Recover deleted files on Linux server

Hi Guys,

Greetings!

I have executed the cronjob that runs the shell script which is in a directory. When the cronjob was executed, I found that the directory where the script resides has been deleted.

Note: The directory was deleted by another user, not the root user.

The issue is that no backup of the files was taken before running the cronjob, and those are important files.

For the files which need recovery, I followed some links that suggested some steps to find out the files which were lost and a recovery process without the need for open source data recovery tools.

In one of the YouTube links, the admin provided some steps to get back the lost files.

As a first step, the command below needs to be executed:
ps -aux | grep <filename>
Please find the ps command attachment for reference.

As an output, I could find the file and process ID.

When I go to the next step, with the process ID, and run this: cd /proc/<pid>
I got an error saying file not found, as shown in the proc command attachment.

Can you please suggest the steps to recover the files?

Thank you,
Reminisce

Sorry you deleted your directory.

There is no really easy way to recover deleted files on Linux; but some have had success with:

debugfs

Linux 2.6 - man page for debugfs (linux section 8)

Hi Neo,

The files which were deleted on the server are used for testing the applications. So I need to be careful before performing any unmounting process.

I am new to doing these steps to recover the files.

Can you help me with this?

Thanks,
Reminisce

The trick is to use a tool to find the inode of the deleted file and then recover it.

So, maybe you should first create a file and note the inode number:

linux:/tmp# echo 'This is a test' > file.txt
linux:/tmp# ls -li file.txt
8259623 -rw-r--r-- 1 root root 15 Nov 10 06:27 file.txt

Now you have the inode number of file.txt

Next, you need to know the name of the filesystem where your file was deleted, perhaps using df -Th or mount if you do not know.

Try the above in the /tmp directory, post back your output and also post back your results and the name of your filesystem (/dev/md2, /dev/sda1, etc.).

We will go from there.

Thanks Neo.

I have followed the steps one by one as mentioned below:

i. Created the file in the /tmp directory
ii. Listed the inode number of the created file: testk.txt
iii. Used df -h <deleted dir path>

[root@ip-XX-XX-XX-XX tmp]# echo "test" > testk.txt
[root@ip-XX-XX-XX-XX tmp]# ls -li testk.txt
12876576 -rw-r--r--. 1 root root 5 Nov 10 12:47 testk.txt
[root@ip-XX-XX-XX-XX tmp]# df -h /home/user
Filesystem      Size  Used Avail Use% Mounted on
/dev/xvda2       50G   19G   32G  37% /

Done with the steps. Please suggest the next steps to perform.

Thanks,
Reminisce

Before we proceed, we need to know what filesystem you are using.

So, please let us know the filesystem (ext2, ext2, etc.) you are using on /dev/xvda2.

This is the filesystem that is mounted on:
/dev/xvda2 on / type xfs (rw,relatime,seclabel,attr2,inode64,noquota)

I could not see any extension file system on the server. Maybe it's because it is a remote server.

Thanks,
Mounika M

That is irrelevant - dead is dead and deleted is deleted.

That may help as long as the process is running: when a file is deleted the system routine unlink() is used, which deletes the inode (and thus every possibility to access the file's data). As long as at least one process still has this file opened, though, the unlink() is postponed, so the process can still access the file even though "from outside" the file already ceases to exist.

This means, if you can somehow get "inside" the process in question and if you can bring the process to write the file (or, at least, its inode information) then you can use this to restore the file, otherwise it is lost.

You might have luck with trying TestDisk as long as you haven't done anything further on that filesystem. My suggestion is to unmount it as soon as possible (preferably: NOW!) because the longer it is in use the bigger the chance that data which are still there (but inaccessible right now) will be overwritten (=definitely and ultimately lost forever).

I hope this helps.

bakunin
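
The behaviour described in the post above (an unlinked file stays readable while a process still has it open) is what the /proc/<pid> step from the original question depends on. As an added example that is not part of any post in this thread, the shell function below copies such files out through /proc/<pid>/fd; the names recover_deleted and demo and the sample file are constructed for illustration, and it only works while the holding process is still running.

```shell
#!/bin/sh
# Copy out every regular file that process PID still holds open although its
# name has been unlinked. The kernel marks such descriptors by appending
# " (deleted)" to the link target under /proc/PID/fd.
# Prints the number of files recovered into DEST.
recover_deleted() (
    pid=$1; dest=$2; count=0
    [ -d "/proc/$pid/fd" ] || { echo "no such process: $pid" >&2; exit 1; }
    mkdir -p "$dest" || exit 1
    for fd in /proc/"$pid"/fd/*; do
        target=$(readlink "$fd") || continue
        case $target in
            *' (deleted)') ;;          # name is gone, inode is still alive
            *) continue ;;
        esac
        [ -f "$fd" ] || continue       # skip sockets, pipes, anonymous inodes
        name=$(basename "${target% (deleted)}")
        # Reading through the /proc link reopens the inode itself.
        cp "$fd" "$dest/fd${fd##*/}_$name" && count=$((count + 1))
    done
    echo "$count"
)

# Constructed demonstration: this shell plays the process that still has
# the file open (descriptor 9) at the moment the file is deleted.
demo() {
    DEMO_DIR=$(mktemp -d) || return 1
    printf 'echo "nightly job"\n' > "$DEMO_DIR/job.sh"   # constructed sample file
    exec 9< "$DEMO_DIR/job.sh"
    rm "$DEMO_DIR/job.sh"
    recover_deleted "$$" "$DEMO_DIR/recovered" > /dev/null
    exec 9<&-
}

# Stand-alone use: sh recover.sh PID DEST
if [ $# -eq 2 ]; then
    recover_deleted "$1" "$2"
fi
```

Write DEST to a different filesystem than the one the files were deleted from, so the copy does not overwrite blocks that other recovery attempts may still need.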

For debugfs to work on linux systems you need to use lsdel (list deleted files), for example:

linux:/tmp# debugfs /dev/md0 

debugfs 1.44.1 (24-Mar-2018)
debugfs:  lsdel
debugfs: 

However, according to the man page:

This means that debugfs should not work for a zfs file system.

I do not use the xfs filesystem on any server, so I cannot help on xfs .

I suggest you find something similar to debugfs that works on the xfs filesystem which will help you locate deleted files (if the deleted inode entries have not yet been cleared).

Hint: Try searching for:
