rajeshkumar created the topic: Recovering a Recently opended deleted files
Recovering a Recently opended deleted files
By using lsof, you can recover a deleted file that was opened already. This comes very handy when attacker gain access to the systems and has executed commands or has done some configuration changes, and then removes the log file(s) to erase evidence. A sysadmin can use this method to recover the filles which has been opened by some processess to check what all the hacker has changed.
The lsof – list open file is the command used for this:
lsof | grep “syslog” (List processess which has this file opened)
rsyslog 998 root 1w REG 8,3 141400 1237857 /var/log/syslog
Here the process 990 (PID) has opened the file ‘/var/log/syslog’ with the descriptor a ‘1’(1W).
To recover the content of the file, just run the following commands…
cat /proc/990/fd/1 > syslog.safe
you will have the content of the file stored in syslog.safe
Regards,
Rajesh Kumar
Twitt me @ twitter.com/RajeshKumarIn
I’m a DevOps/SRE/DevSecOps/Cloud Expert passionate about sharing knowledge and experiences. I have worked at Cotocus. I share tech blog at DevOps School, travel stories at Holiday Landmark, stock market tips at Stocks Mantra, health and fitness guidance at My Medic Plus, product reviews at TrueReviewNow , and SEO strategies at Wizbrand.
Do you want to learn Quantum Computing?
Please find my social handles as below;
Rajesh Kumar Personal Website
Rajesh Kumar at YOUTUBE
Rajesh Kumar at INSTAGRAM
Rajesh Kumar at X
Rajesh Kumar at FACEBOOK
Rajesh Kumar at LINKEDIN
Rajesh Kumar at WIZBRAND
Find Trusted Cardiac Hospitals
Compare heart hospitals by city and services — all in one place.
Explore Hospitals