Recovering a Recently opended deleted files

rajeshkumar created the topic: Recovering a Recently opended deleted files
Recovering a Recently opended deleted files
By using lsof, you can recover a deleted file that was opened already. This comes very handy when attacker gain access to the systems and has executed commands or has done some configuration changes, and then removes the log file(s) to erase evidence. A sysadmin can use this method to recover the filles which has been opened by some processess to check what all the hacker has changed.

The lsof – list open file is the command used for this:

lsof | grep “syslog” (List processess which has this file opened)

rsyslog 998 root 1w REG 8,3 141400 1237857 /var/log/syslog

Here the process 990 (PID) has opened the file ‘/var/log/syslog’ with the descriptor a ‘1’(1W).

To recover the content of the file, just run the following commands…

cat /proc/990/fd/1 > syslog.safe

you will have the content of the file stored in syslog.safe
Regards,
Rajesh Kumar
Twitt me @ twitter.com/RajeshKumarIn

Tagged :