Recover Deleted Linux Files With lsof

One of the more neat things you can do with the versatile utility lsof is useit to recover a file you've just accidentally deleted.

A file in Linux is a pointer to an inode, which contains the filedata (permissions, owner and where its actual content lives on the disk). Deleting thefile removes the link, but not the inode itself - if another process has it open, theinode isn't released for writing until that process is done with it.

To try this out, create a test text file, save it and then type lesstest.txt. Open another terminal window, and type rm testing.txt. If youtry ls testing.txt you'll get an error message. But! less still has areference to the file. So:

> lsof | grep testing.txt less 4607 juliet 4r REG 254,4 21 8880214 /home/juliet/testing.txt (deleted)

The important columns are the second one, which gives you the PID of the process that has thefile open (4607), and the fourth one, which gives you the file descriptor (4). Now, we golook in /proc, where there will still be a reference to the inode, from whichyou can copy the file back out:

> ls -l /proc/4607/fd/4 lr-x------ 1 juliet juliet 64 Apr 7 03:19 /proc/4607/fd/4 -> /home/juliet/testing.txt (deleted) > cp /proc/4607/fd/4 testing.txt.bk

Note: don't use the -a flag with cp, as this willcopy the (broken) symbolic link, rather than the actual file contents.

Now check the file to make sure you've got what you think you have, and you'redone!

FROM: http://www.linuxplanet.com/linuxplanet/tips/6767/1/

REF: 

1. Finding open files with lsof

http://www.ibm.com/developerworks/aix/library/au-lsof.html

2. lsof – The most powerful, versitile, and underused Unix command

http://www.benharold.com/?p=14

3. 15 Linux lsof Command Examples (Identify Open Files)

http://www.thegeekstuff.com/2012/08/lsof-command-examples/