1. Overview

In this tutorial, we’ll take a look at the lost+found directory that many a sysadmin has come across when navigating the Linux file hierarchy. We’ll see why this directory exists and the purpose it serves. We’ll also touch on the subject of recovering data from the lost+found directory.

Finally, we’ll use the find command to find the lost+found directories on the disk and delete them.

2. The lost+found Directory

The lost+found directory is a construct used by the fsck system utility. It’s a special directory that contains data that has become obsolete. The fsck utility creates it on a Linux machine with partitions of the Extended File System (ext2-ext4). However, lost+found directories are also created on other file systems, like UFS and ZFS, on UNIX derivatives.

The fsck utility creates the lost+found directory at the root of a volume. So, we can have multiple lost+found directories – one for each of the volumes.

2.1. The Purpose of the lost+found Directory

The lost+found directory contains files that have been deleted or lost in a disk operation. The files inside this directory have an inode, but they’re missing the corresponding filename that normally enables us to access files on the system. However, we can still access or restore a file’s data if its integrity is intact.

The files inside this directory would have been regular files once with an inode and a filename. However, in rare cases, when a process opens a file for an operation, and somehow another process deletes the file when it’s still being used by the old process, it becomes just a data fragment. So, when there’s an improper shutdown or a kernel panic while the data is being used by the process, the data becomes obsolete.

Since the references to the file no longer exist and the file is no longer accessible normally, fsck turns the data back into a new file and deposits it in the lost+found directory.

Since we have already deleted the file, we need not care about it and can safely ignore it. On the other hand, if there is damage to the filesystem due to a hardware or a software bug, it’s up to the users to run an fsck check and find these files after fsck places them in the lost+found directory. Afterward, we can recover the data from these files, which may or may not be helpful to us, depending on how bad the filesystem damage was.

2.2. The mklost+found Utility

If we somehow accidentally delete the lost+found directory, we should use mklost+found instead of using mkdir. The mklost+found command creates the lost+found directory in the current directory and preallocates some space for fsck, so fsck doesn’t have to allocate data blocks in the filesystem during recovery. This is because recovering data and making changes to the filesystem simultaneously might corrupt the data. For that reason, we should avoid using mkdir and use mklost+found instead.

Using mklost+found is pretty straightforward. We just need to cd into the volume and run the command without any options:

$ mklost+found 
mklost+found 1.46.4 (18-Aug-2021)
$ ls -l
drwx------ 2 xsh xsh 49152 Dec  7 20:46 lost+found

Moreover, tools like mkfs also create the directory when we create a new partition on the disk.

3. Recovering Data from the lost+found Directory

The fsck utility makes it easy for us to recover the lost data. To recover lost data, we need to have run fsck before. Most Linux distros would run the fsck command on boot if the machine didn’t properly shut down. Otherwise, we’ll have to run it manually.

We have to make sure the partition we’re running fsck on is unmounted because running fsck on mounted partitions can be very harmful. For example, let’s run fsck on /dev/sda3, which maps to the /home partition:

$ fsck /dev/sda3
fsck from util-linux 2.37.2
fsck.fat 4.2 (2021-01-31)
/dev/sda3: 200 files, 38/130811 clusters

The fsck command runs a check on /dev/sda3 and creates a lost+found directory at the partition’s root. Next up, we’re going to mount the partition and navigate to the lost+found directory:

$ mkdir -p /tmp/home
$ mount /dev/sda3 /tmp/home
$ cd /tmp/home/lost+found

The files have lost their original filenames, so fsck renames them with a random number. Therefore, we’re going to look into the data to make some sense out of it. First, we’ll use the file command, which extracts the metadata from the file’s headers:

$ file *
#4605470:          ASCII text
#4655470:          PNG image data, 943 x 436, 8-bit/color RGBA, non-interlaced
#4610801:          directory
#4613588:          PDF document, version 1.4, 1 pages
...

If we have a lot of files, then it can be overwhelming to go through each file’s metadata. Therefore, we can grep some useful information from the file command’s output and operate on it:

$ file * | grep PNG
#4655470: PNG image data, 943 x 436, 8-bit/color RGBA, non-interlaced
...

Now, let’s say we want to recover the first PNG file. We’ll simply get its filename through awk and copy the file to a location:

$ cp "$(file * | grep PNG | head -n 1 | awk '{print $1}' | cut -d':' -f1)" /tmp/home/username/image.png

Theoretically, it’s possible that the data might be corrupted and, therefore, harder to recover, but there’s also a good chance that the integrity of the recovered data will be intact.
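
The recovery steps above, generalized into a script as an added example (not part of the original tutorial): it classifies every recovered file by its leading magic bytes with od, which also works on a rescue shell where the file command is not installed, and copies each regular file into a per-type folder. The function names, the destination layout and the short signature list are assumptions of this example.

```sh
#!/bin/sh
# Added example: names, paths and the signature list are assumptions.

# Print a type label for one file, judged by its first 8 bytes.
classify_magic() {
    # Hex without separators, e.g. 89504e470d0a1a0a for a PNG
    sig=$(od -An -tx1 -N8 "$1" | tr -d ' \n')
    case "$sig" in
        89504e470d0a1a0a) echo png ;;
        255044462d*)      echo pdf ;;      # "%PDF-"
        ffd8ff*)          echo jpg ;;
        1f8b*)            echo gz ;;
        504b0304*)        echo zip ;;
        7f454c46*)        echo elf ;;
        *)                echo unknown ;;
    esac
}

# Copy every regular file in lost+found ($1) to $2/<type>/<name>.<type>,
# keeping the name fsck gave it. The source files are left untouched.
# Runs in a subshell so the umask change does not leak to the caller.
triage_lost_found() (
    src=$1 dest=$2
    umask 077    # orphans can belong to any user on the volume: keep copies private
    for f in "$src"/*; do
        [ -e "$f" ] || continue            # glob matched nothing
        name=${f##*/}
        if [ -L "$f" ] || [ ! -f "$f" ]; then
            echo "skip $name (not a regular file)"
            continue
        fi
        type=$(classify_magic "$f")
        mkdir -p "$dest/$type"
        # Plain cp, not cp -p: the copy does not keep the original owner
        # or any setuid/setgid bit the orphaned inode still carries.
        cp "$f" "$dest/$type/$name.$type" &&
            echo "copy $name -> $type/$name.$type"
    done
)

# Usage: sh triage.sh /tmp/home/lost+found /root/recovered
if [ "$#" -eq 2 ]; then
    triage_lost_found "$1" "$2"
fi
```

Anything that lands in the unknown folder still needs a manual look, for example with the file command once it is available.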

4. Finding and Deleting the lost+found Directory

Sometimes, the data inside the lost+found directory might be huge, and we might not need it. However, we must be aware that lost+found is different from an ordinary directory: it has preallocated blocks associated with it, and fsck will not create it during recovery. Although it’s not recommended to delete the lost+found directory itself, there’s no harm in deleting the data inside it if we want to make space on the disk.

We can remove the lost+found directories on all partitions using the find tool. Note that we’ll need to make sure that all the partitions are mounted and that we have root access:

$ find / -name lost+found -type d -prune -exec rm -r "{}" \;
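
A narrower alternative to the find command above, as an added example that is not part of the original tutorial: it touches only the lost+found at the root of each mounted ext2/3/4 filesystem, reports sizes by default, and with --delete empties the directory instead of removing it. The function names, the ext-only filter and the --delete switch are assumptions of this example.

```sh
#!/bin/sh
# Added example: function names and the ext2/3/4 filter are assumptions.

# Print <mountpoint>/lost+found for every ext2/3/4 filesystem listed in a
# /proc/mounts-style file ($1, default /proc/mounts).
list_lost_found_roots() {
    awk '$3 ~ /^ext[234]$/ { print $2 }' "${1:-/proc/mounts}" |
    while IFS= read -r mp; do
        mp=$(printf '%b' "$mp")       # the kernel writes a space as \040
        if [ -d "${mp%/}/lost+found" ]; then
            printf '%s\n' "${mp%/}/lost+found"
        fi
    done
}

# Report the size of each lost+found, or with "--delete" as $2 remove its
# contents. The directory itself is kept, along with its preallocated blocks,
# and directories that merely share the name elsewhere are never touched.
clean_lost_found() {
    list_lost_found_roots "$1" | while IFS= read -r dir; do
        if [ "${2:-}" = "--delete" ]; then
            find "$dir" -mindepth 1 -xdev -delete
        else
            du -sh "$dir"
        fi
    done
}

# Dry run over the live mount table when executed with "report" as argument.
if [ "${1:-}" = "report" ]; then
    clean_lost_found /proc/mounts
fi
```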

5. Conclusion

In this article, we saw the use of the lost+found directory and why it exists on Linux filesystems. We also saw how we could create a lost+found directory using mklost+found. Afterward, we briefly went through recovering data from the lost+found directory.

Finally, we saw how to find and remove the lost+found directory to make some space.
