How to Recover Accidentally Deleted Files on Linux Using lsof and extundelete
This guide explains why careful file deletion matters, introduces Linux tools like lsof and extundelete for recovering mistakenly removed files, and provides step‑by‑step commands, installation instructions, and precautions to maximize recovery success while avoiding data loss.
Introduction
Deleting files in any system must be done carefully because accidental deletion can cause serious loss for individuals or companies.
Linux, like Windows, has tools that can help recover mistakenly deleted files.
Note: Recovery is not guaranteed 100%.
Therefore, when using
rm, be cautious; keep backups; and avoid writing new data to the directory of the deleted file before recovery.
1. lsof
Principle
The
lsofcommand cannot directly restore files, but it lists files opened by processes. Combined with other commands, you can recover files that have been deleted but are still held open by a process via the
/procfilesystem.
Note: Must run as root because
lsofneeds access to kernel memory. It can only recover files that are still open by a process. If a directory was deleted and its contents are not opened, they cannot be recovered with this method.
lsof output fields
File recovery steps
Environment: a file
train.lessis open under
/mntand then deleted from another terminal.
1. Find the process
<code>lsof /mnt</code>2. Recover
Navigate to the process's file‑descriptor directory under
/proc/<PID>/fd/and copy the descriptor to a new file.
<code>cd /proc/31284/fd/
cat 4 > /mnt/ferris_train.less</code>2. extundelete
Principle
extundelete uses information stored in the filesystem journal to attempt recovery of files deleted from ext3 or ext4 partitions.
Advantages
Compared with ext3grep, extundelete works on a broader range of filesystems and is faster.
Official site: http://extundelete.sourceforge.net
Download: http://downloads.sourceforge.net/project/extundelete/extundelete/0.2.4/extundelete-0.2.4.tar.bz2 (latest version 0.2.4 released Jan 2013).
Precautions
Unmount the disk or partition containing the deleted data before recovery.
If the root partition is affected, boot into single‑user mode and mount it read‑only.
Data overwritten cannot be recovered.
Recovery may fail; always keep backups and use
rmcarefully.
Installation
1. Install dependencies
<code>centos: yum install e2fsprogs-devel e2fsprogs* gcc*</code>
<code>ubuntu: apt-get install build-essential e2fslibs-dev e2fslibs-dev</code>2. Build and install
<code>wget http://downloads.sourceforge.net/project/extundelete/extundelete/0.2.4/extundelete-0.2.4.tar.bz2
tar xf extundelete-0.2.4.tar.bz2
cd extundelete-0.2.4
./configure
make
make install</code>Recovery operations
All extundelete commands must be run in a writable directory.
1. Identify filesystem type
<code>df -Th</code>2. Unmount the target partition
<code>umount /mnt</code>3. List recoverable data
Search the partition; files marked “Deleted” in the last column are candidates.
<code>extundelete /dev/vdb1 --inode 2</code>4. Restore a directory
<code>extundelete /dev/vdb1 --restore-directory ferris</code>The command creates a
RECOVERED_FILESdirectory in the current working directory; if not created, recovery failed.
5. Restore a single file
<code>extundelete /dev/vdb1 --restore-file openssh-7.7p1.tar.gz</code>6. Restore all deleted files
<code>extundelete /dev/vdb1 --restore-all</code>Efficient Ops
This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.