How to Recover Accidentally Deleted Linux Files with lsof and extundelete

Preface

Deleting files on any system must be done with caution because accidental removal of important files can cause significant personal or corporate loss. Linux, like Windows, offers tools to recover mistakenly deleted files.

Note that recovery is not guaranteed to be 100 % successful; always back up important data and avoid writing new data to the directory of the deleted file before recovery.

1. lsof

Principle

The lsof command cannot directly restore files, but it lists information about files opened by processes. By examining the /proc filesystem you can recover files that have been deleted but are still held open by a process.

Because /proc reflects in‑memory mappings, a file that has been removed from disk can still be read from memory while a process keeps it open.

Important notes

Run as root, since lsof needs access to kernel memory and various files.

Only files that are deleted but still open by a process can be recovered.

If an entire directory was deleted and none of its files are open, this method cannot recover them.

lsof output fields

COMMAND   PID   USER   FD   DEVICE   SIZE   NODE   NAME

Recovery steps with lsof

lsof /mnt

Identify the PID and file descriptor (FD) of the process that still holds the deleted file, then copy the data:

cd /proc/31284/fd/</code>
<code>cat 4 > /mnt/ferris_train.less

2. extundelete

Principle

extundelete reads the journal of an ext3/ext4 partition to attempt recovery of files that have been removed.

Advantages

Compared with ext3grep, extundelete supports both ext3 and ext4, works faster, and has a broader scope.

Official resources

Website: http://extundelete.sourceforge.net

Download: extundelete‑0.2.4.tar.bz2 (latest version released January 2013).

Important notes

After data deletion, unmount the affected disk or partition.

If the root partition is affected, boot into single‑user mode and mount it read‑only to avoid overwriting data.

Overwritten data cannot be recovered.

Recovery may still fail; always keep backups and use rm carefully.

Installation

Dependencies

# CentOS</code>
<code>yum install e2fsprogs-devel e2fsprogs* gcc*</code>
<code># Ubuntu</code>
<code>apt-get install build-essential e2fslibs-dev

Compile and install

wget http://downloads.sourceforge.net/project/extundelete/extundelete/0.2.4/extundelete-0.2.4.tar.bz2</code>
<code>tar xf extundelete-0.2.4.tar.bz2</code>
<code>cd extundelete-0.2.4</code>
<code>./configure</code>
<code>make</code>
<code>make install

Recovery operations with extundelete

Identify the filesystem type of the partition to be recovered: df -Th Unmount the partition to avoid further writes: umount /mnt List deletable files (the last column shows "Deleted"): extundelete /dev/vdb1 --inode 2 Restore a specific directory (empty directories cannot be restored):

extundelete /dev/vdb1 --restore-directory ferris

Restore a single file (small files may fail):

extundelete /dev/vdb1 --restore-file openssh-7.7p1.tar.gz

Restore all deleted files without specifying names: extundelete /dev/vdb1 --restore-all After a successful restore, a RECOVERED_FILES directory is created in the current working directory containing the recovered data.