How to Recover Accidentally Deleted Linux Files with lsof and extundelete
This guide explains why careful file deletion matters, introduces Linux tools like lsof and extundelete for recovering accidentally removed files, and provides step‑by‑step commands, installation instructions, and precautions to successfully restore data from ext3/ext4 partitions.
Introduction
Deleting files in any system must be done carefully because accidental deletion can cause serious loss. Linux also has tools to recover deleted files.
1. lsof
Principle: lsof cannot directly recover files but lists files opened by processes. By examining /proc you can recover files that are deleted but still held open by a process.
Note: Must run as root. Only recovers files that are still open. If a directory is deleted and its files are not open, they cannot be recovered.
lsof output fields meaning: COMMAND, USER, FD, DEVICE, SIZE, NODE, NAME.
Common options:
-c: show files opened by a process
-p: show files opened by a specific PID
-g: show processes belonging to a GID
-d: show files under a directory
-i: show processes using a port (e.g., -i:80)
Recovering files with lsof
Example scenario: a file /mnt/train.less is being viewed, then deleted in another terminal.
Step 1: Use lsof /mnt to find the process ID.
Step 2: Switch to /proc/<pid>/fd, copy the file descriptor to a new file, e.g., cat 4 > /mnt/ferris_train.less.
2. extundelete
Principle: Uses the filesystem journal to attempt recovery of files deleted from ext3/ext4 partitions.
Advantages: Works on ext3 and ext4, faster and broader than ext3grep.
Official site: http://extundelete.sourceforge.net
Download: http://downloads.sourceforge.net/project/extundelete/extundelete/0.2.4/extundelete-0.2.4.tar.bz2 (latest 0.2.4 released Jan 2013)
Precautions:
Unmount the disk/partition containing the deleted data before recovery.
If the root partition is affected, boot into single‑user mode and mount it read‑only.
Data overwritten cannot be recovered.
Back up important data; use rm carefully.
Installation
Dependencies:
centos: yum install e2fsprogs-devel e2fsprogs* gcc*ubuntu: apt-get install build-essential e2fslibs-dev e2fslibs-devCompile and install:
wget http://downloads.sourceforge.net/project/extundelete/extundelete/0.2.4/extundelete-0.2.4.tar.bz2
tar xf extundelete-0.2.4.tar.bz2
cd extundelete-0.2.4
./configure
make
make installRecovery Operations
All commands must be run in a writable directory.
Identify filesystem type: df -Th Unmount the partition: umount /mnt List recoverable files: extundelete /dev/vdb1 --inode 2 Restore a directory: extundelete /dev/vdb1 --restore-directory ferris Restore a single file: extundelete /dev/vdb1 --restore-file openssh-7.7p1.tar.gz Restore all deleted files: extundelete /dev/vdb1 --restore-all Recovered files are placed in a RECOVERED_FILES directory in the current working directory; if the directory is not created, the recovery failed.
Signed-in readers can open the original source through BestHub's protected redirect.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
Efficient Ops
This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.