  1. #1
    Just Joined!
    Join Date
    Nov 2011
    Posts
    1

    Recover the deleted file by simple commands

    If you deleted a file on a Linux-based OS accidentally and want to recover it, the lsof command may help you.

    lsof is a Linux tool which can show open files and network connections, and even recover deleted files.

    The funda behind it is: if a process is holding the file, you can recover it completely.

    Detailed explanation :
    vishnu-agarwal.blogspot.com/2011/11/recover-deleted-file-on-linux.html
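
How the lsof-based recovery in post #1 works underneath, as an added example that is not part of the original posts: Linux exposes every open descriptor as /proc/<pid>/fd/<n>, and copying from that path retrieves a deleted file for as long as a process still holds it open. The file name, its contents and the `sleep` holder process are constructed for the demo.

```shell
#!/bin/sh
# Added demo (Linux only): recover a deleted file that a process still has open.
# File name, contents and the "sleep" holder process are constructed for the demo.

# Print every /proc/<pid>/fd/<n> whose link target is the deleted file $1.
# `lsof +L1` reports the same open-but-unlinked files.
find_deleted_fds() {
    name=$1
    for fd in /proc/[0-9]*/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        case $target in
            *"$name (deleted)") printf '%s\n' "$fd" ;;
        esac
    done
}

# Copy the data behind the first matching descriptor to $2.
recover_deleted() {
    fd=$(find_deleted_fds "$1" | head -n 1)
    [ -n "$fd" ] || return 1      # no process holds it: the data is not reachable this way
    cp "$fd" "$2"
}

demo() {
    dir=$(mktemp -d) || return 1
    printf 'important data\n' > "$dir/report.txt"
    exec 3< "$dir/report.txt"        # open the file on fd 3 ...
    sleep 30 >/dev/null 2>&1 &       # ... let a child inherit it (stands in for a daemon)
    holder=$!
    exec 3<&-                        # only the child holds the file now
    rm "$dir/report.txt"             # the "accident": directory entry gone, inode still open
    status=0
    recover_deleted "$dir/report.txt" "$dir/recovered.txt" || status=1
    kill "$holder" 2>/dev/null
    wait "$holder" 2>/dev/null || true
    [ "$status" -eq 0 ] && cat "$dir/recovered.txt"
    rm -rf "$dir"
    return "$status"
}

demo
```

Reading another user's /proc/<pid>/fd entries requires root, and the data is lost once the last process holding the file closes it.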

  2. #2
    Linux Guru
    Join Date
    May 2011
    Posts
    1,855
    That's cool, I didn't know about that. Thanks for posting.

    I had to restore a deleted file (that no process still had open) on an ext3 filesystem. I wrote down what I did, in case I ever needed it again. Here it is (note that much of it is antiquated - you could probably use a rescue CD like SystemRescueCd for much of it):


    Before you begin, you'll need at least two additional programs which you might not find in your distro repos:

    -SleuthKit (The Sleuth Kit (TSK) & Autopsy: Open Source Digital Investigation Tools)
    -Foremost (Foremost)

    Compile and install these forensic tools on some other system that is compatible with the system you'll be using as your rescue system (which is not necessarily the distro of your system with the deleted file).

    ---
    1. If you trust yourself, unmount the partition that the file resides on, if possible (or remount it "ro", if /, if possible).

    2. Power off the system - if a laptop or otherwise 'smart' PC, don't press the power button, as this may initiate a shutdown sequence (and possibly overwrite any files you care about). To be safe, just remove the power cord, and, if a laptop, the battery.

    3. PXE/CD-ROM boot into any rescue Linux (I used Fedora Core 5), and elect NOT to mount any partitions, if so prompted. This rescue system must have copies of the two forensic tools mentioned above.

    4. Create the disk block devices, if necessary, e.g.:
    Code:
    mknod /dev/sda b 8 0
    mknod /dev/sda3 b 8 3

    5. Mount a usable directory (nfs/ramdisk/other disk partition, etc.), e.g.:
    Code:
    mount -t nfs 192.168.1.100:/data/backup /nfs

    6. If you're uber-paranoid, and if your newly mounted dir has sufficient space, back up the target partition (I skipped this...), e.g.:
    Code:
    dd if=/dev/sda3 of=/nfs/sda3_backup.img bs=65536
    NOTE: this could take a long time

    7. Run the dls command from SleuthKit to get all blocks of data from the partition, e.g.:
    Code:
    dls /dev/sda3 > /nfs/sda3_saved_blocks.dat

    8. Make a dir on your new mount point to contain all recoverable files, e.g.:
    Code:
    mkdir /nfs/output
    9. Edit the foremost config file (foremost.conf) to include relevant details about your particular file. For example, in my case, I added the following, to tell it to care about perl files:
    Code:
    # (extension) (case)    (size)          (grepable identifiers)
            pl      y       1000000         perl

    The above line says that all files with a ".pl" extension (case-sensitive), with the string "perl" in them, will be restored, up to 1000000 bytes. Note that if your file is less in size than the size specified (i.e., 1000000), consecutive block data may be "tailed" to your restored file, to bring the restored file size to 1000000 bytes. As it turns out, I only needed to specify a size of around 18000 (my file is ~17KB, as opposed to the ~976KB specified), but I was paranoid.

    10. Run foremost to examine the disk dump created by dls, e.g.:
    Code:
    foremost -d -i /nfs/sda3_saved_blocks.dat -c /path/to/foremost.conf -o /nfs/output/

    11. Examine the log file /nfs/output/audit.txt, or list /nfs/output/$dir for copies of your file, where $dir is the extension you added to foremost.conf, e.g.:
    Code:
    ls -al /nfs/output/pl

    Tips taken from Why Recovering a Deleted Ext3 File Is Difficult . . . | Linux
