How to Recover Accidentally Deleted Linux Files with lsof and extundelete

Introduction

Deleting files in any system must be done carefully because accidental deletion can cause serious loss. Linux also has tools to recover deleted files.

1. lsof

Principle: lsof cannot directly recover files but lists files opened by processes. By examining

/proc

you can recover files that are deleted but still held open by a process.

Note: Must run as root. Only recovers files that are still open. If a directory is deleted and its files are not open, they cannot be recovered.

lsof output fields meaning: COMMAND, USER, FD, DEVICE, SIZE, NODE, NAME.

Common options:

-c: show files opened by a process

-p: show files opened by a specific PID

-g: show processes belonging to a GID

-d: show files under a directory

-i: show processes using a port (e.g., -i:80)

Recovering files with lsof

Example scenario: a file

/mnt/train.less

is being viewed, then deleted in another terminal.

Step 1: Use

lsof /mnt

to find the process ID.

Step 2: Switch to

/proc/<pid>/fd

, copy the file descriptor to a new file, e.g.,

cat 4 > /mnt/ferris_train.less

.

2. extundelete

Principle: Uses the filesystem journal to attempt recovery of files deleted from ext3/ext4 partitions.

Advantages: Works on ext3 and ext4, faster and broader than ext3grep.

Official site: http://extundelete.sourceforge.net

Download: http://downloads.sourceforge.net/project/extundelete/extundelete/0.2.4/extundelete-0.2.4.tar.bz2 (latest 0.2.4 released Jan 2013)

Precautions:

Unmount the disk/partition containing the deleted data before recovery.

If the root partition is affected, boot into single‑user mode and mount it read‑only.

Data overwritten cannot be recovered.

Back up important data; use

rm

carefully.

Installation

Dependencies:

<code>centos: yum install e2fsprogs-devel e2fsprogs* gcc*</code>

<code>ubuntu: apt-get install build-essential e2fslibs-dev e2fslibs-dev</code>

Compile and install:

<code>wget http://downloads.sourceforge.net/project/extundelete/extundelete/0.2.4/extundelete-0.2.4.tar.bz2
 tar xf extundelete-0.2.4.tar.bz2
 cd extundelete-0.2.4
 ./configure
 make
 make install</code>

Recovery Operations

All commands must be run in a writable directory.

Identify filesystem type:

df -Th

Unmount the partition:

umount /mnt

List recoverable files:

extundelete /dev/vdb1 --inode 2

Restore a directory:

extundelete /dev/vdb1 --restore-directory ferris

Restore a single file:

extundelete /dev/vdb1 --restore-file openssh-7.7p1.tar.gz

Restore all deleted files:

extundelete /dev/vdb1 --restore-all

Recovered files are placed in a

RECOVERED_FILES

directory in the current working directory; if the directory is not created, the recovery failed.