rajeshkumar created the topic: Recovering a Recently opended deleted files
Recovering a Recently opended deleted files
By using lsof, you can recover a deleted file that was opened already. This comes very handy when attacker gain access to the systems and has executed commands or has done some configuration changes, and then removes the log file(s) to erase evidence. A sysadmin can use this method to recover the filles which has been opened by some processess to check what all the hacker has changed.
The lsof – list open file is the command used for this:
lsof | grep “syslog” (List processess which has this file opened)
rsyslog 998 root 1w REG 8,3 141400 1237857 /var/log/syslog
Here the process 990 (PID) has opened the file ‘/var/log/syslog’ with the descriptor a ‘1’(1W).
To recover the content of the file, just run the following commands…
cat /proc/990/fd/1 > syslog.safe
you will have the content of the file stored in syslog.safe
Regards,
Rajesh Kumar
Twitt me @ twitter.com/RajeshKumarIn
- Implementing Managed IT Services: A Step-by-Step Guide - August 30, 2024
- DevOps Foundation Certification - August 29, 2024
- SRE Foundation Certification - August 29, 2024