Linux Operating System - Using lsof to Recover Deleted Files

Information

If an open file is deleted accidentally, lsof can be used to recreate a copy of the file, provided this is done before the application holding the file open closes it.

Details

If you have inadvertently removed a file from the filesystem, it is still recoverable if the application using the file is still running. This is because the inode is still open, and therefore the data blocks remain on the disk until the application closes the file or exits.

Through the use of lsof and /proc the file system entry for the file can be recreated.

The easiest way to explain this is by way of an example.

  1. Make a file:

    /> cd /tmp

    tmp> ls -lR / > /tmp/myfile

    tmp> ls -l myfile

    -rw-r--r-- 1 fred ftp 11567585 Nov 23 08:44 myfile

    tmp> stat myfile

      File: `myfile'
      Size: 11567585   Blocks: 22640   IO Block: 4096   regular file
    Device: 900h/2304d   Inode: 48871   Links: 1
    Access: (0644/-rw-r--r--)   Uid: ( 1900/fred)   Gid: (50/ftp)
    Access: 2006-11-23 08:44:32.000000000 +0000
    Modify: 2006-11-23 08:44:26.000000000 +0000
    Change: 2006-11-23 08:44:26.000000000 +0000

  2. Run something to hold the file open:

    scum 97 tmp> less myfile &

    [1] + Suspended (tty output) less myfile

  3. "Accidentally" remove the file:

    tmp> rm myfile

    tmp> ls -l myfile

    ls: myfile: No such file or directory

  4. Use lsof to show the open file descriptor of the process:

    tmp> lsof | grep myfile

    less  11230  fred  4r  REG  9,0  11567585  48871  /tmp/myfile (deleted)

    The second column is the PID of the process that has this file open and the fourth field the file descriptor that the process is using to access the file.

  5. Locate the open file descriptor in /proc:

    tmp> ls -l /proc/11230/fd/4

    lr-x------ 1 fred ftp 64 Nov 23 08:49 /proc/11230/fd/4 -> /tmp/myfile (deleted)

  6. The open file can now be copied back to its original location:

    tmp> cp /proc/11230/fd/4 myfile

    tmp> ls -l myfile

    -rw-r--r-- 1 fred ftp 11567585 Nov 23 08:54 myfile

    tmp> stat myfile

      File: `myfile'
      Size: 11567585   Blocks: 22640   IO Block: 4096   regular file
    Device: 900h/2304d   Inode: 48878   Links: 1
    Access: (0644/-rw-r--r--)   Uid: ( 1900/fred)   Gid: (50/ftp)
    Access: 2006-11-23 08:54:28.000000000 +0000
    Modify: 2006-11-23 08:54:28.000000000 +0000
    Change: 2006-11-23 08:54:28.000000000 +0000

NOTE: The new file has a different inode than the original, because it is a copy, NOT the original file opened by the process. This may be important, as any changes the application makes to the original after the copy has been made will not be recovered.

This procedure should also work on operating systems that implement fd access via /proc, such as IBM AIX and Sun Solaris. It does not work with Tru64 UNIX or HP-UX.
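
Steps 4 to 6 can be scripted without lsof by reading the /proc/PID/fd symlinks directly. The following is an added example, not part of the original article; the function names find_deleted_fds and recover_deleted are illustrative, and it assumes a Linux /proc and read permission on the holding process's descriptors.

```shell
#!/bin/sh
# Added example: recover a deleted-but-open file via /proc, without lsof.
# find_deleted_fds and recover_deleted are illustrative names.

# Print each /proc/PID/fd/N whose link target is "<path> (deleted)",
# the form shown by "ls -l /proc/PID/fd/N" in step 5.
find_deleted_fds() {
    target="$1 (deleted)"
    for fd in /proc/[0-9]*/fd/*; do
        # Descriptors of other users' processes are unreadable without root.
        link=$(readlink "$fd" 2>/dev/null) || continue
        if [ "$link" = "$target" ]; then
            printf '%s\n' "$fd"
        fi
    done
}

# Copy the first matching descriptor to <dest> and print the source used.
# Return codes: 1 = no holder found, 2 = dest exists, 3 = copy failed,
# 4 = the open file changed while it was being copied.
recover_deleted() {
    src=$(find_deleted_fds "$1" | head -n 1)
    [ -n "$src" ] || { echo "no process holds $1 open" >&2; return 1; }
    # Never overwrite: a file recreated at the old path may hold newer data.
    [ ! -e "$2" ] || { echo "refusing to overwrite $2" >&2; return 2; }
    # Reading /proc/PID/fd/N reads the still-allocated data blocks.
    cp "$src" "$2" || return 3
    # The copy is a snapshot; detect writes that landed during the copy.
    cmp -s "$src" "$2" || { echo "source changed during copy" >&2; return 4; }
    printf '%s\n' "$src"
}

# Usage: script.sh /tmp/myfile /tmp/myfile.recovered
if [ "$#" -eq 2 ]; then
    recover_deleted "$1" "$2"
fi
```

The path passed as the first argument must be the absolute path the file had when it was opened, since that is what the kernel records in the symlink target.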

Document ID: emr_na-c00833030-4