rootninja

. This little utility lists open files, directories, blocks, character files, etc. You can filter the results to show only files open by a specific process or user, or other complications…

What if there’s no open file to be found, then what? If you were looking for some sort of media file, it might be easy to use a memory based distro with tools like Photorec digital picture recovery or use more complicated forensics software to find anything. Something like Sleuth Kit comes to mind.

But what if it’s just text? You don’t need to navigate additional hurdles. With a little standard output redirection, your trusty grep is all you need.

Beware, this is the elegance out the window - 10 ton hammer - brute force nuclear option, but as long as the data hasn’t been physically written over, it’ll just work!

grep -a -B100 -A1000 ’some identifying text here’ /dev/sda1 > fileout.txt

Go grab some coffee or a bite to eat and come back a while later…

If all went well, you have a file that contains some gibberish above and below your text file. Load it in an editor and carve out the bad stuff… Done.

I’ve had to do this recently when I accidentally deleted a file over an NFS mount. Luckily I had access to the server and recovered the file from the nfs export’s underlying device without further complications such as installing more software, unmounting the file systems, or any other hassles.