Recover Deleted Linux Files: From Open Descriptors to Extundelete

Background

Linux does not provide a visible recycle bin like Windows, so recovering deleted files requires manual techniques. The article covers two situations: (1) the deleting process is still running and keeps the file descriptor open, and (2) the process has exited, requiring a third‑party recovery tool.

Case 1: Process Still Running

An example demonstrates creating a file testdelete.py, appending data with cat >> testdelete.py, and then deleting it with rm -f ./testdelete.py. Although the file disappears from the directory, the process still holds the file descriptor.

Steps to recover:

Use lsof | grep deleted to locate the deleted file and its owning PID.

Copy the file from the process’s file descriptor directory:

cp /proc/<em>PID</em>/fd/1 /desired/path/filename

Example commands:

echo "hello  py" > testdelete.py</code><code>cat >> testdelete.py</code><code>rm -f ./testdelete.py</code><code>lsof | grep deleted</code><code>cp /proc/20464/fd/1 /tmp/testdelete.py

After copying, the file is restored and can be verified with cat /tmp/testdelete.py.

Case 2: Process No Longer Exists

When no process holds the deleted file, tools like extundelete are needed. The procedure includes:

Stop all activity on the affected partition to prevent inode overwriting (unmount, stop services, disconnect network if necessary).

Optionally create a raw backup of the partition using dd if=/dev/vdb1 of=/path/backup.img.

Install extundelete (download source, extract, configure, make, install).

Run extundelete with appropriate options to restore files, directories, all files, or specific inodes.

Key commands:

umount /dev/vdb1</code><code>wget http://nchc.dl.sourceforge.net/project/extundelete/extundelete/0.2.4/extundelete-0.2.4.tar.bz2</code><code>tar jxvf extundelete-0.2.4.tar.bz2</code><code>cd extundelete-0.2.4</code><code>./configure</code><code>make</code><code>make install</code><code>extundelete /dev/vdb1 --restore-file passwd</code><code>extundelete /dev/vdb1 --restore-directory deletetest</code><code>extundelete /dev/vdb1 --restore-all</code><code>extundelete /dev/vdb1 --restore-inode 14

Recovered files are placed in a RECOVERED_FILES directory. Note that restored inodes may receive generic filenames and should be renamed as needed.

Conclusion

The article provides practical commands for both scenarios, emphasizing the importance of acting quickly, avoiding further writes to the disk, and using the appropriate recovery method based on whether the original process is still alive.