
I keep a text file of useful commands and info I collect as I'm learning Linux. I had been opening it in vim whenever I came across something good to add, but that was getting tedious. So today I was using cat >> to append things to it, figuring I'd go back later to organize it. (I'm working without a GUI so every little thing helps.) I'd either use cat or just do a command >> file.

I tried to view the file and accidentally did a cat > textfile and blanked the file.

Looking at my .zsh_history as I write this, more precisely what I did was cat> textfile | tail. Apparently I took out the space instead of one of the redirect "greater than" symbols.

What I've Tried

I realized right away what I had done and I didn't do anything more in that terminal; cat is still sitting there waiting with an empty line. Based on this question, I tried this answer in another tty terminal:

Suggested Answer:

sudo grep -i -a -B100 -A100 'string' /dev/sda1 > file.txt

My Attempt:

grep -F -a -B3000 -A3000 'string' /dev/sdb2 > /media/EXTERNAL_HDD_MOUNT/grepResults

I thought I'd leave it overnight and see what it came up with in the morning, but was surprised to see it finished at almost exactly an hour. The OS is installed on USB/C flash drive with the main partition 186 GB (not persistent live, just normal installed). It's running on a machine that currently doesn't have any internal hard drives. It's come up with 11 MB of something so I'll have to extract the readable strings and see what I get (another thing I have to learn how to do).

One of my questions is does it make any difference if and how I kill/stop/terminate the cat process? I know it doesn't work without a newline, but it does its thing right away regardless and the file already appears empty when I peek with other viewers.

Another question (or x y problem) is can I potentially recover it from /proc? That was another suggestion on that 2010 question that I thought looked promising. I found the PID and it has a directory in /proc but I don't know what I'm looking at when I go in there, and I don't know how to go about it.

Oh, one other thing I did was fc -p. I was afraid any command I did could cause something to be written to the drive. ZSH history is one of the few things I'm aware of at this point, so I googled and attempted to stop it.

Any grep advice is also appreciated. I realized my "MyCommands" file is just full of special characters, so I tried to avoid those in selecting my unique string to search for, just to not be adding extra variables into the mix and complicate things more for myself. I save it as a .bat just because I like the syntax highlighting in that format.

terdon
  • 242,166
Bob
  • 31
  • 1
    Harm is done however you kill your cat. Could the accepted answer in https://unix.stackexchange.com/questions/80270/unix-linux-undelete-recover-deleted-files help you ? – MC68020 Oct 28 '22 at 09:55
  • 1
    For plaintext files, you can also use strings -t d /dev/disk | grep or strings -w … instead of using grep directly. If you are using special characters (non-ASCII UTF-8) try on a sample file first if strings prints them at all. On SSD you also have to umount / disable fstrim first, otherwise with TRIM it's just gone… – frostschutz Oct 28 '22 at 10:07
  • 2
    Unless you immediately powered off the host you probably won't be able to recover the file. At best you might get some fragments. The best advice I can offer would only help avoid a similar situation in the future. Back up everything important. Use version control. I put my homedir in git in a way that it ignores everything but I can easily add files to the repo and commit changes to these important files often. Even with that, periodically copy all backups to another machine. It's a real bummer, I know, but if that drive is still spinning in the original running system, you're kinda hosed. – brunson Oct 28 '22 at 19:06
  • I think I got it! Thanks to all of you for your replies. Thank you @frostschutz, I knew I had seen a simple method somewhere but I could not recall the name 'strings'. It turns out I had the relevant data by the time I asked the question; I just didn't spot it when I mouse-scrolled through it with vim. Had I known how easy extracting with 'strings' is, I may have just dumped the whole drive. Strings extracted 9 versions of it out of the raw data I had, 7 or 8 of which are completely intact, with just a few missing or out-of-order lines in the others. – Bob Nov 04 '22 at 20:10
  • . . . I did have a Dropbox backup that was only a day or two old, but I had added a fair amount of work in that time. I had had to turn off dropbox because I was renaming large directories and it would try to reupload and redownload the whole thing. Its CLI implementation is pretty terrible (e.g. it would not exclude directories no matter how I entered the command, nor give any error or confirmation messages). Anyway, I see lines in the recovered data that are more recent than the last Dropbox or manual copy I had, so this was a success (we'll see if 100%). – Bob Nov 04 '22 at 20:46
  • 1
    I went down the rabbit hole without knowing I already had what I needed. The pipes went from cat -> zsh -> tail. I had gone after the cat and now had to catch it by the tail. I was looking into dev/mem and /kmem, memory dumps, and manipulating pipes by the time I discovered I had it. @MC68020's suggestion was coming up next, thank you. I may try it anyway because this has been an invaluable learning experience; these are valuable tools to have in your arsenal. – Bob Nov 05 '22 at 01:01
  • @brunson, yes, immediately pulling the plug is what I would have instinctively done 20 years ago. But in spite of having done so recently, for some reason it didn't even occur to me this time (despite the power strip switch being within arm's reach). Something about having the system on a tiny flash drive doesn't feel real. Ironically, this was my rescue system, so it already had fstrim disabled, no automount, and not even a screen saver. I turn off the monitor when I leave the room like it's 40 years ago. – Bob Nov 05 '22 at 01:21
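
The raw-device search from the question and the offset idea behind strings -t d in frostschutz's comment, combined as an added example (not from the original thread): it lists the byte offset of every hit and carves a window around each one into its own file, which is how several stale versions of one file turn up. It assumes GNU grep; carve_hits, make_sample_image and the sample image are constructed for illustration.

```shell
#!/bin/sh
# Added example: locate a known string in a raw image and carve the text
# around every hit. Assumes GNU grep (-b with -o prints the match offset).

# make_sample_image FILE: constructed stand-in for a partition holding two
# stale copies of a notes file between binary blocks (not real disk data).
make_sample_image() {
    {
        printf '\000\001\002\377\376junk\000'
        printf '# MyCommands v1\nlsblk -f\n'
        printf '\000\000\000\203\204'
        printf '# MyCommands v2\nlsblk -f\ndf -h\n'
        printf '\000\377'
    } > "$1"
}

# carve_hits IMAGE MARKER WINDOW OUTDIR
#   IMAGE  raw device or image file; it is only ever read
#   MARKER literal string known to be in the lost file
#   WINDOW bytes to keep before and after the start of each hit
#   OUTDIR directory on a different filesystem than IMAGE
# Writes one text file per hit and prints the number of hits.
carve_hits() {
    image=$1; marker=$2; window=$3; outdir=$4
    mkdir -p "$outdir" || return 1
    n=0
    # -a: read binary as text, -F: literal marker, -b -o: "offset:match"
    for off in $(LC_ALL=C grep -a -b -o -F -e "$marker" "$image" | cut -d: -f1)
    do
        start=$((off - window))
        if [ "$start" -lt 0 ]; then start=0; fi
        len=$((off - start + window))
        n=$((n + 1))
        # Copy the window, keep only tab, newline and printable ASCII.
        tail -c +"$((start + 1))" "$image" | head -c "$len" |
            LC_ALL=C tr -cd '\11\12\40-\176' > "$outdir/hit_${n}_at_${off}.txt"
    done
    echo "$n"
}

# Demo on the constructed image: prints 2 (one hit per stale copy).
demo=$(mktemp -d)
make_sample_image "$demo/disk.img"
carve_hits "$demo/disk.img" 'lsblk -f' 20 "$demo/out"
```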

0 Answers