Tip: Always wait for at least 2 minutes before deleting a newly created file.

Delete and undelete commands uses system metadata to track what all blocks are occupied.

When we create a file, the blocks are occupied in backend, however it gets reflected after 1-2 minutes to us.

Hence it is recommended to wait for 2 minutes and then run delete command to remove the newly created file saving its block information.

Create a new file and test the scenario

### Create a new file
[root@ngelinux ~]# echo "hello this is test file 1" > ./ngelinux_file1.txt

### Check current time
[root@ngelinux ~]# date
Sun Feb 11 03:53:24 PST 2018

### Try to delete the new file and in case it says empty file then press Ctrl+C
[root@ngelinux ~]# delete ./ngelinux_file1.txt 

You are running this command with root

This program DOES NOT GUARANTEE TO RECOVER ALL DATA
Whatever data is KEPT ON BLOCKS & NOT OVERWRITTEN BY KERNEL CAN BE RECOVERED

In case its overwritten then you will get the overwritten data and the old data can't be recovered unless you have backup :)
Removing specified file ./ngelinux_file1.txt... 
The file is either empty(of zero size) or created just now.
Wait for 2 minutes for its metadata to in place.
Do you still want to contnue. Press enter to continue, or any other key to quit ?
^C[root@ngelinux ~]# 

### Wait for 1 minute
### Now run delete command again
[root@ngelinux ~]# delete ./ngelinux_file1.txt 

You are running this command with root

This program DOES NOT GUARANTEE TO RECOVER ALL DATA
Whatever data is KEPT ON BLOCKS & NOT OVERWRITTEN BY KERNEL CAN BE RECOVERED

In case its overwritten then you will get the overwritten data and the old data can't be recovered unless you have backup :)
Removing specified file ./ngelinux_file1.txt... 
./ngelinux_file1.txt removed successfully.
[root@ngelinux ~]# 

### File is removed this time
### Check date again, its about 1 minute we have to wait at least.
[root@ngelinux ~]# date
Sun Feb 11 03:54:22 PST 2018

Try to recover the file

Since we have removed the file after metadata in place, it should recover if not overwritten.
Lets try it out.

[root@ngelinux ~]# undelete 
Starting now:
Enter the file name to search in Database for restore, or press enter to view all files ? 

/usr/nglinux/deleteme/delete_v1.0/newfile1 638532 1 03-Feb-2018  23:59:03
/usr/nglinux/deleteme/delete_v1.0/testdir3/file3 0 1 04-Feb-2018  00:00:35
/usr/nglinux/deleteme/delete_v1.0/testdir3/file1 0 1 04-Feb-2018  00:00:37
/usr/nglinux/deleteme/delete_v1.0/testdir3/file2 0 1 04-Feb-2018  00:00:38
/usr/nglinux/deleteme/delete_v1.0/testdir3/file4 0 1 04-Feb-2018  00:00:39
/var/log/sa/sa21 m 340730 04-Feb-2018  00:05:05
/usr/nglinux/deleteperm/-h m  10-Feb-2018  08:45:00
/usr/nglinux/deleteme/-a m  10-Feb-2018  21:16:38
/usr/nglinux/deleteme/test 638631 3 10-Feb-2018  22:24:59
/home/nglinux/testfile2 3800746 1 10-Feb-2018  23:02:57 root
/home/nglinux/abc1 3800748 1 10-Feb-2018  23:05:48 nglinux
/usr/nglinux/deleteme/delete_v2.0/testfle1 0 1 11-Feb-2018  01:31:36 root
/usr/nglinux/deleteme/delete_v2.0/joo1.txt 0 1 11-Feb-2018  01:43:58 root
/usr/nglinux/deleteme/delete_v2.0/joo2.txt 638622 1 11-Feb-2018  01:45:22 root
/home/nglinux/koo1.txt 3800750 1 11-Feb-2018  01:46:55 nglinux
/home/nglinux/abc2 3800746 1 11-Feb-2018  01:54:59 nglinux
/usr/nglinux/deleteme/delete_v2.0/tempfile3 638622 1 11-Feb-2018  02:14:28 root
/home/nglinux/file22.txt 3800744 1 11-Feb-2018  02:20:10 nglinux
/home/nglinux/file23.txt 3800745 1 11-Feb-2018  02:23:38 nglinux
/root/core.17230 3851109 140 11-Feb-2018  02:25:29 root
/home/nglinux/file23.txt2 3800745 1 11-Feb-2018  02:26:07 nglinux
/root/./ngelinux_file1.txt 3800758 1 11-Feb-2018  03:54:00 root
Enter the file name to search in Database for restore, or press enter to view all files ? 
ngelinux
Searching filenames containing the string ngelinux ....


Following files are found:
1. /root/./ngelinux_file1.txt deleted on 11-Feb-2018 at 03:54:00 of size 4 KB
Enter the number of file which you want to try to restore or press Ctrl+C to exit ?
1

1+0 records in
1+0 records out
4096 bytes (4.1 kB) copied, 0.0227526 s, 180 kB/s
dd if=/dev/sda1 of=/tmp/ngelinux_file1.txt bs=4096 count=4 skip=3800758
File ngelinux_file1.txt restored at /tmp/ngelinux_file1.txt... check if the contents are fine... else the data is over-written

### Check the recovered file
[root@ngelinux ~]# cat /tmp/ngelinux_file1.txt 
hello this is test file 1
[root@ngelinux ~]# 

If you remove the newly created file before its metadata in place, then it will not be recovered.

Leave a Reply

avatar
  Subscribe  
Notify of