser#
testuser# ls -l /tmp/3
-rw-r--r-- 1 root root 4395 Aug 14 18:39 /tmp/3

Step9: Rename the copy to its original name "testfile"

testuser# mv /tmp/3 /tmp/testfile
testuser# ls -l /tmp/testfile
-rw-r--r-- 1 root root 4395 Aug 14 18:39 /tmp/testfile
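The whole procedure above, scripted end to end as an added example (this is not code from the original post). It assumes a Linux system with /proc mounted. Instead of grepping lsof output it reads /proc/<PID>/fd/ directly, and instead of tail -f it holds the file open with a sleep process whose descriptor 3 is redirected from the file, so the descriptor is guaranteed to be open before the file is removed. The file contents, paths and function names (find_deleted_fds, recover_open_file, demo) are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): the recovery procedure as shell
# functions, run against a constructed file in a temporary directory.
# Assumes a Linux /proc; "sleep" with fd 3 redirected from the file stands in
# for the post's "tail -f" as the process that keeps the inode alive.

# find_deleted_fds PID: print "FD TARGET" for every deleted file PID holds open.
# Equivalent to the post's "lsof | grep testfile", but read straight from /proc.
find_deleted_fds() {
    pid="$1"
    for link in /proc/"$pid"/fd/*; do
        target=$(readlink "$link" 2>/dev/null) || continue
        case "$target" in
            *" (deleted)") printf '%s %s\n' "${link##*/}" "$target" ;;
        esac
    done
}

# recover_open_file PID FD DEST: copy the still-open inode back to DEST.
# Refuses to run if the descriptor no longer points at a deleted file.
recover_open_file() {
    pid="$1"; fd="$2"; dest="$3"
    target=$(readlink "/proc/$pid/fd/$fd" 2>/dev/null) || return 1
    case "$target" in
        *" (deleted)") ;;
        *) echo "fd $fd of pid $pid is not a deleted file: $target" >&2; return 1 ;;
    esac
    # cp reads through the /proc link, which still reaches the inode
    cp "/proc/$pid/fd/$fd" "$dest"
}

# demo: create, hold open, delete, recover, and compare checksums.
# Prints "recovered: checksum matches" and returns 0 on success.
demo() {
    workdir=$(mktemp -d)
    original="$workdir/testfile"
    # Steps 1-2: a file with constructed sample content
    printf 'line %d of constructed sample data\n' 1 2 3 4 5 > "$original"
    before=$(cksum < "$original")
    # Step 3: hold the file open on fd 3 from a background process
    sleep 60 3< "$original" &
    holder=$!
    # wait until the holder has actually opened the file
    tries=0
    while [ ! -e "/proc/$holder/fd/3" ] && [ "$tries" -lt 20 ]; do
        sleep 1; tries=$((tries + 1))
    done
    # Step 5: remove the directory entry; the inode survives while fd 3 is open
    rm -f "$original"
    # Steps 6-7: find the descriptor that still references the deleted inode
    fd=$(find_deleted_fds "$holder" | awk '{ print $1; exit }')
    # Steps 8-9: copy it back under the original name
    recover_open_file "$holder" "$fd" "$original" || { kill "$holder"; return 1; }
    after=$(cksum < "$original")
    kill "$holder"; wait "$holder" 2>/dev/null || true
    rm -rf "$workdir"
    if [ "$before" = "$after" ]; then
        echo "recovered: checksum matches"
    else
        echo "recovered file differs from the original" >&2; return 1
    fi
}
```

Run demo to see the full cycle; the checksum comparison is what proves the copy is byte-for-byte the original. On a busy system, lsof +L1 (files with a link count below one) narrows the listing to deleted-but-open files without grepping by name, and the /proc-based lookup in find_deleted_fds is the same idea applied to a single PID.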

That's it: the critical file is back in place. Remember to be cautious when dealing with critical files next time, and keep in mind that this only works while the process still has the file open; once it closes the descriptor or exits, the data blocks are freed and this method no longer applies.
