Thursday, July 25, 2013

Recover Accidentally Deleted Files from Linux

While working as an admin, there are times when I remove an important log file or configuration file by accident. On a GUI-based Linux environment the file can be recovered from the Trash, but on a command-line-only system it is a little more involved. This article shows how to recover a file that was accidentally deleted from the Linux command line.

Consider a Tomcat process that writes its log output to a file named jboss.log, and suppose this file has been deleted.

One important thing to keep in mind: the process that is using the deleted file must be kept running. The kernel only keeps the file's data on disk while something still references it, so once that process exits (or closes the descriptor) the contents are gone for good. In the case above, if jboss.log is deleted but the Tomcat process is still running, we can recover the file.

lsof (list open files) is a command available on Linux that shows which files are currently open and by which process, with many filtering options. This is the command that helps us recover the file.

If you just run lsof:

root@hunter-tmp $ lsof | head
init                1         root   cwd     unknown                                 /proc/1/cwd
init                1         root   rtd       unknown                                /proc/1/root

The columns in the output mean the following:
The Command, PID and User columns give the name of the process, its process identifier (PID) and the owner's name, respectively. The Device, SIZE/OFF, Node and Name columns describe the file itself: the device it lives on, the size of the file (or current offset), its inode (the file's identity on the disk) and its actual path name.

The FD and Type columns are the most important ones and provide more information on how the file is being used. The FD column represents the file descriptor, which is how the application sees the file. The Type column gives more description about what form the file takes.

The cwd value refers to the application's current working directory, which is the directory that the application was started from. A number refers to the application's file descriptor, which is an integer returned upon opening the file.

So when we run lsof and grep for the deleted file:

root@hunter - $ lsof | grep jboss.log
java       1786   ds002   85w      REG    253,1    63186    1015840 /software/jboss/6.0/logs/ABC-A2/jboss.log (deleted)
java       4566   ds002   64w      REG    253,1        0       1015847 /software/jboss/6.0/logs/DEF-A2/jboss.log

We see two files with the same name, but the first one is marked (deleted). This is the file we need to recover.

As mentioned earlier, a number in the FD column is the application's file descriptor, the integer returned when the file was opened. Every process starts with three file descriptors, 0 through 2, for the standard input, output and error streams, respectively.

The letter after the number gives the mode: u means the file is open for read/write, r for read-only and w for write-only. Because 0 to 2 are already taken, the files an application opens itself usually start at FD 3.

In the case above the FD column shows 85w: descriptor 85, open for writing. The data is therefore still reachable through /proc/<PID>/fd/, here /proc/1786/fd/.

In that directory we see a number of entries named by integer, one per open file descriptor. Among them is an entry named 85, which is a symlink to the deleted file (ls -l shows its target with "(deleted)" appended). Copying the entry 85 (cp follows the link and reads the still-open file) to a new path gives us back the contents of the deleted file.
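The whole procedure end to end, as an added example that is not part of the original post: a shell script that finds open files marked (deleted) by walking /proc directly (the equivalent of the lsof | grep step above), then copies the data back out through /proc/<PID>/fd/<FD>. It assumes Linux with /proc mounted; the jboss.log contents and the sleep process standing in for the Java process are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: recover a deleted-but-still-open file through /proc/<pid>/fd/<fd>.
# Assumes Linux with /proc mounted; jboss.log and the sleep-based holder are constructed.

# Walk /proc instead of lsof: print "pid fd path" for every open file whose
# path matches PATTERN and whose link target carries the " (deleted)" suffix.
find_deleted_fds() {
    pattern=$1
    for link in /proc/[0-9]*/fd/*; do
        target=$(readlink "$link" 2>/dev/null) || continue   # skip fds we may not inspect
        case "$target" in
            *"$pattern"*" (deleted)")
                pid=${link#/proc/}; pid=${pid%%/*}
                printf '%s %s %s\n' "$pid" "${link##*/}" "${target% (deleted)}"
                ;;
        esac
    done
}

# Copy the still-referenced data behind /proc/PID/fd/FD to DEST.
# cp follows the magic symlink, so it reads the open file, not the dead path.
recover_deleted_fd() {
    pid=$1; fd=$2; dest=$3
    link="/proc/$pid/fd/$fd"
    [ -e "$link" ] || { echo "no open descriptor at $link" >&2; return 1; }
    case "$(readlink "$link")" in
        *" (deleted)") ;;
        *) echo "note: $link is not marked (deleted); copying anyway" >&2 ;;
    esac
    cp "$link" "$dest"
}

# Constructed scenario: a background process holds jboss.log open on fd 3,
# the file is unlinked, and we recover it the way the article describes.
demo_recover() {
    tmp=$(mktemp -d)
    printf 'INFO  server started\nWARN  disk nearly full\n' > "$tmp/jboss.log"
    sleep 60 3< "$tmp/jboss.log" >/dev/null 2>&1 &      # stand-in for the java process
    holder=$!
    i=0; while [ ! -e "/proc/$holder/fd/3" ] && [ $i -lt 50 ]; do sleep 0.1; i=$((i+1)); done
    rm "$tmp/jboss.log"
    # Same information the page's "lsof | grep jboss.log" gave, taken from /proc here
    entry=$(find_deleted_fds jboss.log | grep "^$holder ") || { kill "$holder"; return 1; }
    set -- $entry                                       # $1=pid $2=fd $3=original path
    recover_deleted_fd "$1" "$2" "$tmp/jboss.log.recovered" || { kill "$holder"; return 1; }
    kill "$holder"
    cat "$tmp/jboss.log.recovered"                      # the two log lines come back
}
```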

Happy Learning