Monday, September 30, 2013

Recover a file with lsof

Just a quick and dirty guide to recovering a deleted file with lsof.



lsof (List Open Files) is a *nix tool that will show open files and network connections. Of course, it's also available for OS X.
You can also use it to recover deleted files: if you delete a file by mistake while some process still has it open, the data is still on disk and can be copied back.
For example, to recover a missing messages log used by Syslog you can search for it via this command:
bash:~  lsof | grep messages
You should see something similar to:
syslogd   15328      root    2w      REG              253,2   1419873               983175 /var/log/messages.5 (deleted)
You want to find the entry marked as deleted in parentheses. The process (15328) still has the file open. Without this process keeping the file open, the data would already be gone for good. This is important: once the process stops, you won't be able to reach the file this way, so avoid rebooting or stopping the process until after you've recovered the lost file.

We can read the missing data through the proc filesystem, using the process id (15328) and the file descriptor (fd). The fd is the 4th column in the lsof output above (2w in this example: descriptor 2, opened for writing):
bash:~  cat /proc/15328/fd/2
This outputs the contents of the deleted messages.5 file. As you can see, the data is still there. Now, just redirect the contents back to /var/log/messages.5:
bash:~  cat /proc/15328/fd/2 > /var/log/messages.5
That's all there is to it. You have recovered the file with all its data back to its original location. You should also restart the process that writes to the recovered file(s): it is still writing to the old, unlinked inode, not to the file you just recreated.
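The same recovery as an added example (not code from the original post), written as a POSIX shell script that reads /proc/<pid>/fd directly, which is where lsof gets the "(deleted)" information. It assumes Linux with /proc mounted and that you run it as the owner of the process or as root. The function names list_deleted_fds, recover_fd and demo_recover are chosen for this example, and the log line used in the demo is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: the recovery described above
# done directly against /proc, which is where lsof gets its information.
# Assumes Linux with /proc mounted; run as the owner of the process or root.

# list_deleted_fds PID
# Print "FD PATH" for every descriptor of PID whose target is marked
# "(deleted)": the same entries lsof flags, read here via readlink instead.
list_deleted_fds() {
    pid="$1"
    for link in /proc/"$pid"/fd/*; do
        target=$(readlink "$link" 2>/dev/null) || continue
        case "$target" in
            *' (deleted)') printf '%s %s\n' "${link##*/}" "${target% (deleted)}" ;;
        esac
    done
}

# recover_fd PID FD DEST
# Copy the data of the still-open inode to DEST. Opening /proc/PID/fd/FD
# by path gives a fresh read handle on the inode, so it works even when the
# process itself holds the file write-only (lsof's "2w").
recover_fd() {
    pid="$1"; fd="$2"; dest="$3"
    readlink /proc/"$pid"/fd/"$fd" >/dev/null 2>&1 || {
        echo "recover_fd: /proc/$pid/fd/$fd does not exist" >&2
        return 1
    }
    cat /proc/"$pid"/fd/"$fd" > "$dest"
}

# demo_recover
# Self-contained walk-through with a constructed log line: keep a file open
# in a background process, delete it, find it, copy it back, then clean up.
# Returns 0 when the recovered file contains the original line.
demo_recover() {
    dir=$(mktemp -d) || return 1
    log="$dir/messages.5"
    printf 'Sep 30 12:00:00 host syslogd: constructed sample line\n' > "$log"

    exec 3<"$log"          # open it here first so the child cannot race rm
    sleep 30 &             # background process inherits fd 3, like syslogd
    holder=$!
    exec 3<&-              # drop our own copy; only the child holds it now

    rm "$log"              # the data now lives only behind the open fd
    found=$(list_deleted_fds "$holder")
    recover_fd "$holder" 3 "$log"
    status=$?

    kill "$holder" 2>/dev/null
    wait "$holder" 2>/dev/null || true
    if [ "$status" -eq 0 ] \
       && printf '%s\n' "$found" | grep -q '^3 .*/messages\.5$' \
       && grep -q 'constructed sample line' "$log"; then
        status=0
    else
        status=1
    fi
    rm -rf "$dir"
    return "$status"
}
```

The file is opened in the parent shell before the background process is started so that the child always holds it by the time rm runs; in a real incident the process has, of course, had the file open all along. recover_fd refuses to run when the descriptor is gone, which is exactly the situation the post warns about: once the writing process exits, there is nothing left to copy from.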
This is just one of many examples of how lsof can be very useful. Be sure to check out the man pages and other docs.