mirror of
https://github.com/LCTT/TranslateProject.git
synced 2025-01-13 22:30:37 +08:00
geekpi
GitHub
commit
5cf92ade99
@ -1,148 +0,0 @@
|
||||
translating---geekpi
|
||||
|
||||
HOW TO RECOVER DELETED FILES STILL RUNNING WITH ACTIVE PROCESSES ON LINUX
|
||||
============================================================
|
||||
|
||||
A quick guide for recovering deleted files which still have running processes on your Linux system using Terminal.
|
||||
|
||||
In many cases, deleted files are applicable to recover even if the file has an active process and currently used by a single or multiple users. On Linux system every currently running process gets ID and it will be stated as a process identifier “PID” and all stacked up in /proc directory. This exactly what we need to recover deleted files which still running and it has a PID. So, here’s how we are going to do that.
|
||||
|
||||
Let’s say you have opened a compressed file and later on you have deleted this file. For the demonstration purpose, the compressed file is called “opengapps.zip” that would be the file we will open and deleted afterward.
|
||||
|
||||
### CALCULATE THE MD5 HASH OF THE ORIGINAL FILE
|
||||
|
||||
We will calculate the MD5 for this file before deleting it. So, we could compare the original MD5 hash to the MD5 hash of the recovered file. This process will guarantee that the integrity of the compressed file we have recovered is the same and it’s not corrupted.
|
||||
|
||||
```
|
||||
md5sum opengapps.zip >> md5-opengapps.txt
|
||||
```
|
||||
|
||||
To display the content of the text file
|
||||
|
||||
```
|
||||
cat md5-opengapps.txt
|
||||
```
|
||||
|
||||
```
|
||||
Terminal Output
|
||||
86489b68b40d144f0e00a0ea8407f7c0 opengapps.zip
|
||||
```
|
||||
|
||||
After checking the MD5 hash for the compressed file. We will keep the compressed file opened and we will delete it. Afterward, we will start with the recovering process of that file with the following steps:
|
||||
|
||||
```
|
||||
rm opengapps.zip
|
||||
```
|
||||
|
||||
### THE RECOVERING PROCESS FOR A DELETED FILE
|
||||
|
||||
As we have mentioned earlier the running processes are available in the /proc directory. We can search for that process we need inside that directory with the following command:
|
||||
|
||||
Since we already know that the filename includes .zip file extension we could search using .zip extension. It will limit the output result and display the required process.
|
||||
|
||||
```
|
||||
ps -axu | grep .zip
|
||||
```
|
||||
|
||||
```
|
||||
Terminal Output
|
||||
m 13119 0.8 1.0 121788 30788 ? Sl 06:17 0:00 file-roller /home/m/Downloads/Compressed/opengapps.zip
|
||||
m 13164 0.0 0.0 5108 832 pts/20 S+ 06:18 0:00 grep --color=auto .zip
|
||||
```
|
||||
|
||||
Then we will navigate to the directory which includes the process with PID **13119** and open /fd directory.
|
||||
|
||||
```
|
||||
cd /proc/13119/fd
|
||||
```
|
||||
|
||||
/fd (file descriptor) directory includes multiple files including the file we need to recover. That file is connected with a hard link to the original one we kept running in the background. All files inside /fd directory comes with numbers for the “file name”. So, to identify which one of these files is linked to the original one, we will list the /fd directory contents with long listing format option.
|
||||
|
||||
```
|
||||
ls -l
|
||||
```
|
||||
|
||||
```
|
||||
Terminal Output
|
||||
total 0
|
||||
lr-x------ 1 m m 64 Jul 14 06:17 0 -> /dev/null
|
||||
lrwx------ 1 m m 64 Jul 14 06:17 1 -> socket:[26161]
|
||||
lrwx------ 1 m m 64 Jul 14 06:17 10 -> anon_inode:[eventfd]
|
||||
lr-x------ 1 m m 64 Jul 14 06:17 11 -> anon_inode:inotify
|
||||
lrwx------ 1 m m 64 Jul 14 06:17 12 -> socket:[5752671]
|
||||
lr-x------ 1 m m 64 Jul 14 06:17 13 -> /home/m/Downloads/Compressed/opengapps.zip (deleted)
|
||||
lrwx------ 1 m m 64 Jul 14 06:17 2 -> socket:[26161]
|
||||
lrwx------ 1 m m 64 Jul 14 06:17 3 -> anon_inode:[eventfd]
|
||||
lrwx------ 1 m m 64 Jul 14 06:17 4 -> anon_inode:[eventfd]
|
||||
lrwx------ 1 m m 64 Jul 14 06:17 5 -> socket:[5751361]
|
||||
lrwx------ 1 m m 64 Jul 14 06:17 6 -> anon_inode:[eventfd]
|
||||
lrwx------ 1 m m 64 Jul 14 06:17 7 -> anon_inode:[eventfd]
|
||||
lrwx------ 1 m m 64 Jul 14 06:17 8 -> socket:[5751363]
|
||||
lrwx------ 1 m m 64 Jul 14 06:17 9 -> socket:[5751365]
|
||||
```
|
||||
|
||||
As you can see in the terminal output, that the original file “opengapps.zip” has been deleted and it is still linked to a file name **13** with the process PID **13119**. However, we still can recover it by copying the file linked to it to a safe location.
|
||||
|
||||
```
|
||||
cp 13 /home/m/Downloads/Compressed
|
||||
```
|
||||
|
||||
After the file has been copied. we will return the directory which includes the recovered file and rename it with the following command.
|
||||
|
||||
```
|
||||
mv 13 opengapps-recovered.zip
|
||||
```
|
||||
|
||||
### CALCULATE THE MD5 HASH OF THE RECOVERED FILE
|
||||
|
||||
Since we had recovered the file. let’s check the integrity of the file, just to make sure the file is not corrupted and it’s as same as the original one. Earlier we have saved the MD5 hash for the original file.
|
||||
|
||||
```
|
||||
md5sum opengapps-recovered.zip >> md5-opengapps.txt
|
||||
```
|
||||
|
||||
This command will check MD5 hash for the file and it will overwrite the text file to include the MD5 hash for the new recovered file to easily compare both MD5 hashes.
|
||||
|
||||
Time to display the contents of the text file to compare both MD5 hashes of the original file and recovered file.
|
||||
|
||||
```
|
||||
cat md5-opengapps.txt
|
||||
```
|
||||
|
||||
```
|
||||
Terminal Output
|
||||
86489b68b40d144f0e00a0ea8407f7c0 opengapps.zip
|
||||
86489b68b40d144f0e00a0ea8407f7c0 opengapps-recovered.zip
|
||||
```
|
||||
|
||||
The MD5 hash for the recovered file is the same. So, we successfully recovered the file we had deleted earlier and it has been recovered with the same file integrity and works fine.
|
||||
|
||||
[][5]
|
||||
|
||||
**Note:** in some cases, some files are not visible with **ps -axu** command. So, try to check the application running that file to recover the file from it running process.
|
||||
|
||||
Let’s say we have a video with .avi extension running using Totem media player. All you need to check the PID of the Totem application and go through the same instructions mentioned in this example.
|
||||
|
||||
To find out the PID of a running application use the following command followed by the application name.
|
||||
|
||||
```
|
||||
pidof application name
|
||||
```
|
||||
Support Us By Sharing
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
|
||||
via: http://www.linuxnov.com/recover-deleted-files-still-running-active-processes-linux/
|
||||
|
||||
作者:[mhnassif ][a]
|
||||
译者:[译者ID](https://github.com/译者ID)
|
||||
校对:[校对者ID](https://github.com/校对者ID)
|
||||
|
||||
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
|
||||
|
||||
[a]:http://www.linuxnov.com/author/mhnassif/
|
||||
[1]:http://www.linuxnov.com/author/mhnassif/
|
||||
[2]:http://www.linuxnov.com/category/how-to/
|
||||
[3]:http://www.linuxnov.com/category/shell-cli/
|
||||
[4]:http://www.linuxnov.com/recover-deleted-files-still-running-active-processes-linux/#comments
|
||||
[5]:http://www.linuxnov.com/wp-content/uploads/2017/07/Recovering-a-deleted-file-using-terminal-LinuxNov.png
|
||||
@ -0,0 +1,146 @@
|
||||
如何在 Linux 中恢复仍在活动进程中的已删除文件
|
||||
============================================================
|
||||
|
||||
使用终端恢复你 Linux 系统上仍在运行进程的已删除文件的快速指南。
|
||||
|
||||
许多情况下,删除的文件都可以恢复,即使该文件具有活动进程,并且目前被单个或多个用户使用。在 Linux 系统中,每个当前正在运行的进程都会获得 ID,并将其显示为进程标识符 “PID”,并将它们存放在 /proc 目录中。这正是我们需要恢复仍在运行的已删除的文件,并且它具有PID。所以,这就是我们如何做到这一点的。
|
||||
|
||||
假设你打开了一个压缩文件,之后你已经删除了这个文件。为了演示目的,压缩文件称为 “opengapps.zip”,这将是之后我们将打开和删除的文件。
|
||||
|
||||
### 计算原始文件的 MD5 哈希
|
||||
|
||||
删除之前,我们将计算该文件的 MD5。这样我们可以将原来的 MD5 哈希值与恢复文件的 MD5 哈希进行比较。这个过程将保证我们恢复的压缩文件的完整性是一样的,它没有被破坏。
|
||||
|
||||
```
|
||||
md5sum opengapps.zip >> md5-opengapps.txt
|
||||
```
|
||||
|
||||
要显示文本文件的内容。
|
||||
|
||||
```
|
||||
cat md5-opengapps.txt
|
||||
```
|
||||
|
||||
```
|
||||
终端输出
|
||||
86489b68b40d144f0e00a0ea8407f7c0 opengapps.zip
|
||||
```
|
||||
|
||||
检查压缩文件的 MD5 哈希值之后。我们将保持打开的压缩文件,并将其删除。之后,我们将从文件的恢复过程开始,步骤如下:
|
||||
|
||||
```
|
||||
rm opengapps.zip
|
||||
```
|
||||
|
||||
### 删除文件的恢复过程
|
||||
|
||||
正如我们前面提到的,运行的进程在 /proc 目录中。我们可以使用以下命令搜索该目录中需要的进程:
|
||||
|
||||
由于我们已经知道文件名包括 .zip 扩展名,因此我们可以使用 .zip 扩展名进行搜索。它将限制输出结果并显示所需的进程。
|
||||
|
||||
```
|
||||
ps -axu | grep .zip
|
||||
```
|
||||
|
||||
```
|
||||
终端输出
|
||||
m 13119 0.8 1.0 121788 30788 ? Sl 06:17 0:00 file-roller /home/m/Downloads/Compressed/opengapps.zip
|
||||
m 13164 0.0 0.0 5108 832 pts/20 S+ 06:18 0:00 grep --color=auto .zip
|
||||
```
|
||||
|
||||
然后我们将进入到包含 PID **13119** 的目录并打开 /fd 目录。
|
||||
|
||||
```
|
||||
cd /proc/13119/fd
|
||||
```
|
||||
|
||||
/fd (文件描述符)目录包含多个文件,包括我们需要恢复的文件。该文件链接到我们在后台运行的原始硬链接。 /fd 目录中的所有文件都带有作为“文件名”的数字。因此,要确定这些文件中的哪一个链接到原始文件,我们将用详细列表选项列出 /fd 目录。
|
||||
|
||||
```
|
||||
ls -l
|
||||
```
|
||||
|
||||
```
|
||||
终端输出
|
||||
total 0
|
||||
lr-x------ 1 m m 64 Jul 14 06:17 0 -> /dev/null
|
||||
lrwx------ 1 m m 64 Jul 14 06:17 1 -> socket:[26161]
|
||||
lrwx------ 1 m m 64 Jul 14 06:17 10 -> anon_inode:[eventfd]
|
||||
lr-x------ 1 m m 64 Jul 14 06:17 11 -> anon_inode:inotify
|
||||
lrwx------ 1 m m 64 Jul 14 06:17 12 -> socket:[5752671]
|
||||
lr-x------ 1 m m 64 Jul 14 06:17 13 -> /home/m/Downloads/Compressed/opengapps.zip (deleted)
|
||||
lrwx------ 1 m m 64 Jul 14 06:17 2 -> socket:[26161]
|
||||
lrwx------ 1 m m 64 Jul 14 06:17 3 -> anon_inode:[eventfd]
|
||||
lrwx------ 1 m m 64 Jul 14 06:17 4 -> anon_inode:[eventfd]
|
||||
lrwx------ 1 m m 64 Jul 14 06:17 5 -> socket:[5751361]
|
||||
lrwx------ 1 m m 64 Jul 14 06:17 6 -> anon_inode:[eventfd]
|
||||
lrwx------ 1 m m 64 Jul 14 06:17 7 -> anon_inode:[eventfd]
|
||||
lrwx------ 1 m m 64 Jul 14 06:17 8 -> socket:[5751363]
|
||||
lrwx------ 1 m m 64 Jul 14 06:17 9 -> socket:[5751365]
|
||||
```
|
||||
|
||||
正如你在终端输出中看到的,原始文件 “opengapps.zip” 已被删除,但它仍然链接到一个文件名 **13**,并具有进程 PID **13119**。但是,我们仍然可以通过将链接文件复制到安全的地方来恢复。
|
||||
|
||||
```
|
||||
cp 13 /home/m/Downloads/Compressed
|
||||
```
|
||||
|
||||
文件复制后。我们将返回包含恢复文件的目录,并使用以下命令重命名它。
|
||||
|
||||
```
|
||||
mv 13 opengapps-recovered.zip
|
||||
```
|
||||
|
||||
### 计算恢复文件的 MD5 哈希
|
||||
|
||||
由于我们已经恢复了该文件。让我们检查该文件的完整性,这只是为了确保文件没有损坏,并且和原来一样。早先我们保存了原始文件的 MD5 哈希值。
|
||||
|
||||
```
|
||||
md5sum opengapps-recovered.zip >> md5-opengapps.txt
|
||||
```
|
||||
|
||||
该命令将检查文件的 MD5 哈希值,并在文件中追加新恢复文件的 MD5 哈希值,以轻松比较两个 MD5 哈希值。
|
||||
|
||||
可以显示文本文件的内容来比较原始文件和恢复文件的 MD5 哈希值。
|
||||
|
||||
```
|
||||
cat md5-opengapps.txt
|
||||
```
|
||||
|
||||
```
|
||||
终端输出
|
||||
86489b68b40d144f0e00a0ea8407f7c0 opengapps.zip
|
||||
86489b68b40d144f0e00a0ea8407f7c0 opengapps-recovered.zip
|
||||
```
|
||||
|
||||
恢复文件的 MD5 哈希是一样的。所以,我们成功地恢复了我们以前删除的文件,并且恢复后文件完整性一致,并且工作正常。
|
||||
|
||||
[][5]
|
||||
|
||||
**注意:** 在某些情况下,某些文件无法通过 **ps -axu** 命令看到。 所以,尝试检查运行的程序,并从中恢复文件。
|
||||
|
||||
假设我们有一个使用 Totem 媒体播放器播放中的以 .avi 为扩展名的视频。你需要做的就是检查 Totem 的 PID,并按照本示例中提到的相同说明进行操作。
|
||||
|
||||
要查找正在运行的程序的 PID,请使用以下命令,后面跟程序的名称。
|
||||
|
||||
```
|
||||
pidof application name
|
||||
```
|
||||
通过分享支持我们
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
|
||||
via: http://www.linuxnov.com/recover-deleted-files-still-running-active-processes-linux/
|
||||
|
||||
作者:[mhnassif ][a]
|
||||
译者:[geekpi](https://github.com/geekpi)
|
||||
校对:[校对者ID](https://github.com/校对者ID)
|
||||
|
||||
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
|
||||
|
||||
[a]:http://www.linuxnov.com/author/mhnassif/
|
||||
[1]:http://www.linuxnov.com/author/mhnassif/
|
||||
[2]:http://www.linuxnov.com/category/how-to/
|
||||
[3]:http://www.linuxnov.com/category/shell-cli/
|
||||
[4]:http://www.linuxnov.com/recover-deleted-files-still-running-active-processes-linux/#comments
|
||||
[5]:http://www.linuxnov.com/wp-content/uploads/2017/07/Recovering-a-deleted-file-using-terminal-LinuxNov.png
|
||||
Loading…
Reference in New Issue
Block a user