deleted files by account

Alicelinux

I want to list all the binary executable and document files deleted by account mter for the past month in Red Hat Linux, can this be done? thanks
 


wizardfromoz

See your previous Thread

Wizard
 

Alicelinux

Hi, I checked the link, it didn't mention how to check deleted files by user. I tried -mtime 10, to check modified files within 10 days, but it is not deleted file? pls respond, thanks
 

JasKinasis

AFAIK, the only way to do it would be to use something like debugfs - which has a command called lsdel, which can be used to search for deleted files. I've never used debugfs though - so you might want to do a few web-searches and look it up.

Debugfs can also be used to restore deleted files, but if the machine has been in use a lot since the hack/intrusion you mentioned in one of your other threads - it is possible that the space formerly occupied by deleted files has already been completely overwritten. So you might only get a partial list of deleted file-names, if anything at all.

Other than that, I'm not sure what to suggest!
 

JasKinasis

One other thing.....
"I tried -mtime 10, to check modified files within 10 days"

FYI - When you use a positive value for find options like atime, ctime or mtime - it means EXACTLY.

So your search using -mtime 10 would cause find to search for files that were modified EXACTLY 10 days ago.

If you want to find files that were modified within the last 10 days, you would have to use -mtime -10 instead!
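
The -mtime forms discussed in this thread, as an added example that is not part of any poster's reply: it builds constructed files with known ages in a temporary directory and lists what each form matches. The file names and the helper functions make_samples and by_mtime are assumptions made for the illustration; find only sees files that still exist, so none of these forms lists deletions.

```shell
#!/bin/sh
# Added illustration: constructed sample files, nothing outside a temp dir is touched.
# Requires GNU touch (for -d @epoch) and find.

# Create four files whose modification times are a known number of days old.
make_samples() {
    dir=$(mktemp -d) || return 1
    now=$(date +%s)
    touch -d "@$((now - 3*86400))"         "$dir/recent.txt"     # 3 days old
    touch -d "@$((now - 9*86400))"         "$dir/nine_days.txt"  # 9 days old
    touch -d "@$((now - 10*86400 - 3600))" "$dir/ten_days.txt"   # 10 days + 1 hour old
    touch -d "@$((now - 20*86400))"        "$dir/old.txt"        # 20 days old
    printf '%s\n' "$dir"
}

# Print the names of regular files under $1 that match -mtime $2 and are
# owned by the current user (-user accepts an account name or a numeric uid).
by_mtime() {
    find "$1" -type f -user "$(id -u)" -mtime "$2" -exec basename {} \; \
        | sort | paste -s -d ' ' -
}

d=$(make_samples)
# find counts age in whole 24-hour periods and drops the fraction, so
# "-mtime 10" matches ages from 10 up to (not including) 11 days.
echo "-mtime 10   (10 days ago):          $(by_mtime "$d" 10)"
echo "-mtime -10  (within last 10 days):  $(by_mtime "$d" -10)"
echo "-mtime +10  (more than 10 days):    $(by_mtime "$d" +10)"
rm -rf "$d"
```
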
 

atanere

Data recovery isn't something that I am skilled at, so Googling around may give you more/better solutions. One thing Google found was this article that describes using a program called testdisk. I installed it, and with some brief experimenting I see that it does show deleted files highlighted in red as shown in the article. But this program looks quite powerful and can do other things, so use it very carefully.

Also, the more time that passes, the less chance you have of finding deleted files. When new data is written to the same space on the hard drive, the deleted files will likely be lost forever.

Good luck!
 