Recovering deleted file held by any process

1.Find the process id of the process or service which is using the file using htop,top,ps/service servicename status.

2.Do not kill the process or restart the service this will make the process/service release the files opened by it which were deleted.

3.In my case process id is 1658.

4.Now execute this command

ls -ll /proc/1658/fd

total 0
l-wx------ 1 root root 64 Jun  9 12:53 0 -> /dev/null
lrwx------ 1 root root 64 Jun  9 12:53 10 -> socket:[1740638]
lr-x------ 1 root root 64 Jun  9 12:53 11 -> /dev/random
lr-x------ 1 root root 64 Jun  9 12:53 12 -> /dev/urandom
lr-x------ 1 root root 64 Jun  9 12:53 3 -> /usr/java/jdk1.6.0_35/jre/lib/rt.jar
l-wx------ 1 root root 64 Jun  9 12:53 6 -> /logs/vussd.log
lr-x------ 1 root root 64 Jun  9 12:53 7 -> /usr/java/jdk1.6.0_35/jre/lib/resources.jar
lr-x------ 1 root root 64 Jun  9 12:53 8 -> /usr/java/jdk1.6.0_35/jre/lib/charsets.jar

5.Now lets delete the /logs/vussd.log log file used by this process using .

rm -f /logs/vussd.log.

6.Now again execute the step 4 command

ls -ll /proc/1658/fd

l-wx------ 1 root root 64 Jun  9 12:53 0 -> /dev/null
lrwx------ 1 root root 64 Jun  9 12:53 10 -> socket:[1740638]
lr-x------ 1 root root 64 Jun  9 12:53 11 -> /dev/random
lr-x------ 1 root root 64 Jun  9 12:53 12 -> /dev/urandom
lr-x------ 1 root root 64 Jun  9 12:53 3 -> /usr/java/jdk1.6.0_35/jre/lib/rt.jar
l-wx------ 1 root root 64 Jun  9 12:53 6 -> /logs/vussd.log (deleted)
lr-x------ 1 root root 64 Jun  9 12:53 7 -> /usr/java/jdk1.6.0_35/jre/lib/resources.jar
lr-x------ 1 root root 64 Jun  9 12:53 8 -> /usr/java/jdk1.6.0_35/jre/lib/charsets.jar
lrwx------ 1 root root 64 Jun  9 12:55 9 -> socket:[1740796]

7.Now we can see that file  /logs/vussd.log  is deleted.as file descriptor says /logs/vussd.log (deleted).

8.Now lets cross check

ls -ll /logs/
total 0

the output shows there is no file in /logs directory.

9.At this point do not kill the process or restart the service else the file held open in /proc directory will get released.

10.Now copy the deleted file using below command.

cp /proc/1658/fd/6  /tmp/vussd.log.

like wise we can recover any file which is held open by a process/service.

Advertisements
This entry was posted in Linux. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s