How to find which files and folders were deleted recently in Linux?

linux unix centos

121,730

Solution 1

…changed recently in Linux?

Use find to search by modification time. For example, to find files touched in the last 3 days:

find /home/sam/officedocuments -mtime -3

For "older than 3 days", use +3.

…deleted recently in Linux?

Pretty much impossible. When a file is deleted, it's simply gone. On most systems, this is not logged anywhere.

Solution 2

You should probably install Inotify Tools. then you can use the inotifywait command to listen for events happening for the specified directory.

Specifically if you want to watch for deleted files and folder use this

inotifywait -m -r -e delete dir_name

and log this output in some file.

Hope this solves your problem

121,730

sumit

Updated on September 18, 2022

Comments

sumit over 1 year
I am having one particular folder (/home/sam/officedocuments) which is having hundreds of folders and files. I think I deleted some files and folders by mistake but I'm not sure.

How to find which files / folders were:
- deleted recently in Linux?
- changed recently in Linux?
I just want to know which files and folders were deleted. Recovering those deleted files and folders is not important for me.

OS: CentOS
sumit over 11 years

Thanks. For 3 days, I need to use 3...what I need to use for last 30 minutes?
sumit over 11 years

Does Linux always asks for confirmation before deleting any file / folder?
Sampo Sarrala - codidact.org over 11 years

"Pretty much impossible" This is just plain wrong and because of this I have to downvote this. Deletion times are stored in some filesystems, example of such fs is ext3 filesystem. ext3grep might help when hunting down. I got superuser.com/a/433785/132604 that has some information and links to utilities that could be used to find (possibly recover too) deleted files and information about them. When you delete file, in most filesystems, it is not actually removed but marked as space that could be overwritten in demand.
ganesh over 11 years

You might be able to restore files from a backup and compare a list of those files with the ones on the filesystem. That would yield a list of missing and newly created files. Grawity's answer already show you can filter on time, thus you can limit that to only the deleted files.
Sampo Sarrala - codidact.org over 11 years

Just don't say "gone forever"... see comments on another answer. Now I feel like this: xkcd.com/386 :)
Sampo Sarrala - codidact.org over 11 years

Sound like best approach for this. There's promising cli-app/daemon named iwatch that you might want to include in your answer. +1 for using right tools to solve problem.
tetram over 9 years

ravi, @SampoSarrala - is this applicable if I want to watch files in the / root, taking into account mounting/unmounting drives? I would guess, in that case the only thing viable for keeping a deletion log would be a kernel module that would hook into unlink (see stackoverflow.com/questions/8588386/…); also man inotifywait states: "--recursive: Warning: ... this option while watching ... a large tree, it may take quite a while. Also, ..., the maximum amount of inotify watches per user will be reached. The default maximum is 8192;"
Seldom 'Where's Monica' Needy almost 8 years

@sdaau dmesg [| tail] should show you [recent] mounts/unmounts, if that's what you're asking.
Nagev about 6 years

I wonder if there is also a way to find out which process deleted the file (say a cron job) where applicable. Have a case of files mysteriously disappearing...