Once we run out of disk space, we frequently search the filesystem of our Linux computer for certain files we no longer require and delete them. Unfortunately, deleting files might be unsuccessful if there are active processes that have references to them. In this situation, we can halt each process that maintains an open reference before removing the files.
However, this might also be problematic. For instance, some programs shouldn't be terminated during working hours. As a solution, this article will provide a comprehensive tutorial covering all the necessary steps to help you find, remove, and recover deleted files with lsof.
Part 1. What Is the lsof Command?
The lsof command in Unix and Linux systems stands for "List Open Files." It is a powerful tool for reporting information about files that are open by active processes on a system. The lsof command provides information about open files used by processes, such as network sockets, regular files, directories, block special files, and special character files.
- The syntax of the lsof command is as follows:
The options used with the lsof command determine the information that will be displayed and the format in which it will be presented.
The lsof command has numerous options, and the table below lists the most commonly used arguments.
|lsof||Lists all open files|
|-b||Hides kernel blocks|
|/ [file system] /||Displays open files in a specified file system|
|/dev/tty*||Shows files associated with the terminal|
|-u [username]||Prints open files owned by a particular user|
|-u ^[username]||Prints open files owned by all users except a specific one|
|-c [process]||Lists all files used by a particular process|
|-p [process ID]||Displays all open files linked to a specific process ID|
|-p ^[process ID]||Shows open files used by all other process IDs|
|-R||Lists parent process IDs|
|+D [directory path]||Prints all open files in a directory|
|-i||Shows all files used by network connections|
|-i [IP version number]||Filters files based on their IP version|
|- i [udp or tcp]||Filters open files based on connection type (TCP or UDP)|
|-i :[port number]||Finds processes running on a specified port|
|-i :[port range]||Finds processes running on a range of ports|
|-t [file name]||Lists process IDs that have accessed a specific file|
|# kill -9 'lsof -t -u [user]'||Kills all processes owned by a user|
|-d mem||Displays all memory-mapped files|
|[path] | grep deleted||Prints locked deleted files|
|man||Opens the manual page|
Part 2. How To Find and Remove Files That Are Open But Have Been Deleted With lsof?
Let us first grasp the concept. A Linux file is a link to an inode, consisting of all of the file's properties of the data blocks on the disk that comprise the file's content. When you rm a file, you remove the link to its inode but not the inode itself; other processes may still use it. Only after they've finished, and all links have been removed is an inode and the data blocks it pointed to made available for writing.
Even if the file seems to disappear in the directory listing, the data is elsewhere if a process still has it open.
The/proc directory will come into play in the Linux process pseudo-filesystem. Every process on the system has its directory with its name, which contains many things, including an fd (file descriptor) subdirectory with links to all files the process has open. Even if a file has been deleted from the filesystem, a copy of the data is still present:
Step 1. To determine where to go, obtain the process id and file descriptor of the process that has the file open by using lsof. Once you've obtained that information from lsof, copy the data from /proc.
- Create a text file:
$ man lsof | col -b > myfile
Step 2. Then examine the contents of the file you just created:
- The less command should display a plaintext version of lsof's massive man page.
$ less myfile
Step 3. To suspend the less command, press Ctrl-Z.
- Check that your file is still present at the shell prompt:
$ ls -l myfile
-rw-r--r-- 1 jimbo jimbo 114383 Oct 31 16:14 myfile
$ stat myfile
Size: 114383 Blocks: 232 IO Block: 4096 regular file
Device: 341h/833d Inode: 1276722 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 1010/ jimbo) Gid: ( 1010/ jimbo)
Access: 2006-10-31 16:15:08.423715488 -0400
Modify: 2006-10-31 16:14:52.684417746 -0400
Change: 2006-10-31 16:14:52.684417746 -0400
Step 4. Please remove it.
- This time it's no longer there.
$ rm myfile
$ ls -l myfile
ls: myfile: No such file or directory
$ stat myfile
stat: cannot stat `myfile': No such file or directory
At this point, you should not authorize the process of continuing to use the file to exit, as doing so will result in the file being lost forever.
Part 3. How To Recover Deleted Files Using lsof?
After finding and removing open files that have been deleted, we will recover them now by lsof. If a file has been deleted but is still open by a process, lsof can display information about the file, including its file descriptor, process ID, and full path.
Step 1. Take a look at what lsof has to say about it:
$ lsof | grep myfile
less 4158 jimbo 4r REG 3,65 114383 1276722 /home/jimbo/myfile (deleted)
The first column shows the command name associated with the process, the second column contains the process id, and the fourth column contains the file descriptor (the "r" indicates that it is a regular file). You know that process 4158 has the file open and the file descriptor 4. That's all you need to know to copy it out of /proc.
Step 2. Because you're restoring the file, you might think that using the -a flag with cp is the right thing to do — but it's NOT a good thing to do.
- Instead of copying the file's literal data, you'll be copying a now-broken symbolic link to the file as it was previously listed in its original directory:
$ ls -l /proc/4158/fd/4
lr-x------ 1 jimbo jimbo 64 Oct 31 16:18 /proc/4158/fd/4 -> /home/jimbo/myfile (deleted)
$ cp -a /proc/4158/fd/4 myfile.wrong
$ ls -l myfile.wrong
lrwxr-xr-x 1 jimbo jimbo 24 Oct 31 16:22 myfile.wrong -> /home/jimbo/myfile (deleted)
$ file myfile.wrong
myfile.wrong: broken symbolic link to `/home/jimbo/myfile (deleted)'
$ file /proc/4158/fd/4
/proc/4158/fd/4: broken symbolic link to `/home/jimbo/myfile (deleted)'
- So, instead of all of that, a simple cp will be enough:
$ cp /proc/4158/fd/4 myfile.saved
- Finally, double-check that you did everything correctly:
$ ls -l myfile.saved
-rw-r--r-- 1 jimbo jimbo 114383 Oct 31 16:25 myfile.saved
$ man lsof | col -b > myfile.new
$ cmp myfile.saved myfile.new
Part 4. A Simple Alternative to lsof to Recover Deleted Files in Linux
If you're looking for a user-friendly alternative to lsof for recovering deleted files, consider using a Linux file recovery software like Wondershare Recoverit. Unlike lsof, a command line tool, Recoverit has a simple graphical user interface (GUI) that makes it easy to use, even for people with little or no technical experience. With Recoverit, you can quickly scan your computer's hard drive and recover deleted files with just a few clicks.
Wondershare Recoverit - Your Safe and Reliable Linux Recovery Software
5,481,435 people have downloaded it.
Recovers lost or deleted documents, photos, videos, music, emails, and other 1000+ file types effectively, safely, and completely.
Compatible with all mainstream Linux distros, including Ubuntu, Linux Mint, Debian, Fedora, Solus, Opensuse, Manjaro, etc.
Assists in 500+ data loss scenarios, such as deletion, disk formatting, OS crash, power outage, virus attack, lost partition, and many more.
The simple point-and-click interface allows you to recover data from Linux hard drives in just a few clicks.
Works through a remote connection. You can recover lost data even when your Linux device is crashed.
We'll show you how to use Wondershare Recoverit in Linux to recover deleted data. If you find reading instructions hard to follow, here's a video clip with a more in-depth tutorial for you to watch.
For Windows Vista/7/8/10/11
For macOS X 10.10 - macOS 13
Step 1. Recoverit Linux Recovery
Launch the Wondershare Recoverit software on your Linux device. Then, select the NAS and Linux options on the main interface's left side. To continue, select Linux Recovery.
Step 2. Linux Remote Connection
In the new window that appears, fill it with the necessary information to establish a remote connection. Once finished, press Connect.
While you wait for the connection to be established, Recoverit will begin an automatic search for lost data on a Linux computer.
Step 3. Recovery Process
Depending on how much data is being scanned, the scanning procedure may take some time; the scanning status is displayed in the bottom bar. Recoverit's best feature is the ability to pause scanning whenever a file is to be restored.
When the scanning process is complete, Recoverit allows you to inspect the files to ensure they are the ones you want to recover. Select Recover to save the file to your Linux device.
The software will prompt you to select a location for the recovered files on your device. Make sure you go to a different location than where you lost your files previously.
For Windows Vista/7/8/10/11
For macOS X 10.10 - macOS 13
In conclusion, "lsof" is a useful command line utility for displaying information about files opened by processes in Unix-like systems. However, finding and recovering files that are open but have been deleted is a complex process and requires a certain level of technical expertise. In such cases, file recovery software like Recoverit can be a more user-friendly alternative, providing a simple GUI for quickly scanning and recovering deleted files.