Recover Deleted Linux Files While Their Processes Remain Open

Why Deleted Files May Still Be Recoverable

When a program accesses a file, the operating system assigns a file descriptor and keeps the underlying inode alive even after the directory entry is removed with rm. As long as a process holds that descriptor, the file’s data remains reachable through the /proc/<pid>/fd interface.

Scenario Covered

The article focuses on the case where the file has been deleted but the process that opened it is still running, which often explains why disk space is not immediately reclaimed on servers.

Step‑by‑Step Demonstration

Create a test file and write some content.

vim rumenz.txt
123
# save and quit
cat rumenz.txt
123

Keep the file open with tail -f so the process stays alive. tail -f rumenz.txt Delete the file from another terminal. rm -f rumenz.txt Identify the process that still holds the deleted file using lsof . Install lsof if necessary ( yum install lsof or apt-get install lsof ).

lsof | grep delete | grep rumenz
# Example output:
# tail  10222  root  3r  REG  253,1  4  70911074 /root/test/rumenz.txt (deleted)

Inspect the process’s file‑descriptor directory to locate the deleted file.

cd /proc/10222/fd
ls -al
# Output shows a link like:
# 3 -> /root/test/rumenz.txt (deleted)

Recover the file by copying the descriptor to a new file.

cp 3 /root/test/rumenz.txt
cat /root/test/rumenz.txt
# Displays the original content "123"

Underlying Reason

The OS separates the directory entry from the actual data blocks. Deleting a file removes only the directory entry (the inode link), but any open file descriptor still points to the same inode, allowing I/O operations to continue. By accessing the descriptor via /proc, the file can be duplicated before the descriptor is closed.