Lost and not found

Firework! In this article, I tried to analyze the purpose and main scenarios for using the lost+found directory in Linux.

Review

If we run fsck, a file system check and repair command, it can find pieces of data that are not referenced anywhere in the file system. In particular, data may be found that appears to be a complete file but has no name on the system—an inode without a corresponding file name. They still take up space, but are not accessible in the usual ways, so there is a special lost+found directory at the root of the file system where such files are placed.

So the directory in question serves as temporary storage for those rare cases where fsck can’t put everything back together after a filesystem has been corrupted.

Under what scenarios might files end up there?

The “lost+found” directory typically contains files that were deleted but were still open by some process when the system suddenly stopped (kernel panic or power failure) and therefore the data had not yet been erased.

Files may also appear there if the entire file system has been damaged due to a software or hardware error. In this case, this is a way to find data that was lost, but was found during system recovery. They’re unlikely to be complete and probably won’t make much sense, but there’s always a chance that something worthwhile will be gained.

Data recovery

To recover lost data, we need to run fsck in advance. Most Linux distributions perform this operation on boot if the machine does not shut down properly. Otherwise, we will have to run the utility manually. For example, let’s run fsck on a pre-mounted /dev/sda3.

fsck /dev/sda3
fsck from util-linux 2.37.2
fsck.fat 4.2 (2021-01-31)
/dev/sda3: 200 files, 38/130811 clusters

The /dev/sda3 partition will be checked, and the lost+found directory will appear in its root. Next, mount the partition and go to the newly created directory.

mkdir -p /tmp/home
mount /dev/sda3 /tmp/home
cd /tmp/home/lost+found

The files have lost their original names, so fsck renames them. We’re going to examine them using the file command, which extracts metadata from the headers.

file *
#4605470:          ASCII text
#4655470:          PNG image data, 943 x 436, 8-bit/color RGBA, non-interlaced
#4610801:          directory
#4613588:          PDF document, version 1.4, 1 pages

Now let’s assume that there is a need to restore a found PNG file. We will simply get its name via awk, and then copy it to the desired location:

cp "$(file * | grep PNG | awk '{print $1}' | cut -d':' -f1)" /tmp/home/username/image.png

In theory, there is a possibility that the data is corrupted and therefore more difficult to recover, but there is also a good chance that the integrity of the recovered data will be preserved.

Deleting and Recreating

Sometimes the contents of lost+found can take up a significant amount of disk memory, in which case you can get rid of it. We can delete this directory on all partitions using the find utility. Note that we need to make sure that all partitions are mounted and we have root access:

find "-iname" lost+found -type d -exec rm -r "{}" \;

However, it is necessary to clearly understand that lost+found is not an ordinary directory, because pre-allocated blocks are associated with it (simultaneous data recovery and making changes to the file system with the fsck utility can lead to data corruption).

Therefore, to recreate lost+found, you must use the special command mklost+found.

mklost+found 
mklost+found 1.46.4 (18-Aug-2021)
ls -l
drwx------ 2 xsh xsh 49152 Dec  7 20:46 lost+found

In this article, we briefly examined the purpose and use of the lost+found directory, as well as the procedure for deleting and creating it.

I hope you found the above materials interesting and useful, thank you for your time and attention, effective scripts, elegant solutions to you!

You might also want to read this:

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *