How to Recover Accidentally Deleted Linux Files with lsof and extundelete

Why file deletion must be handled carefully

Deleting files can cause irreversible loss if the data is important and not backed up. Once a file is removed, recovery is only possible if the data has not been overwritten. Linux provides tools that can help recover accidentally deleted files.

Recovering open‑deleted files with lsof

Principle : lsof cannot restore a file directly, but it lists files that are still opened by running processes. If a deleted file is still held open, its contents remain in the process’s file descriptor and can be copied.

Requirements : Run as root because lsof needs access to kernel memory. Only files that are deleted **and** still open can be recovered; fully removed files or directories with no open handles cannot be restored.

Common options

-c <command>

– show files opened by a specific command -p <pid> – show files opened by a given PID -g <gid> – show files opened by processes belonging to a specific group -d <dir> – list files opened under a directory -i :80 – show processes using port 80

Recovery steps

Identify the process that still holds the deleted file: lsof /mnt Note the PID and the file descriptor (FD) of the target file.

Navigate to the process’s descriptor directory and copy the data:

cd /proc/<PID>/fd</code>
<code>cat <FD> > /mnt/recovered_file

Only files whose descriptors are still active can be recovered this way.

Recovering files from ext3/ext4 with extundelete

Principle : extundelete reads the journal of an ext3 or ext4 partition and attempts to reconstruct deleted files. It works on both ext3 and ext4, is faster than ext3grep, and can restore entire directories.

Official site : http://extundelete.sourceforge.net

Source archive : http://downloads.sourceforge.net/project/extundelete/extundelete/0.2.4/extundelete-0.2.4.tar.bz2 (version 0.2.4, released Jan 2013)

Installation

Install build dependencies and compile the source.

# CentOS</code>
<code>yum install e2fsprogs-devel e2fsprogs* gcc*</code>
<code># Ubuntu</code>
<code>apt-get install build-essential e2fslibs-dev</code>
<code>wget http://downloads.sourceforge.net/project/extundelete/extundelete/0.2.4/extundelete-0.2.4.tar.bz2</code>
<code>tar xf extundelete-0.2.4.tar.bz2</code>
<code>cd extundelete-0.2.4</code>
<code>./configure</code>
<code>make</code>
<code>make install

The extundelete binary is installed to /usr/local/bin.

Recovery workflow

Identify the filesystem type of the target partition: df -Th Unmount the partition to prevent further writes: umount /mnt List recoverable inodes (files marked as Deleted). Example for the root inode (2): extundelete /dev/vdb1 --inode 2 Restore a specific directory:

extundelete /dev/vdb1 --restore-directory ferris

Restore a single file:

extundelete /dev/vdb1 --restore-file openssh-7.7p1.tar.gz

Restore all deleted files at once: extundelete /dev/vdb1 --restore-all Recovered files are placed in a RECOVERED_FILES directory created in the current working directory. If the directory is not created, the recovery has failed.

Important precautions

Immediately unmount the affected disk or partition after data loss.

If the root partition is affected, boot into single‑user mode and remount it read‑only before running extundelete.

Do not write new data to the partition before recovery; any write may overwrite the deleted data.

Recovery is not guaranteed; maintain regular backups and use rm cautiously.