26

I have one particular folder (`/home/sam/officedocuments`) which has hundreds of folders and files. I think I deleted some files and folders by mistake, but I'm not sure.

How to find which files / folders were:

  • deleted recently in Linux?
  • changed recently in Linux?

I just want to know which files and folders were deleted. Recovering those deleted files and folders is not important for me.

OS: CentOS

djsmiley2kStaysInside
sumit
  • 1
    You should tell us what filesystem you are using. For example, with ext2, ext3 and ext4 you could probably use the `ext3grep` utility to find out information about deleted files. With some scripting it should be possible to put together a simple application that lists deleted files based on a specific directory. These utilities, however, need raw access to the disk and as such are extremely dangerous if not used properly (_non-blocking read-only operations should be completely safe if you remember that writing to the disk at the same time could cause the current operation to return broken/incorrect data_). – Sampo Sarrala - codidact.org Jan 08 '13 at 21:59
  • If you use the command line to delete the files then the [history](https://www.geeksforgeeks.org/history-command-in-linux-with-examples/) command is your friend. The history command will show you recently used commands. – Aven Desta Mar 27 '21 at 16:45
  • surprised no one mentioned testdisk yet ^^ – xeruf Oct 08 '22 at 21:27

3 Answers

12

You should probably install Inotify Tools. Then you can use the `inotifywait` command to listen for events happening for the specified directory.

Specifically, if you want to watch for deleted files and folders, use this:

```
inotifywait -m -r -e delete dir_name
```

and log this output to some file.

Hope this solves your problem

Irfan
ravi
  • 2
    Sounds like the best approach for this. There's a promising cli-app/daemon named [iwatch](http://iwatch.sourceforge.net) that you might want to include in your answer. +1 for using the right tools to solve the problem. – Sampo Sarrala - codidact.org Jan 10 '13 at 09:29
  • ravi, @SampoSarrala - is this applicable if I want to watch files in the `/` root, taking into account mounting/unmounting drives? I would guess, in that case the only thing viable for keeping a deletion log would be a kernel module that would hook into `unlink` (see http://stackoverflow.com/questions/8588386/intercepting-file-system-system-calls); also `man inotifywait` states: "--recursive: _Warning: ... this option while watching ... a large tree, it may take quite a while. Also, ..., the maximum amount of inotify watches per user will be reached. The default maximum is 8192;_" – sdaau Jan 31 '15 at 15:27
  • @sdaau `dmesg [| tail]` should show you [recent] mounts/unmounts, if that's what you're asking. – Seldom 'Where's Monica' Needy May 20 '16 at 17:03
  • 1
    I wonder if there is also a way to find out which process deleted the file (say a cron job) where applicable. Have a case of files mysteriously disappearing... – Nagev Feb 20 '18 at 09:51
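The approach from this answer (watch with `inotifywait`, log to a file), shown as an added example that is not part of the original post. It also checks the watch limit raised in the comments before starting. The log format, function names and sample lines are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the answer): log deletions, then query the log.

# inotifywait -r needs one watch per directory; compare with the per-user limit.
watches_needed() { find "$1" -type d | wc -l | tr -d ' '; }
watch_limit() { cat /proc/sys/fs/inotify/max_user_watches 2>/dev/null || echo 0; }

# Append "timestamp EVENTS path" lines to log file $2 until interrupted.
# moved_from is an addition to the answer's command: a file moved out of
# the tree also disappears from it.
log_deletes() {
    if [ "$(watches_needed "$1")" -gt "$(watch_limit)" ]; then
        echo "raise fs.inotify.max_user_watches before watching $1" >&2
        return 1
    fi
    inotifywait -m -r -q -e delete -e moved_from \
        --timefmt '%Y-%m-%dT%H:%M:%S' --format '%T %e %w%f' "$1" >> "$2"
}

# Print paths logged at or after timestamp $2; directories get a trailing "/".
deleted_since() {
    awk -v since="$2" '$1 >= since {
        isdir = ($2 ~ /ISDIR/)
        sub(/^[^ ]+ [^ ]+ /, "")
        print $0 (isdir ? "/" : "")
    }' "$1"
}

# Constructed sample of what log_deletes writes (not real data).
sample_log() {
    cat <<'EOF'
2013-01-08T20:10:00 DELETE /home/sam/officedocuments/old.odt
2013-01-08T21:05:12 DELETE /home/sam/officedocuments/q4/budget report.xls
2013-01-08T21:05:13 DELETE,ISDIR /home/sam/officedocuments/q4
EOF
}
```

Run `log_deletes /home/sam/officedocuments deletes.log` in the background, then `deleted_since deletes.log 2013-01-08T21:00:00` lists what went missing after that time. Only deletions that happen while the watcher is running are recorded.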
1

…changed recently in Linux?

Use `find` to search by modification time. For example, to find files touched in the last 3 days:

```
find /home/sam/officedocuments -mtime -3
```

For "older than 3 days", use `+3`.

…deleted recently in Linux?

Pretty much impossible. When a file is deleted, it's simply gone. On most systems, this is not logged anywhere.

u1686_grawity
  • 1
    Thanks. For 3 days, I need to use `3`... what do I need to use for the last `30` minutes? – sumit Jan 08 '13 at 21:00
  • Does Linux always ask for confirmation before deleting any file / folder? – sumit Jan 08 '13 at 21:06
  • 19
    _"Pretty much impossible"_ This is just plain wrong and because of this I *have to* downvote this. Deletion times are stored in some filesystems; an example of such an fs is the `ext3` filesystem. `ext3grep` might help when hunting them down. I got http://superuser.com/a/433785/132604 that has some information and links to utilities that could be used to find (_possibly recover too_) deleted files and information about them. When you delete a file, in most filesystems, it is not actually removed but marked as space that could be overwritten on demand. – Sampo Sarrala - codidact.org Jan 08 '13 at 21:43
  • You might be able to restore files from a backup and compare a list of those files with the ones on the filesystem. That would yield a list of missing and newly created files. Grawity's answer already shows you can filter on time, thus you can limit that to only the deleted files. – Hennes Jan 08 '13 at 21:47
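The list comparison suggested in the last comment above, shown as an added example that is not part of the original thread. It takes a sorted listing of an earlier copy of the tree (a restored backup, or a listing saved beforehand) and of the current tree, then reports what is only in one of them. The function names and the backup path in the usage comment are assumptions.

```shell
#!/usr/bin/env bash
# Added example: list what disappeared between two listings of a tree.
#
#   snapshot /path/to/restored-backup/officedocuments old.list   # placeholder path
#   snapshot /home/sam/officedocuments now.list
#   deleted_between old.list now.list

# Write a sorted manifest of tree $1 to file $2; directories end in "/".
# Assumes file names contain no newlines.
snapshot() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 1; }
    ( cd "$1" || exit 1
      find . -mindepth 1 -type d | sed 's|$|/|'
      find . -mindepth 1 ! -type d
    ) | sed 's|^\./||' | LC_ALL=C sort > "$2"
}

# Entries only in the old manifest. The contents of a deleted directory
# are collapsed into the directory itself, so one removed folder is
# reported once instead of once per file inside it.
deleted_between() {
    LC_ALL=C comm -23 "$1" "$2" |
        awk 'top != "" && index($0, top) == 1 { next }
             { print; top = ($0 ~ /\/$/) ? $0 : "" }'
}

# Entries only in the new manifest.
created_between() { LC_ALL=C comm -13 "$1" "$2"; }
```

Saving a manifest on a schedule gives the same result without restoring a backup: the listing is small, and comparing two of them needs no raw disk access.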
0

Linux does not generally ask for confirmation before removing files, assuming you're using `rm` from the command line.

To find files modified in the last 30 minutes, use `touch --date="HH:MM" /tmp/reference` to create a file called `reference` with a timestamp from 30 minutes ago (where HH:MM corresponds to 30 minutes ago). Then use `find /home/sam/officedocuments -newer /tmp/reference` to find files newer than the reference.

If you deleted files using a GUI tool, they may still be in some kind of "trash can". It depends on what you're using for a desktop environment. If you used `rm` from the command line, then try one of the utilities mentioned in this answer. (Hat tip to @Sampo for that link.)

bstpierre