How to list deleted files in UNIX?

Hi All,

It's an interview question. I just want to know the answer to the question below.

1) How to list deleted files in unix

Generally, you can't.

1 Like

Thanks... but if we want it from the recycle bin, then is there any way?

Or are recycle bins (such things) not available in Unix?

Sorry, this may be a silly question, but I am new to Unix.

Hello,

In *nix, deleted is deleted; no recycle bin like WIN!

Regards

1 Like

Diff from your backup?

Hi skrynesaver,

If we didn't take a backup, in that case I am trying to search for deleted files ...

Hi,

Without a backup there is not really any way to recover or list the deleted files; once you delete files in Unix/Linux, recovery is very difficult. I have had some luck with both "photorec" and "testdisk", but the system was not usable for a number of weeks while the recovery was ongoing.

Also I would say to you that if any new files have been created, it is almost certain that there have been a number of "inodes" and "data areas" overwritten.

Regards

Gull04

1 Like

Hello Priyanka,

Yes, we do not have a recycle bin in *NIX. We could use soft deletion (usually backup is the BEST option, but in case you don't have it). We could redefine the rm command for the particular user by changing it in the user's DOT profile (e.g. ~/.bashrc). Following are the steps which we could do for the same.
I- Create a script, let's say soft_deletion_script.ksh, which will have the following commands in it.

 #!/bin/sh
 mv "$@" /path/to/trash/folder
 

II- Add this into your DOT profile as follows.

 alias rm=Singh/is/King/move_to_trash.sh
 

III- To empty your trash periodically, you can configure a cron job.
In the above code, /path/to/trash/folder/ is the folder where you want to keep your deleted files.

NOTE: This should be tested in a TEST environment.

Thanks,
R. Singh

Interesting idea Ravinder...

On point III you could use find /path/to/trash/folder/ -mtime +7 -exec rm {} \; in a cron job in order to delete files over a week old (or adjust to suit)...
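A sturdier form of the soft-delete wrapper and the periodic purge from the two posts above, as an added example that is not part of the original thread. TRASH_DIR and the function names soft_rm, trash_list and trash_purge are assumptions made for illustration; each deletion gets its own slot directory so repeated names do not overwrite each other, and the purge ages files by deletion time rather than by the file's own mtime, which mv preserves.

```sh
#!/bin/sh
# Added example. TRASH_DIR, soft_rm, trash_list and trash_purge are
# illustrative names, not from the thread.
TRASH_DIR="${TRASH_DIR:-$HOME/.trash}"

# soft_rm [rm-options] FILE...: move each file into its own slot directory.
soft_rm() {
    mkdir -p "$TRASH_DIR" && chmod 700 "$TRASH_DIR" || return 1
    opts=1 rc=0
    for f in "$@"; do
        if [ "$opts" = 1 ]; then
            case "$f" in
                --)  opts=0; continue ;;
                -?*) continue ;;          # skip rm options such as -f or -r
            esac
        fi
        if [ ! -e "$f" ] && [ ! -L "$f" ]; then
            echo "soft_rm: $f: no such file" >&2; rc=1; continue
        fi
        dir=$(cd "$(dirname -- "$f")" && pwd -P) || { rc=1; continue; }
        slot=$(mktemp -d "$TRASH_DIR/XXXXXXXX") || { rc=1; continue; }
        # A fresh slot per deletion avoids clobbering an earlier file of the
        # same name; the index keeps the original path for listing.
        if mv -- "$f" "$slot/"; then
            printf '%s\t%s\n' "${slot##*/}" "$dir/$(basename -- "$f")" >> "$TRASH_DIR/.index"
        else
            rmdir "$slot"; rc=1
        fi
    done
    return "$rc"
}

# trash_list: print the original path of every file still in the trash.
# Paths containing newlines are not handled by this simple index format.
trash_list() {
    [ -f "$TRASH_DIR/.index" ] || return 0
    while IFS="$(printf '\t')" read -r slot path; do
        [ -d "$TRASH_DIR/$slot" ] && printf '%s\n' "$path"
    done < "$TRASH_DIR/.index"
    return 0
}

# trash_purge DAYS: remove slots deleted more than DAYS days ago. The slot
# directory's mtime is the deletion time; the file inside keeps its old mtime.
trash_purge() {
    find "$TRASH_DIR" -mindepth 1 -maxdepth 1 -type d -mtime +"$1" -exec rm -rf -- {} +
}
```

The trash directory holds everything a user thought was gone, so it is created mode 700 and should sit on storage with the same protection as the originals.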

What do you mean by 'list deleted files'? A file is just a name pointing to some data on the disk. If you delete a file ( rm ) you don't delete data. At least I can't remember right now a filesystem which deletes data at the same time you delete a pointer to it. You can have many pointers to the same data. In the UNIX world they are called hard links or links. If your data has several links and you remove just one of them, you effectively did nothing, except removing this name. If you removed the last link to the data, the data is marked 'free' and can be rewritten, but it doesn't mean it will be rewritten. You can use tools such as a file system debugger to find data on the disk and give them a new name (link). Or if a program which uses the deleted file is still running, you can restore the file on most UNIX systems.

If some process has the file still open you can recover it, otherwise no chance.
Check the link below for more details:
Recovering Deleted Files With lsof

1 Like
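The open-file case described in the two posts above, as an added example that is not part of the original thread: on Linux, a file that has been unlinked but is still held open shows up under /proc/PID/fd with " (deleted)" appended to its link target, and its data can be copied back out through that descriptor. The function names are assumptions made for illustration, and the scan only sees processes the caller is allowed to inspect.

```sh
#!/bin/sh
# Added example (Linux only: relies on /proc/PID/fd). list_deleted_open and
# recover_deleted are illustrative names, not from the thread.

# list_deleted_open [PID...]: print "PID FD PATH" for every open descriptor
# whose file has been unlinked. With no arguments, scan all readable processes.
list_deleted_open() {
    [ "$#" -gt 0 ] || set -- $(ls /proc | grep -E '^[0-9]+$')
    for pid in "$@"; do
        for fd in /proc/"$pid"/fd/*; do
            # Unreadable or vanished descriptors make readlink fail: skip them.
            target=$(readlink "$fd" 2>/dev/null) || continue
            case "$target" in
                /memfd:*|/SYSV*) ;;    # anonymous memory objects, not files
                /*" (deleted)")
                    # Caveat: a live file literally named "x (deleted)" also
                    # matches; confirm with the link count before trusting it.
                    printf '%s %s %s\n' "$pid" "${fd##*/}" "${target% (deleted)}" ;;
            esac
        done
    done
    return 0
}

# recover_deleted PID FD DEST: copy the still-open data out through /proc.
# This works only while the process keeps the descriptor open.
recover_deleted() {
    cp -- "/proc/$1/fd/$2" "$3"
}
```

During incident response the same listing is a quick check for log files or executables that were removed while a process was still using them.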

This article

data recovery - Unix/Linux undelete/recover deleted files - Unix & Linux Stack Exchange

seems to have good answers

Hi,

I had read this article before, there are a couple of assumptions.

  1. Your system uses a Journal File System.
  2. The system is in the main quiet.

Even if your system uses a JFS of some type, it may be that it is not active - as an example GFS allows you to journal at a file level but it has to be turned on.

On a very busy system it may well be that the inode and data space are reallocated very quickly so the data is overwritten. As an example, I worked in a wafer fab in the late 90's early 00's. One of the systems was used to control multiple diskless clients and was in receipt of many thousands of files an hour; recovering a file on this system would have been impossible even if it did have a JFS.

Regards

Gull04

1 Like

It depends on how you deleted the files in Unix. And what tools you have at your disposal. If you use the built-in rm then it is lost, but see below. If you use the desktop file manager (dolphin for KDE, thunar for xfce, etc.) then they will be in a "trash folder" accessible by the file manager. As RavinderSingh13 points out, you can write your own tool that can save "deleted" items until you properly flush them away.

But no matter how you delete them, if your system has locate and the locate database has not been refreshed yet (it normally refreshes overnight), you could try this:

$ locate "$PWD" | sort > /tmp/myfiles
$ find "$PWD" -print | sort > /tmp/myfiles2
$ comm -23 /tmp/myfiles /tmp/myfiles2

I'm not sure the sort is required with locate. What you will get is a list of lines unique to the first file, or if you prefer, a list of files that have been removed since the last refresh of the locate database.
This assumes the files were there overnight, otherwise locate won't list them.

You don't ask about recovering files, but provided the file system is backed up every night the files can be restored from the backup "tape".

Andrew