Tip: Always wait for at least 2 minutes before deleting a newly created file.
Delete and undelete commands uses system metadata to track what all blocks are occupied.
When we create a file, the blocks are occupied in backend, however it gets reflected after 1-2 minutes to us.
Hence it is recommended to wait for 2 minutes and then run delete command to remove the newly created file saving its block information.
Create a new file and test the scenario
### Create a new file [root@ngelinux ~]# echo "hello this is test file 1" > ./ngelinux_file1.txt ### Check current time [root@ngelinux ~]# date Sun Feb 11 03:53:24 PST 2018 ### Try to delete the new file and in case it says empty file then press Ctrl+C [root@ngelinux ~]# delete ./ngelinux_file1.txt You are running this command with root This program DOES NOT GUARANTEE TO RECOVER ALL DATA Whatever data is KEPT ON BLOCKS & NOT OVERWRITTEN BY KERNEL CAN BE RECOVERED In case its overwritten then you will get the overwritten data and the old data can't be recovered unless you have backup :) Removing specified file ./ngelinux_file1.txt... The file is either empty(of zero size) or created just now. Wait for 2 minutes for its metadata to in place. Do you still want to contnue. Press enter to continue, or any other key to quit ? ^C[root@ngelinux ~]# ### Wait for 1 minute ### Now run delete command again [root@ngelinux ~]# delete ./ngelinux_file1.txt You are running this command with root This program DOES NOT GUARANTEE TO RECOVER ALL DATA Whatever data is KEPT ON BLOCKS & NOT OVERWRITTEN BY KERNEL CAN BE RECOVERED In case its overwritten then you will get the overwritten data and the old data can't be recovered unless you have backup :) Removing specified file ./ngelinux_file1.txt... ./ngelinux_file1.txt removed successfully. [root@ngelinux ~]# ### File is removed this time ### Check date again, its about 1 minute we have to wait at least. [root@ngelinux ~]# date Sun Feb 11 03:54:22 PST 2018
Try to recover the file
Since we have removed the file after metadata in place, it should recover if not overwritten.
Lets try it out.
[root@ngelinux ~]# undelete Starting now: Enter the file name to search in Database for restore, or press enter to view all files ? /usr/nglinux/deleteme/delete_v1.0/newfile1 638532 1 03-Feb-2018 23:59:03 /usr/nglinux/deleteme/delete_v1.0/testdir3/file3 0 1 04-Feb-2018 00:00:35 /usr/nglinux/deleteme/delete_v1.0/testdir3/file1 0 1 04-Feb-2018 00:00:37 /usr/nglinux/deleteme/delete_v1.0/testdir3/file2 0 1 04-Feb-2018 00:00:38 /usr/nglinux/deleteme/delete_v1.0/testdir3/file4 0 1 04-Feb-2018 00:00:39 /var/log/sa/sa21 m 340730 04-Feb-2018 00:05:05 /usr/nglinux/deleteperm/-h m 10-Feb-2018 08:45:00 /usr/nglinux/deleteme/-a m 10-Feb-2018 21:16:38 /usr/nglinux/deleteme/test 638631 3 10-Feb-2018 22:24:59 /home/nglinux/testfile2 3800746 1 10-Feb-2018 23:02:57 root /home/nglinux/abc1 3800748 1 10-Feb-2018 23:05:48 nglinux /usr/nglinux/deleteme/delete_v2.0/testfle1 0 1 11-Feb-2018 01:31:36 root /usr/nglinux/deleteme/delete_v2.0/joo1.txt 0 1 11-Feb-2018 01:43:58 root /usr/nglinux/deleteme/delete_v2.0/joo2.txt 638622 1 11-Feb-2018 01:45:22 root /home/nglinux/koo1.txt 3800750 1 11-Feb-2018 01:46:55 nglinux /home/nglinux/abc2 3800746 1 11-Feb-2018 01:54:59 nglinux /usr/nglinux/deleteme/delete_v2.0/tempfile3 638622 1 11-Feb-2018 02:14:28 root /home/nglinux/file22.txt 3800744 1 11-Feb-2018 02:20:10 nglinux /home/nglinux/file23.txt 3800745 1 11-Feb-2018 02:23:38 nglinux /root/core.17230 3851109 140 11-Feb-2018 02:25:29 root /home/nglinux/file23.txt2 3800745 1 11-Feb-2018 02:26:07 nglinux /root/./ngelinux_file1.txt 3800758 1 11-Feb-2018 03:54:00 root Enter the file name to search in Database for restore, or press enter to view all files ? ngelinux Searching filenames containing the string ngelinux .... Following files are found: 1. /root/./ngelinux_file1.txt deleted on 11-Feb-2018 at 03:54:00 of size 4 KB Enter the number of file which you want to try to restore or press Ctrl+C to exit ? 1 1+0 records in 1+0 records out 4096 bytes (4.1 kB) copied, 0.0227526 s, 180 kB/s dd if=/dev/sda1 of=/tmp/ngelinux_file1.txt bs=4096 count=4 skip=3800758 File ngelinux_file1.txt restored at /tmp/ngelinux_file1.txt... check if the contents are fine... else the data is over-written ### Check the recovered file [root@ngelinux ~]# cat /tmp/ngelinux_file1.txt hello this is test file 1 [root@ngelinux ~]#
If you remove the newly created file before its metadata in place, then it will not be recovered.