August 10, 2022


Networking, PBX, IT, DIY Solution

How to recover files deleted by mistake under Linux system?

5 min read

How to recover files deleted by mistake under Linux system?


How to recover files deleted by mistake under Linux system?


1. Scenarios where Linux deletes data by mistake

In actual work, some people may accidentally delete the files on the Linux server by mistake.

And the more senior the engineer is, the easier it is to make such a mistake, and the speed of typing the code is fast enough rm -rf.

When newcomers operate documents, they are often trembling and repeatedly confirming, but it is not easy to make mistakes.

If you are also an engineer with many years of work experience, also remind yourself: be much careful when deleting something.

We need to distinguish between two scenarios to recover accidentally deleted files:

  • Scenario 1: The deleted file is being used by the process
  • Scenario 2: The file is not used by any process

Data recovery in the first scenario is relatively simple.




2. Scenario 1 Data Recovery Experiment

Scenario 1:

The deleted file is being used by other processes. We first create a separate directory testdel to complete our experiments.

Then use the echo command to create a file test-recovery.txt and put it in the testdel directory.

The content of the file is: “test file delete recovery”.

Here comes the point: we use the command tail to monitor this file all the time, which means that the file is always occupied by the tail process.


$ mkdir ./testdel;
$ echo "test file delete recovery" > ./testdel/test-recovery.txt;
$ tail -f ./testdel/test-recovery.txt;

At this point, we open a new Linux terminal and complete the file deletion operation.

After the file is deleted, lsno files can be viewed in this directory using the name.


$ rm -fr ./testdel/test-recovery.txt;
$ ls -l ./testdel

Next, let’s restore the file, execute the lsof command below, and in its return result, we can see that test-recovery.txt (deleted) has been deleted, but there is a process tail that uses it, and the process number of the tail process is 1535.


$ lsof | grep test-recovery.txt;
tail 1535 kafka 3r REG 253,2 26 34095906 /home/kafka/testdel/test-recovery.txt (deleted)

Then we use cd /proc/1535/fdthe command to enter the file directory of the process. 1535 is the process id of the tail process.

This file directory contains several files that the process is opening and using.


How to recover files deleted by mistake under Linux system?


We see the file named 3, which is the file we just “deleted by mistake”, so we restore it back using the cp command below.

At this point, the accidental deletion and recovery of files referenced by a process is completed.


cp ./3 /home/kafka/testdel/test-recovery.txt;




3. Scenario 2 Data Recovery

For scenario 2, if no program uses the file, it is a little more troublesome to restore the file after the file is deleted.

First of all, we need to distinguish the file format of the disk directory mounted by the current operating system.

For example, the cat /etc/fstabfollowing results are obtained by executing it.


How to recover files deleted by mistake under Linux system?


In addition to the xfs disk file format, Linux also commonly uses the ext4 disk file format.

Each disk file format, data recovery method, and tools used are different.

In view of the problem of space, I will not introduce it in this article, please follow me and I will continue to update!




4. Why data can be recovered?


The first case :

when a file is being used by a program, Linux has two counters for the file

  • i_count counter: The file may be used by multiple processes. Each process uses the file, and the i_count value will increase by 1. Conversely, if the process releases the reference to the file, the counter is decremented by 1
  • The function of i_nlink is to record the number of hard links generated by the file (in Linux, you can use the ln command to create a hard link to the file).


When the above two counters are both 0, the file actually belongs to the state that no process uses it, and it is deleted directly.

If a process uses it, then the i_count value of the file is not 0, and it can be retrieved in the /proc/<process id>/fddirectory


The second case :

no process uses the deleted file at this time, and the two counters i_count and i_link of the deleted file are both 0 at this time.

At this time, we need to understand a concept.

  • Operating system file deletion: Deleting a file at the operating system level just deletes the inode information of the file. After deleting the inode information, the file is invisible to the operating system and the user of the operating system.
  • Physical deletion of disk files: We know that a physical disk is composed of data blocks, so if we want to restore a file, we need to find the block unit of the data block that stores the file. The block that actually stores the file on the disk has not been deleted for the time being (accurately). is said to be temporarily not covered).


It should be noted that:

Will the content of the file storing the block unit of the data block always exist?

The answer is no, because the content of the data block is deleted, so the data block can be reused by other processes to write data.

So, when you find that you deleted a very important file by mistake, the first thing you need to do is to unmout the disk from the operating system, or stop all processes from writing data to the disk .

Because the writing data operation may occupy and overwrite the data block where your “misdeleted file” is located, once the data block is overwritten by the written data, your data file will never be found again.



Copyright © All rights reserved. | Newsphere by AF themes.