How to Recover Deleted Files in Linux?

4
222
linux training yoinsights surat

Before we start recovery of deleted file lets understand some concepts.

When you start a new process, three file descriptors are created by default. These three file descriptors are called the standard file descriptors and are given the numbers 0, 1, 2. If you remember the Unix Philosophy, it says that everything in a UNIX/LINUX system is considered a file.

Process allocation

The Kernel maintains a Kernel File Table for every open file by any process. Each entry in this kernel file table is identified by our File Descriptor. Hence, any file opened by any process would have a file descriptor and that file would have its entry maintained in the kernel file table until it is closed. Another interesting fact is, even if the same file on the disk is opened by two different processes, they would have their own separate file table entries in the kernel file table with separate file descriptor values. This is needed to store the mode of open, current file position, etc for each opened instance of the file.

Generally, an entry in the kernel file table would consist of:

  • File Descriptor
  • Current File Position
  • inode info
  • vnode info
  • file metadata
  • etc

Kernel File Table

However, every process also has its own File Descriptor (FD) table, which is basically a data structure identifying the opened file instance and includes a pointer to the entry in the kernel file table. Each entry in this FD table is of the opened file in the process.

At the userspace level, the file pointer is used to read/write onto a file. Whereas, at the system level, it uses the lower level variable file descriptor.
Here is an abstract illustration:

Step to Recover Deleted File:

Step: 1 list or find the deleted file using lsof command as shown below:

list deleted file

In above output, the line highlighted with yellow colour have different column such as process name, process ID, owner, file descriptor (6), major, minor number and file name associated with process.

Step: 2 before we recover /var/lib/nfs/etab.tmp (deleted) file. Let’s verify whether file is available or not as shown below.

verify file

Step: 3  let’s verify if “FD” corresponding to deleted file is available inside /proc.

verify FD

Notice in above o/p that we are able to see fd – 6 means its available in /proc table.

Step: 4 now  lets get restore it as shown

restore file

Step: 5 Verify if you got your file or not.

Verify file restored

I hope that will help!!

4 COMMENTS

  1. It is really a great and useful piece of info. I am glad that you just shared this helpful info with us. Please keep us up to date like this. Thanks for sharing.

LEAVE A REPLY

Please enter your comment!
Please enter your name here