zzOzz/gist:1a12485befeb1ffd600732ffa8923761

## gistfile1.txt
If a running program still has the deleted file open, you can recover the file through the open file descriptor in /proc/[pid]/fd/[num]. To determine if this is the case, you can attempt the following:

$ lsof | grep "/path/to/file"
If the above gives output of the form:

progname 5383 user 22r REG 8,1 16791251 265368 /path/to/file
take note of the PID in the second column, and the file descriptor number in the fourth column. Using this information you can recover the file by issuing the command:

$ cp /proc/5383/fd/22 /path/to/restored/file
If you're not able to find the file with lsof, you should immediately remount the file system which housed the file read-only:

$ mount -o remount,ro /dev/[partition]
or unmount the file system altogether:

$ umount /dev/[partition]
The reason for this is that as soon as the file has been unlinked, and there are no remaining hard links to the file in question, the underlying file system may free the blocks previously allocated for the deleted file, at which point the blocks may be allocated to another file and their contents overwritten. Ceasing any further writes to the file system is therefore time critical if any recovery is to be possible. If the file system is the root file system or cannot be made read-only or unmounted for some other reason, it might be necessary to shutdown the system (if possible) and continue the recovery from a live environment where you can leave the target file system read-only.

After writes to the file system have been prevented, there is no immediate hurry to attempt the actual recovery. To play it safe, you might want to make a backup of the file system to perform the actual recovery on:

$ dd bs=4M if=/dev/[partition] of=/path/to/backup
The next steps now depend on the file system type. Assuming a typical Ubuntu installation, you most likely have a ext3 or ext4 file system. In this case, you may attempt recovery using extundelete. Recovery may be attempted safely on either the backup, or the raw device, as long as it is not mounted (or it is mounted read-only). DO NOT ATTEMPT RECOVERY FROM A LIVE FILE SYSTEM. This will most likely bring the file system to an inconsistent state.

extundelete will attempt restore any files it finds to a subdirectory of the current directory named RECOVERED_FILES. Typical usage to restore all deleted files from a backup would be:

$ extundelete /path/to/backup --restore-all
	If a running program still has the deleted file open, you can recover the file through the open file descriptor in /proc/[pid]/fd/[num]. To determine if this is the case, you can attempt the following:

	$ lsof \| grep "/path/to/file"
	If the above gives output of the form:

	progname 5383 user 22r REG 8,1 16791251 265368 /path/to/file
	take note of the PID in the second column, and the file descriptor number in the fourth column. Using this information you can recover the file by issuing the command:

	$ cp /proc/5383/fd/22 /path/to/restored/file
	If you're not able to find the file with lsof, you should immediately remount the file system which housed the file read-only:

	$ mount -o remount,ro /dev/[partition]
	or unmount the file system altogether:

	$ umount /dev/[partition]
	The reason for this is that as soon as the file has been unlinked, and there are no remaining hard links to the file in question, the underlying file system may free the blocks previously allocated for the deleted file, at which point the blocks may be allocated to another file and their contents overwritten. Ceasing any further writes to the file system is therefore time critical if any recovery is to be possible. If the file system is the root file system or cannot be made read-only or unmounted for some other reason, it might be necessary to shutdown the system (if possible) and continue the recovery from a live environment where you can leave the target file system read-only.

	After writes to the file system have been prevented, there is no immediate hurry to attempt the actual recovery. To play it safe, you might want to make a backup of the file system to perform the actual recovery on:

	$ dd bs=4M if=/dev/[partition] of=/path/to/backup
	The next steps now depend on the file system type. Assuming a typical Ubuntu installation, you most likely have a ext3 or ext4 file system. In this case, you may attempt recovery using extundelete. Recovery may be attempted safely on either the backup, or the raw device, as long as it is not mounted (or it is mounted read-only). DO NOT ATTEMPT RECOVERY FROM A LIVE FILE SYSTEM. This will most likely bring the file system to an inconsistent state.

	extundelete will attempt restore any files it finds to a subdirectory of the current directory named RECOVERED_FILES. Typical usage to restore all deleted files from a backup would be:

	$ extundelete /path/to/backup --restore-all