Before we start the recovery of deleted file lets understands some concepts.
When you start a new process, three file descriptors are created by default. These three file descriptors are called the standard file descriptors and are given the numbers 0, 1, 2. If you remember the Unix Philosophy, it says that everything in a UNIX/LINUX system is considered a file.
The Kernel maintains a Kernel File Table for every open file by any process. Each entry in this kernel file table is identified by our File Descriptor. Hence, any file opened by any process would have a file descriptor and that file would have its entry maintained in the kernel file table until it is closed. Another interesting fact is, even if the same file on the disk is opened by two different processes, they would have their own separate file table entries in the kernel file table with separate file descriptor values. This is needed to store the mode of open, current file position, etc for each opened instance of the file.
Generally, an entry in the kernel file table would consist of:
- File Descriptor
- Current File Position
- inode info
- vnode info
- file metadata
- etc
However, every process also has its own File Descriptor (FD) table, which is basically a data structure identifying the opened file instance and includes a pointer to the entry in the kernel file table. Each entry in this FD table is of the opened file in the process.
At the userspace level, the file pointer is used to read/write onto a file. Whereas, at the system level, it uses the lower level variable file descriptor.
Here is an abstract illustration:
Step to Recover Deleted File:
Step: 1 list or find the deleted file using lsof command as shown below:
In above output, the line highlighted with yellow color has different column such as process name, process ID, owner, a file descriptor (6), major, minor number and file name associated with the process.
Step: 2 before we recover /var/lib/nfs/etab.tmp (deleted) file. Let’s verify whether file is available or not as shown below.
Step: 3 let’s verify if “FD” corresponding to deleted file is available inside /proc.
Notice in above o/p that we are able to see fd – 6 means its available in /proc table.
Step: 4 now lets get restore it as shown
Step: 5 Verify if you got your file or not.
I hope that will help!!
Good article 🙂
thanks