Recovering deleted files
Recovering deleted files with a little luck, lsof and /proc
Have you ever deleted a file by mistake from the console you were working in? I guess so: a thousand curses cast at the mistake, and the time lost once it has happened.
In this article we discuss the lsof utility. With this program, the information in /proc and a little luck, we can probably recover a file that magically disappeared from the system when it was accidentally deleted. The 'little luck' we are talking about is that the deleted file was being accessed by some program at the moment it was deleted. Below we will see an example of how to perform this recovery.
First let's look briefly at how we can access the information or status of a file. For this we can use the stat program. Let's see how it works:
First we create a text file:
user@test# echo "THIS IS A TEST FILE OF TEXT" > file_example.txt
We can then use stat to get information about this file:
user@test# stat file_example.txt
  File: `file_example.txt'
  Size: 39 Blocks: 8 IO Block: 4096 regular file
Device: 301h/769d Inode: 512495 Links: 1
Access: (0644/-rw-r--r--) Uid: (1000/user) Gid: (1000/user)
Access: 2008-02-04 22:28:57.000000000 +0100
Modify: 2008-02-04 22:28:57.000000000 +0100
Change: 2008-02-04 22:28:57.000000000 +0100
Some of this information can also be obtained with the ls command:
user@test# ls -li file_example.txt
512495 -rw-r--r-- 1 root root 39 2008-02-04 22:28 file_example.txt
The piece of this information we are interested in for this article is the inode. According to Wikipedia, an inode can be defined as:
"... a data structure belonging to the file systems traditionally used on UNIX operating systems, as is the case with Linux. An inode contains the characteristics (permissions, dates, location, but not the name) of a regular file, directory, or any other object the file system can contain.
The term "inode" usually refers to disk inodes (on block-mode devices) that store regular files, directories and symlinks. The concept is particularly important for the recovery of damaged file systems.
Each inode is identified by an inode number, unique within the file system, and directories contain a list of pairs formed by an inode number and an identifying name, which allows access to the file in question: each file has one inode, but it may have more than one name, even within the same directory, for easier location."
In our case our file is inode 512495; this is the file's identifier in the system. When we delete a file with the rm command, what we actually delete is the reference to the inode in question; for a time that inode will remain in our system, but we can no longer see it, and it looks as if the deleted file has disappeared from the system.
If a program is accessing the file we have deleted, we are in luck. That program holds a reference to the inode of the deleted file, and as long as we do not close the program we can restore the file's contents. (A case many of us have surely run into in the past is deleting the log file of some system service (apache, postgresql, mysql, etc.) while the service is running.)
Below is a complete session, from deleting a file to recovering it:
We open our example file with less (for example):
user@test# less file_example.txt
THIS IS A TEST FILE OF TEXT
file_example.txt (END)
Press Ctrl+Z to suspend less without terminating it (the program keeps our file open, but stays suspended):
user@test# less file_example.txt
[1]+ Stopped less file_example.txt
We check that our file is intact:
user@test# ls -li file_example.txt
512495 -rw-r--r-- 1 root root 39 2008-02-04 22:28 file_example.txt
We delete it... accidentally ;-)
user@test# rm file_example.txt
We find that it no longer exists in our directory:
user@test# ls -li file_example.txt
ls: file_example.txt: No such file or directory
As mentioned above, this is the same situation as with a log file. We use lsof to check whether any program is accessing the file we have deleted:
user@test# lsof | grep file_example.txt
less 28410 user 4r REG 3,1 39 512495 /home/user/file_example.txt (deleted)
It should come as no surprise that the program accessing our deleted file is less. The columns that interest us on this line are the PID of the program accessing the file (28410) and the FD column, the file descriptor (4r) that references our file's inode (512495).
With this information we go to /proc, the virtual filesystem that exposes information about our Linux system:
user@test# ls -l /proc/28410/fd/4
lr-x------ 1 user user 64 2008-02-04 22:38 /proc/28410/fd/4 -> /home/user/file_example.txt (deleted)
As expected, a reference to the deleted file. What we have to do now is copy the data that /proc/28410/fd/4 refers to, and we have to do it while less is still running: once the last program holding the file closes it, the inode is freed and this reference disappears. For the copy we can simply use the cp command:
user@test# cp /proc/28410/fd/4 file_example.txt.restaurado
Now it no longer matters what we do with the less program, because our deleted file has already been recovered:
user@test# cat file_example.txt.restaurado
THIS IS A TEST FILE OF TEXT
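The same recovery done by scanning /proc directly instead of calling lsof, and generalized to every process at once rather than one known PID. This is an added example, not code from the original article; the function names (recover_deleted, demo) and the naming scheme for the recovered copies are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the original article: walk /proc/<pid>/fd
# directly (the same data lsof reads) to find descriptors whose target has
# been unlinked, and copy each one out before the holding process exits.
# The function name and output naming scheme are this example's own.
#
# usage: recover_deleted <name-fragment> <output-dir>
# Prints "<pid> <fd> <target> -> <copy>" per recovered file; returns 0 if any.
recover_deleted() {
    frag=$1; outdir=$2; found=0
    mkdir -p "$outdir"
    for fd in /proc/[0-9]*/fd/*; do
        # the kernel appends " (deleted)" to the link target once it is unlinked
        target=$(readlink "$fd" 2>/dev/null) || continue
        case "$target" in
            *"$frag"*" (deleted)") ;;
            *) continue ;;
        esac
        pid=${fd#/proc/}; pid=${pid%%/*}
        fdnum=${fd##*/}
        copy="$outdir/$(basename "${target% (deleted)}").pid$pid.fd$fdnum"
        # cp through the fd link reads the still-allocated inode, as in the article
        if cp "$fd" "$copy" 2>/dev/null; then
            found=$((found + 1))
            echo "$pid $fdnum $target -> $copy"
        fi
    done
    [ "$found" -gt 0 ]
}

# Self-contained demo with a constructed file: a background sleep holds it open
# on fd 3, we delete it, then recover it through /proc. Returns 0 when the
# recovered copy matches the original contents.
demo() {
    dir=$(mktemp -d)
    printf 'THIS IS A TEST FILE OF TEXT\n' > "$dir/file_example.txt"
    sleep 30 3< "$dir/file_example.txt" &
    holder=$!
    rm "$dir/file_example.txt"
    rc=0
    recover_deleted file_example.txt "$dir/out" >/dev/null || rc=1
    kill "$holder" 2>/dev/null
    [ "$rc" -eq 0 ] &&
        [ "$(cat "$dir/out/file_example.txt.pid$holder.fd3")" = 'THIS IS A TEST FILE OF TEXT' ]
}
```

/proc/<pid>/fd is only readable by the process owner (or root), so run the scan as root to see descriptors held by system services such as the log files mentioned above.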
In this article we needed a bit of luck not to lose our file; in future articles we will look at other techniques to use when luck is not on our side. That's all for today, enjoy it.