Almost 2 years back I wrote about recovering deleted text file with grep command under UNIX or Linux.
Michael Stutz shows us how to recover deleted files using lsof command.
From the article:
There you are, happily playing around with an audio file you've spent all afternoon tweaking, and you're thinking, "Wow, doesn't it sound great? Lemme just move it over here." At that point your subconscious chimes in, "Um, you meant mv, not rm, right?" Oops. I feel your pain -- this happens to everyone. But there's a straightforward method to recover your lost file, and since it works on every standard Linux system, everyone ought to know how to do it.
Briefly, a file as it appears somewhere on a Linux filesystem is actually just a link to an inode, which contains all of the file's properties, such as permissions and ownership, as well as the addresses of the data blocks where the file's content is stored on disk. When you rm a file, you're removing the link that points to its inode, but not the inode itself; other processes (such as your audio player) might still have it open. It's only after they're through and all links are removed that an inode and the data blocks it pointed to are made available for writing.
This delay is your key to a quick and happy recovery: if a process still has the file open, the data's there somewhere, even though according to the directory listing the file already appears to be gone.
Read more at Linux.com
However recovering files under Linux is still hard work for new admins. I highly recommend backing up files regularly and storing backup offsite.
Featured Articles:
- 20 Linux System Monitoring Tools Every SysAdmin Should Know
- 20 Linux Server Hardening Security Tips
- 10 Greatest Open Source Software Of 2009
- My 10 UNIX Command Line Mistakes
- Top 5 Email Client For Linux, Mac OS X, and Windows Users
- Top 20 OpenSSH Server Best Security Practices
- Top 10 Open Source Web-Based Project Management Software
- Top 5 Linux Video Editor Software
- Email this to a friend
- Download PDF version
- Printable version
- Comment RSS feed
- Last Updated: Jan/5/2009
{ 21 comments… read them below or add one }
i think the OS files in my solaris server have been deleted accidentally.i would like to know if there is any way to recover the files.
I delete a whole data in home folder by rm -rf * then
how i recover the data pls reply me
Is is not correct, This is for open-deleted files
I delete a whole folder which having data by rm -rf * then
how i recover the data pls reply me
thx in adv – madan
I accidently deleted a whole folder from my home directory.
How i recover my lost data plz reply
Here I give you a link with a useful tip
http://tips-debian.blogspot.com/2008/04/recover-erased-data-ext2ext3.html
I want recover the deleted files and directory command. Please help me give proceture.
Hi Guys,
Accidentaly I deleted all of my folders using
rm -rf *
It contained some important data. I need those
data back.Can any body help me in this regard.
Thanks in advance,
Manoj.
This is a nice site which can help us in urgent.
Some one destroyed all my vpses now I want to recover data please help me how to recover that data.
System->Administration->Software Sources. From the terminal I installed Foremost:
sudo apt-get install foremost
You need to know your target partition’s path to recover from it. I simply started System-Administration->Partition Editor and saw the the home partition is /dev/sda1.
Let’s recover some JPEG images:
sudo foremost -t jpeg -i /dev/sda1
This command causes Foremost to create a directory called output and put every file it can recover in. This could take a while.
You don’t actually link to the article on Linux.com, it’s here: http://www.linux.com/articles/58142
By mistake i delete my file by rm command, file name is myprog.tgz. This file contains all my programs. Can any one help me for recover this file.
Hi,
I just managed to recover a script, that was still running in an endless loop, but I deleted the File:
./doit &
rm doit
lsof | grep doit (you get the PID, you get the INUM also, but that did not help)
cat /proc//fd/255 (outputs the script)
the editor deleted the PID, use this:
cp /proc/PID/fd/255 recovered
hello
Actually I have deleted a file by using “shift+delete”..
i want to recover it
m using fedora core 10
please help
thank you in advance
Hi Manoj,
If you follow step by step from this site you might recover the file.
http://www.cyberciti.biz/tips/linuxunix-recover-deleted-files.html
That guides to have you in a level than try to search your directory or file either by grep or locate command.
Regards,
I delete a whole data in home folder by rm -rf * then
how i recover the data pls reply me at the earliest possible. I am in mess….
I have moved files from a directory to a computer on the network and have since discovered that the drive they were moved to is bad. It is my sense that moving and deleting are largely the same process, is there a best way to recover the files from the directory they were moved from? THANKS! -jim-
i have deleted one important files on lamp server.
is there any idea to recover that files from server.
plssssss replyyyyyy m n messsss
Hi.
Like some other people I did something very stupid.
I deleted my home directory using the following command:
userdel -r pedro
After I read your article I approached the problem in the following way:
lsof | grep /home/pedro
I receive a four line answer:
bash 4414 root cwd DIR 8,2 0 8085505 /home/pedro (deleted)
lsof 5650 root cwd DIR 8,2 0 8085505 /home/pedro (deleted)
grep 5651 root cwd DIR 8,2 0 8085505 /home/pedro (deleted)
lsof 5652 root cwd DIR 8,2 0 8085505 /home/pedro (deleted)
Is there any possibility to recover the whole directory by setting some values manually.
Please write back,
Pedro