How to Recover Accidentally Deleted Linux Files with lsof and extundelete

Preface

Deleting files on any system must be done with caution because accidental removal of important files can cause significant personal or corporate loss. Linux, like Windows, offers tools to recover mistakenly deleted files.

Note that recovery is not guaranteed to be 100 % successful; always back up important data and avoid writing new data to the directory of the deleted file before recovery.

1. lsof

Principle

The

lsof

command cannot directly restore files, but it lists information about files opened by processes. By examining the

/proc

filesystem you can recover files that have been deleted but are still held open by a process.

Because

/proc

reflects in‑memory mappings, a file that has been removed from disk can still be read from memory while a process keeps it open.

Important notes

Run as root, since

lsof

needs access to kernel memory and various files.

Only files that are deleted but still open by a process can be recovered.

If an entire directory was deleted and none of its files are open, this method cannot recover them.

lsof output fields

<code>COMMAND   PID   USER   FD   DEVICE   SIZE   NODE   NAME</code>

Recovery steps with lsof

<code>lsof /mnt</code>

Identify the PID and file descriptor (FD) of the process that still holds the deleted file, then copy the data:

<code>cd /proc/31284/fd/</code>
<code>cat 4 > /mnt/ferris_train.less</code>

2. extundelete

Principle

extundelete reads the journal of an ext3/ext4 partition to attempt recovery of files that have been removed.

Advantages

Compared with ext3grep, extundelete supports both ext3 and ext4, works faster, and has a broader scope.

Official resources

Website: http://extundelete.sourceforge.net

Download: extundelete‑0.2.4.tar.bz2 (latest version released January 2013).

Important notes

After data deletion, unmount the affected disk or partition.

If the root partition is affected, boot into single‑user mode and mount it read‑only to avoid overwriting data.

Overwritten data cannot be recovered.

Recovery may still fail; always keep backups and use

rm

carefully.

Installation

Dependencies

<code># CentOS</code>
<code>yum install e2fsprogs-devel e2fsprogs* gcc*</code>
<code># Ubuntu</code>
<code>apt-get install build-essential e2fslibs-dev</code>

Compile and install

<code>wget http://downloads.sourceforge.net/project/extundelete/extundelete/0.2.4/extundelete-0.2.4.tar.bz2</code>
<code>tar xf extundelete-0.2.4.tar.bz2</code>
<code>cd extundelete-0.2.4</code>
<code>./configure</code>
<code>make</code>
<code>make install</code>

Recovery operations with extundelete

Identify the filesystem type of the partition to be recovered:

<code>df -Th</code>

Unmount the partition to avoid further writes:

<code>umount /mnt</code>

List deletable files (the last column shows "Deleted"):

<code>extundelete /dev/vdb1 --inode 2</code>

Restore a specific directory (empty directories cannot be restored):

<code>extundelete /dev/vdb1 --restore-directory ferris</code>

Restore a single file (small files may fail):

<code>extundelete /dev/vdb1 --restore-file openssh-7.7p1.tar.gz</code>

Restore all deleted files without specifying names:

<code>extundelete /dev/vdb1 --restore-all</code>

After a successful restore, a

RECOVERED_FILES

directory is created in the current working directory containing the recovered data.