Skip to main content

Bring back deleted files with lsof

There you are, happily playing around with an audio file you've spent all afternoon tweaking, and you're thinking, "Wow, doesn't it sound great? Lemme just move it over here." At that point your subconscious chimes in, "Um, you meant mv, not rm, right?" Oops. I feel your pain -- this happens to everyone. But there's a straightforward method to recover your lost file, and since it works on every standard Linux system, everyone ought to know how to do it.

Briefly, a file as it appears somewhere on a Linux filesystem is actually just a link to an inode, which contains all of the file's properties, such as permissions and ownership, as well as the addresses of the data blocks where the file's content is stored on disk. When you rm a file, you're removing the link that points to its inode, but not the inode itself; other processes (such as your audio player) might still have it open. It's only after they're through and all links are removed that an inode and the data blocks it pointed to are made available for writing.

This delay is your key to a quick and happy recovery: if a process still has the file open, the data's there somewhere, even though according to the directory listing the file already appears to be gone.

This is where the Linux process pseudo-filesystem, the /proc directory, comes into play. Every process on the system has a directory here with its name on it, inside of which lies many things -- including an fd ("file descriptor") subdirectory containing links to all files that the process has open. Even if a file has been removed from the filesystem, a copy of the data will be right here:

/proc/process id/fd/file descriptor

To know where to go, you need to get the id of the process that has the file open, and the file descriptor. These you get with lsof, whose name means "list open files." (It actually does a whole lot more than this and is so useful that almost every system has it installed. If yours isn't one of them, you can grab the latest version straight from its author.)

Once you get that information from lsof, you can just copy the data out of /proc and call it a day.

This whole thing is best demonstrated with a live example. First, create a text file that you can delete and then bring back:

$ man lsof | col -b > myfile

Then have a look at the contents of the file that you just created:

$ less myfile

You should see a plaintext version of lsof's huge man page looking out at you, courtesy of less.

Now press Ctrl-Z to suspend less. Back at a shell prompt make sure your file is still there:

$ ls -l myfile  -rw-r--r--  1 jimbo jimbo 114383 Oct 31 16:14 myfile  $ stat myfile    File: `myfile'    Size: 114383          Blocks: 232        IO Block: 4096   regular file  Device: 341h/833d       Inode: 1276722     Links: 1  Access: (0644/-rw-r--r--)  Uid: ( 1010/    jimbo)   Gid: ( 1010/    jimbo)  Access: 2006-10-31 16:15:08.423715488 -0400  Modify: 2006-10-31 16:14:52.684417746 -0400  Change: 2006-10-31 16:14:52.684417746 -0400  

Yup, it's there all right. OK, go ahead and oops it:

$ rm myfile  $ ls -l myfile  ls: myfile: No such file or directory  $ stat myfile  stat: cannot stat `myfile': No such file or directory  $  

It's gone.

At this point, you must not allow the process still using the file to exit, because once that happens, the file will really be gone and your troubles will intensify. Your background less process in this walkthrough isn't going anywhere (unless you kill the process or exit the shell), but if this were a video or sound file that you were playing, the first thing to do at the point where you realize you deleted the file would be to immediately pause the application playback, or otherwise freeze the process, so that it doesn't eventually stop playing the file and exit.

Now to bring the file back. First see what lsof has to say about it:

$ lsof | grep myfile  less      4158    jimbo    4r      REG       3,65   114383   1276722 /home/jimbo/myfile (deleted)  

The first column gives you the name of the command associated with the process, the second column is the process id, and the number in the fourth column is the file descriptor (the "r" means that it's a regular file). Now you know that process 4158 still has the file open, and you know the file descriptor, 4. That's everything you have to know to copy it out of /proc.

You might think that using the -a flag with cp is the right thing to do here, since you're restoring the file -- but it's actually important that you don't do that. Otherwise, instead of copying the literal data contained in the file, you'll be copying a now-broken symbolic link to the file as it once was listed in its original directory:

$ ls -l /proc/4158/fd/4  lr-x------  1 jimbo jimbo 64 Oct 31 16:18 /proc/4158/fd/4 -> /home/jimbo/myfile (deleted)  $ cp -a /proc/4158/fd/4 myfile.wrong  $ ls -l myfile.wrong  lrwxr-xr-x  1 jimbo jimbo 24 Oct 31 16:22 myfile.wrong -> /home/jimbo/myfile (deleted)  $ file myfile.wrong  myfile.wrong: broken symbolic link to `/home/jimbo/myfile (deleted)'  $ file /proc/4158/fd/4  /proc/4158/fd/4: broken symbolic link to `/home/jimbo/myfile (deleted)'  

So instead of all that, just a plain old cp will do the trick:

$ cp /proc/4158/fd/4 myfile.saved

And finally, verify that you've done good:

$ ls -l myfile.saved  -rw-r--r--  1 jimbo jimbo 114383 Oct 31 16:25 myfile.saved  $ man lsof | col -b > myfile.new  $ cmp myfile.saved myfile.new  

No complaints from cmp -- your restoration is the real deal.

Incidentally, there are a lot of useful things you can do with lsof in addition to rescuing lost files.

source: http://archive09.linux.com/articles/58142

Popular posts from this blog

Privacy Policy

Another Pratama Privacy Statement What follows is the Privacy Statement for all Another Pratama websites (a.k.a. blogs) including all the websites run under the computer.pratama.us domain. Please read this statement regarding our blogs. If you have questions please ask us via our contact form. Email Addresses You may choose to add your email address to our contact list via the forms on our websites. We agree that we will never share you email with any third party and that we will remove your email at your request. We don’t currently send advertising via email, but in the future our email may contain advertisements and we may send dedicated email messages from our advertisers without revealing your email addresses to them. If you have any problem removing your email address please contact us via our contact form. Ownership of Information Another Pratama is the sole owner of any information collected on our websites. Comments/Message Boards Most Another Pratama websites contain com...

Extend a LVM partition after increasing its virtual disk on Virtualbox

No Linux machine at work? the easy way could be to simply install Virtualbox in one of the PC, create a VDI and install Ubuntu 14.04 in it. But the day will come when you need more space! Here is how to resize it: Resize Virtualbox VDI Open Virtualbox, make sure to shutdown your virtual machine. Then open a terminal (here windows): 1 2 3 4 cd “ C : \ Program Files \ Oracle \ VirtualBox ” VBoxManage list vms VBoxManage clonehd uuid 0000000000000000 backup . vdi VBoxManage modifyhd uuid 0000000000000000 -- resize 204800 This is the Virtualbox official manual  of available commands. And  this is a website  to convert Gb into Mb (–resize takes Mb as input, 200Gb = 204800Mb). Boot Gparted to resize the partition After a default install of Ubuntu Server on one physical disk, you will have a SWAP partition, and then an extended partition in which you’ll have your LVM partition (So 3 partitions).  Download Gparted  .iso,...

DirectX Standard Multimedia Development on Windows

In the past, game programmers create their own plot between device and the software. Because Computer Architecture is complicated, so it hard to obtain the desired speed for real animation, manufactures of sound cards and display adapter had to write drive for various display adaptor, it made the development of game is really hard. And if you know, most computer games were written for MS-DOS. Maybe you remember game Mario Bross, F1, Prince of Persia and others. Then Microsoft released MS Windows, so the game developer made game for its OS. And for the easier of programmer made their game, Microsoft give an idea that made programmer can make a standard plot to connect with hardware. This idea introduce in 1995 and at last it become a standard for develop multimedia on Windows platform named DirectX.