Every thing in Linux is a File. A file in turn is actually a pointer to inode which contain the actual data on the disk, permissions, ownership. Now what happens when a file is deleted ? Only the link is removed by not the inode or the actual data. if a process is using the file, or if the file is open , the inode is not released for overwriting util the process is done with the file. Such files will remain in the server memory (RAM).
Lets discuss how to recover such deleted files which is being used by a process.
Lets do it with an example.
Create a test file.
# touch testfile.txt
Echo some random data on it.
# cat /dev/random > testfile.txt
Open the file using some command like below.
# less testfile.txt
# ps -ef | grep -i less
less 4607 root 4r REG 254,4 21 8880214 /root/testing.txt (deleted)
All the open files remain in the memory and hence in the /proc filesystem. The important columns in the above output are the second one, which gives you the PID of the process that has the file open (4607), and the fourth one, which gives you the file descriptor (4). Now, we go look in /proc, where there will still be a reference to the inode, from which you can copy the file back.
# ls -l /proc/4607/fd/4 lr-x------ 1 root root 64 Apr 7 03:19 /proc/4607/fd/4 -> /root/testing.txt (deleted)
To recover the deleted file in memory, just copy as below.
#cp /proc/4607/fd/4 testing.txt.bk
Hurray you got your file back. Just make sure not to use "-a" switch while copying the file as this will copy the broken softlink.