Stopping Disk Writes Immediately After Accidental File Deletion On Linux

Understanding File Deletion in Linux

When a file is deleted in Linux, the operating system does not immediately erase the data. Instead, it removes the file’s entry from the file system index and makes the storage sectors containing the file’s data available for future writes. Until those sectors are overwritten by new files, recovery of the deleted data is possible using specialized tools.

File recovery likelihood depends on how soon the sectors are reused. The sooner other files claim the freed sectors, the less likely recovery becomes. Therefore, preventing further writes after an accidental deletion is crucial.

How file deletion works

The rm command in Linux removes directory entries and inode references to a file. The data blocks on disk are not wiped or overwritten by rm. They merely become available for storage of other files.

The filesystem indexes and allocation structures are updated after rm runs, but the file’s data still resides on disk until new data overwrites it.

When data is actually erased

The deleted file’s raw data blocks remain intact until the filesystem reuses those blocks for new writes. Simple deletion does not modify or erase file data content stored on the physical media.

However, if the storage is solid state, like flash memory, TRIM and garbage collection processes may actively erase deleted file block contents after rm runs.

Recovery possibilities

Recovery likelihood depends heavily on whether the deleted file’s data blocks get overwritten. If no new data writes to those blocks, full recovery is often possible days or weeks later.

But even partial overwrites make recovery harder. The sooner fresh writes claim the deleted file’s blocks, the less likely tools can recover anything.

Freezing the File System

To prevent deleted file data from getting overwritten, the filesystem housing the deleted file must enter a read-only state. No writes should occur while undeletion tools attempt recovery on deleted files.

Unmounting drives

The cleanest write prevention tactic is unmounting the partition where deletion occurred. This detaches the filesystem from the directory tree entirely.

The umount command stops processes from writing to the detached filesystem. However, filesystem journaling may still flush data buffered before unmounting.

Remounting drives read-only

Unmounting may break productivity by halting processes. Remounting the filesystem read-only with mount -o remount,ro retains access while disallowing writes.

This technique stops further changes to data blocks but still permits reads. Existing file handles retain read access after remounting.

Using mount options to disable writes

Mount options can also limit writes to a mounted filesystem. The ro option blocks writes outright, while noatime and nodiratime stop reads from triggering access-time updates. Applied at runtime, these options reduce block changes.

The sync option disables delayed writes, forcing changes to commit immediately to disk instead of buffering them. This risks long delays for common operations.

Checking for Open File Handles

Even a read-only remount cannot stop writes from processes holding open file handles at the time of the remount. These handles let processes write to previously opened files.

Identifying processes with open handles

The lsof tool lists open file handles across running processes. It reveals which applications and processes are actively accessing the filesystem.

Filtering lsof output down to the affected mount points shows which processes hold locks or might keep writing data despite remounts.

Forcibly closing file handles

To fully lock down writes, forcibly terminate processes maintaining write handles. Commands like fuser and pkill help identify and stop processes that are accessing files.

Killing matching processes ensures no background handles leak writes across a read-only remount. But this risks data damage or loss if processes cannot restart cleanly.
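
The freeze-and-check procedure from the two sections above, as an added example that is not part of the original article: it finds which mounted filesystem holds a path, lists processes with files open for writing there, and prints the remount command without running it. The function names and the sample lsof output are constructed, and mount points containing spaces are not handled.

```sh
#!/bin/sh
# Added example; function names and sample data are constructed for illustration.

# mount_for_path ABS_PATH [TABLE]: print "device mountpoint state" for the
# filesystem holding ABS_PATH (longest matching mount point wins). TABLE is in
# /proc/self/mounts format: device mountpoint fstype options dump pass.
mount_for_path() {
    awk -v p="$1" '
        { mp = $2; pre = (mp == "/") ? "/" : (mp "/") }
        (p == mp || index(p, pre) == 1) && length(mp) >= best {
            best = length(mp); dev = $1; dir = mp
            state = (("," $4 ",") ~ /,ro,/) ? "ro" : "rw"
        }
        END { if (dir == "") exit 1; print dev, dir, state }
    ' "${2:-/proc/self/mounts}"
}

# writers_from_lsof: read `lsof -F pcfan MOUNTPOINT` field output on stdin and
# print "pid command path" for each descriptor open for writing (a = w or u).
writers_from_lsof() {
    awk '
        /^p/ { pid = substr($0, 2) }
        /^c/ { cmd = substr($0, 2) }
        /^f/ { acc = "" }                 # new descriptor: forget the old mode
        /^a/ { acc = substr($0, 2) }
        /^n/ && (acc == "w" || acc == "u") { print pid, cmd, substr($0, 2) }
    '
}

# freeze_plan ABS_PATH: report only; it changes nothing on the system.
freeze_plan() {
    info=$(mount_for_path "$1") || { echo "no mount found for $1" >&2; return 1; }
    set -- $info
    echo "filesystem: $1 mounted on $2 ($3)"
    echo "processes with files open for writing:"
    lsof -F pcfan "$2" 2>/dev/null | writers_from_lsof
    [ "$3" = rw ] && echo "next step: mount -o remount,ro $2"
    return 0
}

# Constructed lsof field output: a log writer and a read-only pager.
printf 'p812\ncrsyslogd\nf7\naw\nn/home/log/app.log\np900\ncless\nf4\nar\nn/home/a.txt\n' |
    writers_from_lsof        # prints: 812 rsyslogd /home/log/app.log
```

Call freeze_plan with the absolute path of the deleted file. A remount that is refused as busy usually means one of the listed writers is still active.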

Recovering Deleted Files

Once writes to the mount are stopped, temporary files and redundant copies often provide an easy way to restore the data. But for full recovery, dig into the frozen filesystem using utilities that inspect raw data.

Using debugfs to access old data

The debugfs tool exposes raw access to data blocks within an unmounted ext3/ext4 filesystem. It permits copying certain deleted file segments by searching through inodes.

Manual debugfs recovery requires deep Linux filesystem expertise. But it can salvage data even after the system holding the frozen mount has been rebooted.

File recovery tools and techniques

Beyond manual debugfs, utilities such as extundelete and foremost automate recovery operations. TestDisk and PhotoRec operate at the partition level to resurrect damaged filesystems.

Clone hard disk images using dd or hardware duplicators to preserve the frozen state. Then scan these copies to extract deleted file data without risk of overwriting the original evidence.
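
One way to take and verify the working copy described above, as an added example that is not part of the original article. image_frozen_fs and list_deleted are hypothetical helper names, the image must be written to a different disk than the one being recovered, and the demo uses a constructed file in place of a device so it runs without root.

```sh
#!/bin/sh
# Added example; helper names are hypothetical, not an existing tool.

# image_frozen_fs SOURCE IMAGE
# Copy SOURCE (an unmounted or read-only block device such as /dev/sdXN) to
# IMAGE on a different disk, verify the copy, write-protect it and print
# its SHA-256 so the value can be recorded.
image_frozen_fs() {
    src=$1 img=$2
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    [ -e "$img" ] && { echo "refusing to overwrite $img" >&2; return 1; }
    # No conv=sync here: it would pad a short final block and change the hash.
    dd if="$src" of="$img" bs=4M 2>/dev/null || return 1
    src_sum=$(sha256sum < "$src" | cut -d' ' -f1)
    img_sum=$(sha256sum < "$img" | cut -d' ' -f1)
    [ "$src_sum" = "$img_sum" ] || { echo "hash mismatch" >&2; return 1; }
    chmod a-w "$img"                  # recovery tools should only read the copy
    echo "$img_sum"
}

# list_deleted IMAGE: list deleted inodes in an ext image with debugfs, which
# opens the filesystem read-only unless it is given -w.
list_deleted() { debugfs -R lsdel "$1"; }

# Constructed stand-in for a device so the example runs without root.
demo=$(mktemp -d)
printf 'constructed filesystem bytes\n' > "$demo/src.bin"
image_frozen_fs "$demo/src.bin" "$demo/copy.img"   # prints the SHA-256
rm -rf "$demo"
```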

Preventing Accidental Deletions

While recovery proceeds best by stopping writes immediately, prefer prevention whenever possible. Configure protections against deletions, enforce permissions and ownership diligently, and track content changes.

Setting up permissions correctly

Restrict delete access to authorized users only, particularly on shared systems. Set sticky bits on directories using chmod +t to avoid cross-user deletions.

Restrict broad recursive deletes. Delete permissions on a folder do not imply recursive rights; set these carefully with chmod -R, limited to administrative groups.

Using version control systems

Version control systems record full change history enabling restores. This does not stop accidental loss but facilitates rollbacks.

Combining permissions, ownership policies, and version control yields thorough deletion protection well beyond relying solely on recovery.

Enabling trash functionality

Desktop user filesystems often use trash folders to help avoid permanent deletes. The delay gives administrators a window to restore discarded files.

Trash functionality simply moves files rather than removing them immediately. But this small amount of friction significantly cuts the frequency of mistaken permanent deletions.
