How to Recover Accidentally Deleted Files on Linux Using lsof and extundelete

Introduction

Deleting files in any system must be done carefully because accidental deletion can cause serious loss for individuals or companies.

Linux, like Windows, has tools that can help recover mistakenly deleted files.

Note: Recovery is not guaranteed 100%.

Therefore, when using rm, be cautious; keep backups; and avoid writing new data to the directory of the deleted file before recovery.

1. lsof

Principle

The lsof command cannot directly restore files, but it lists files opened by processes. Combined with other commands, you can recover files that have been deleted but are still held open by a process via the /proc filesystem.

Note: Must run as root because lsof needs access to kernel memory. It can only recover files that are still open by a process. If a directory was deleted and its contents are not opened, they cannot be recovered with this method.

lsof output fields

File recovery steps

Environment: a file train.less is open under /mnt and then deleted from another terminal.

1. Find the process

lsof /mnt

2. Recover

Navigate to the process's file‑descriptor directory under /proc/<PID>/fd/ and copy the descriptor to a new file.

cd /proc/31284/fd/
cat 4 > /mnt/ferris_train.less

2. extundelete

Principle

extundelete uses information stored in the filesystem journal to attempt recovery of files deleted from ext3 or ext4 partitions.

Advantages

Compared with ext3grep, extundelete works on a broader range of filesystems and is faster.

Official site: http://extundelete.sourceforge.net

Download: http://downloads.sourceforge.net/project/extundelete/extundelete/0.2.4/extundelete-0.2.4.tar.bz2 (latest version 0.2.4 released Jan 2013).

Precautions

Unmount the disk or partition containing the deleted data before recovery.

If the root partition is affected, boot into single‑user mode and mount it read‑only.

Data overwritten cannot be recovered.

Recovery may fail; always keep backups and use rm carefully.

Installation

1. Install dependencies

centos: yum install e2fsprogs-devel e2fsprogs* gcc*</code>
<code>ubuntu: apt-get install build-essential e2fslibs-dev e2fslibs-dev

2. Build and install

wget http://downloads.sourceforge.net/project/extundelete/extundelete/0.2.4/extundelete-0.2.4.tar.bz2
tar xf extundelete-0.2.4.tar.bz2
cd extundelete-0.2.4
./configure
make
make install

Recovery operations

All extundelete commands must be run in a writable directory.

1. Identify filesystem type

df -Th

2. Unmount the target partition

umount /mnt

3. List recoverable data

Search the partition; files marked “Deleted” in the last column are candidates.

extundelete /dev/vdb1 --inode 2

4. Restore a directory

extundelete /dev/vdb1 --restore-directory ferris

The command creates a RECOVERED_FILES directory in the current working directory; if not created, recovery failed.

5. Restore a single file

extundelete /dev/vdb1 --restore-file openssh-7.7p1.tar.gz

6. Restore all deleted files

extundelete /dev/vdb1 --restore-all