Linux find removed file

How to recover deleted file if it is still opened by some process?

If /home is NFS, there will be a .nfsNNNNNNNNNN file in /home/vi that you can access/copy. If home is a local filesystem, you should be able to do the same thing via the /proc/PID/fd/3 link:

cp /proc/PID/fd/3 /tmp/recovered_file 

If you want to actually undelete the file, here’s a blog post on the subject.

OK, I was confused by that readlink /proc/13381/fd/3 -> "/home/vi/important_file (deleted)" and /home/vi/important_file\ \(deleted\) obviously does not exist.

lmao! I love you! I was examining a particular vmlinux in gdb for a very particular stack trace for a mysterious race condition, forgot about that and rebuilt the kernel with different .config options.
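The /proc/PID/fd recovery from the answer above, including the " (deleted)" suffix that the comment found confusing, as an added example that is not part of the original thread. It is Linux-only (needs /proc); the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: Linux only (needs /proc). Function names are hypothetical.

# list_deleted_fds PID -> "FD<TAB>original path" for each unlinked-but-open file.
# The kernel appends " (deleted)" to the link target; that suffix is display
# text, not part of a real path, so it is stripped before printing.
list_deleted_fds() {
    for link in /proc/"$1"/fd/*; do
        target=$(readlink "$link" 2>/dev/null) || continue
        case $target in
            /*" (deleted)")
                printf '%s\t%s\n' "${link##*/}" "${target% (deleted)}" ;;
        esac
    done
}

# recover_fd PID FD DEST -> copy the still-open contents out through /proc.
recover_fd() {
    src=/proc/$1/fd/$2
    [ -n "$2" ] && [ -f "$src" ] || { echo "not an open regular file: $src" >&2; return 1; }
    ( umask 077; cp -- "$src" "$3" )   # recovered data may be sensitive
}

# Constructed demo: this shell plays the process that still holds the file.
demo_recover() {
    work=$(cd "$(mktemp -d)" && pwd -P) || return 1
    victim=$work/important_file
    printf 'constructed sample data\n' > "$victim"
    read -r self _ < /proc/self/stat   # real PID, correct even inside $(...)
    exec 9< "$victim"                  # hold the file open on fd 9
    rm -- "$victim"                    # the name is gone, the inode is not
    fd=$(list_deleted_fds "$self" | awk -F'\t' -v p="$victim" '$2 == p { print $1 }')
    recover_fd "$self" "$fd" "$work/recovered_file" && cat "$work/recovered_file"
    rc=$?
    exec 9<&-
    rm -rf -- "$work"
    return "$rc"
}

demo_recover
```

Reading another user's /proc/PID/fd entries requires root, and a file whose real name ends in " (deleted)" would also match the suffix test.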

Better than copying at a given time (and gathering only that time’s snapshot of the file’s content) is to "tail -f" that file into a new file:

tail -c +0 -f /proc/<PIDofProgram>/fd/# > /new/path/to/file

(thanks to tail’s cautious programmers, that will even work with binary output.)

During its runtime, the tail -f itself keeps the file open, safely preventing it from being purged off disk when the original program ends. Thus, don’t stop the tail -f immediately after your original program ends — check the tail’ed /new/path/to/file first whether it is what you want. If it isn’t (or is unsatisfying for any other reason), you can copy the original file again, but this time after all writing to it has finished by "Program" and from the still-running tail -f’s /proc/PIDoftail/fd/ directory.

Use lsof to find the inode number, and debugfs to recreate a hard link to it. For example:

# lsof -p 12345 | grep /var/log/messages
syslogd 12345 root 3w REG 8,3 3000 987654 /var/log/messages (deleted)
# mount | grep var
/dev/sda2 on /var type ext3 (rw)
# debugfs -w /dev/sda2
debugfs: cd log
debugfs: ln <987654> tmp
debugfs: mi tmp
Mode [0100600]
User ID [0]
Group ID [0]
Size [3181271]
Creation time [1375916400]
Modification time [1375916322]
Access time [1375939901]
Deletion time [9601027] 0
Link count [0] 1
Block count [6232]
File flags [0x0]
...snip...
debugfs: q
# mv /var/log/tmp /var/log/messages
# ls -al /var/log/messages
-rw------- 0 root root 3301 Aug 8 10:10 /var/log/messages

Before you complain, I faked the above transcript as I don’t have a deleted file to hand right now 😉


I use mi to reset the delete time and link count to sensible values (0 and 1 respectively), but it doesn’t work properly — you can see the link count remains at zero in ls. I think the kernel might be caching the inode data. You should probably fsck at the earliest opportunity after using debugfs, to be on the safe side.

In my experience, you should create the link using a temporary file name and then rename to the proper name. Linking it directly to the original file name seems to cause directory corruption. YMMV!


How to find which files and folders were deleted recently in Linux?

I just want to know which files and folders were deleted. Recovering those deleted files and folders is not important for me.

You should tell us what filesystem you are using. For example, with ext2, ext3 and ext4 you could probably use the ext3grep utility to find out information about deleted files. With some scripting it should be possible to put together a simple application that lists deleted files based on a specific directory. These utilities, however, need raw access to the disk and as such are extremely dangerous if not used properly (non-blocking read-only operations should be completely safe if you remember that writing to the disk at the same time could cause the current operation to return broken/incorrect data).

If you use the command line to delete the files then the history command is your friend. The history command will show you recently used commands.

3 Answers

Use find to search by modification time. For example, to find files touched in the last 3 days:

find /home/sam/officedocuments -mtime -3

For "older than 3 days", use +3.

Pretty much impossible. When a file is deleted, it’s simply gone. On most systems, this is not logged anywhere.


"Pretty much impossible": this is just plain wrong and because of this I have to downvote this. Deletion times are stored in some filesystems; an example of such a filesystem is ext3. ext3grep might help when hunting them down. I got superuser.com/a/433785/132604 that has some information and links to utilities that could be used to find (possibly recover too) deleted files and information about them. When you delete a file, in most filesystems, it is not actually removed but marked as space that could be overwritten on demand.

You might be able to restore files from a backup and compare a list of those files with the ones on the filesystem. That would yield a list of missing and newly created files. Grawity’s answer already shows you can filter on time, thus you can limit that to only the deleted files.

You should probably install Inotify Tools. Then you can use the inotifywait command to listen for events happening for the specified directory.

Specifically, if you want to watch for deleted files and folders, use this:

inotifywait -m -r -e delete dir_name 

and log this output in some file.

Hope this solves your problem

Sounds like the best approach for this. There’s a promising cli-app/daemon named iwatch that you might want to include in your answer. +1 for using the right tools to solve the problem.

ravi, @SampoSarrala — is this applicable if I want to watch files in the / root, taking into account mounting/unmounting drives? I would guess, in that case the only thing viable for keeping a deletion log would be a kernel module that would hook into unlink (see stackoverflow.com/questions/8588386/…); also man inotifywait states: "--recursive: Warning: ... this option while watching ... a large tree, it may take quite a while. Also, ... the maximum amount of inotify watches per user will be reached. The default maximum is 8192;"

I wonder if there is also a way to find out which process deleted the file (say a cron job) where applicable. Have a case of files mysteriously disappearing.

Linux does not generally ask for confirmation before removing files, assuming you’re using rm from the command line.

To find files modified in the last 30 minutes, use touch --date="HH:MM" /tmp/reference to create a file called reference with a timestamp from 30 minutes ago (where HH:MM corresponds to 30 minutes ago). Then use find /home/sam/officedocuments -newer /tmp/reference to find files newer than the reference.


If you deleted files using a GUI tool, they may still be in some kind of "trash can". It depends on what you’re using for a desktop environment. If you used rm from the command line, then try one of the utilities mentioned in this answer. (Hat tip to @Sampo for that link.)


Get list of files deleted by `find -delete` [duplicate]

But when I use -delete parameter with it, I can’t see the list of deleted files. They just get deleted. Preferably without making it complicated with | xargs .. or -exec rm {} , is there any magic flag to see the deleted files when using find . -iname .DS_Store -delete ? PS: I know I can run the command without delete flag before, but I’m looking for something like print0 (though prints uglily) to get the job done.

1 Answer

Just add -print to the end of the command:

find . -name .DS_Store -delete -print 

This would output the pathnames of the files found.

If this is on a macOS system (or on any of the BSD systems), using the default implementation of find there, then the -delete predicate always returns true, meaning that the -print would also always come into effect. This means that the command above would print all found pathnames, regardless of whether they were successfully deleted or not. The -delete predicate in GNU find would return false if the name could not be deleted.

If you’re on a macOS or BSD system, and if this matters to you, then use

find . ! -type d -name .DS_Store -exec rm {} \; -print

instead. Here, the rm would return a non-zero exit status if it failed to remove the given name, and this in turn means that the -print would not come into effect for that pathname. I’ve also added ! -type d since rm only deletes non-directories (when not using rm -r).
