Last updated: October 28, 2024
In Linux, identifying recently deleted files can be important for data recovery or system auditing. Although typical file listing commands, such as ls, don’t show deleted files, a mix of applications and techniques can be useful in identifying deletions.
In this tutorial, we’ll talk about how to list recently deleted files from a directory.
debugfs communicates directly with the file system at the block level, allowing us to obtain low-level file system data, such as deleted file metadata. This strategy is useful when working with ext3 and ext4 file systems. Let’s install it using apt-get:
$ sudo apt-get install e2fsprogs
First, we use the command above to install debugfs with the e2fsprogs package. Also, we’ll need to know which partition the directory is located on before we can use debugfs. We can use the df command to determine this:
$ df /path/to/directory
In this example, we use the df command to determine the partition where the directory exists. The output will include the partition name, such as /dev/sda1. Then, we’ll use debugfs to open the partition:
$ sudo debugfs /dev/sda1
Here, debugfs opens the partition and presents an interactive prompt where we can execute commands. At that prompt, we execute the lsdel command to display recently deleted files:
debugfs:  lsdel
Inode Owner Mode Size Deleted Time
12345 1000 100644 2048 Wed Oct 18 14:35:07 2024
23456 1000 100644 4096 Wed Oct 18 14:40:01 2024
Above, the lsdel command reports the inode number, file owner, file mode, size, and deletion timestamp of each deleted file. This output helps us determine which files were recently deleted from the directory.
lsof is an efficient tool for listing all open files and processes on a Linux system. If a process is actively using a file, it could keep the file open even after its removal. This happens because Linux only frees up space for a deleted file when all associated processes have finished using it. Let’s install lsof using apt-get:
$ sudo apt-get install lsof
First, we run the command above to install lsof. Then, using the grep command, we can examine deleted files that are still open:
$ lsof | grep deleted
process_name 12345 user DEL /path/to/directory/file1.log (deleted)
In this example, the result displays a list of open files that current processes are still holding, despite having been deleted. The normal output consists of numerous fields, including the process name, process ID, user, and file location.
Finally, the lsof tool is important for tracking and managing deleted files that processes are still accessing.
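The same check limited to a single directory and done without lsof, as an added example that is not part of the original article: it reads the /proc/<pid>/fd symlinks, whose targets the kernel marks with " (deleted)" once a file is unlinked but still open. It goes one step beyond the text by copying the still-open content back out through /proc; the function names and the tab-separated output format are assumptions made for this example.

```shell
#!/bin/sh
# Added example: find deleted-but-still-open files under one directory
# by reading /proc/<pid>/fd (the data lsof reports), then recover one.
# Function names and output format are assumptions for this example.

# Usage: deleted_open_in_dir DIR
# Prints one line per match: PID<TAB>FD<TAB>original path
deleted_open_in_dir() {
    dir=${1%/}                          # drop a trailing slash
    for fd in /proc/[0-9]*/fd/*; do
        # Unreadable or vanished descriptors are skipped silently;
        # run as root to see descriptors of other users' processes.
        target=$(readlink "$fd" 2>/dev/null) || continue
        case $target in
            "$dir"/*" (deleted)")
                pid=${fd#/proc/}
                pid=${pid%%/*}
                path=${target%" (deleted)"}
                printf '%s\t%s\t%s\n' "$pid" "${fd##*/}" "$path"
                ;;
        esac
    done
}

# Usage: recover_deleted PID FD DEST
# Copies the content out while the process still holds the descriptor;
# once the process closes it, the kernel frees the blocks.
recover_deleted() {
    cp -- "/proc/$1/fd/$2" "$3"
}
```

Write the recovered copy to a different file system when the original blocks may still matter for later analysis.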
In this article, we talked about tools such as debugfs and lsof that offer effective means for discovering deleted files. debugfs allows us to access low-level file system data, making it appropriate for ext3 and ext4 file systems, whereas lsof lets us track deleted files that are still in use by active processes.
By combining these techniques, we can effectively manage deleted files and ensure that no important information is lost unintentionally.