How to check the records of deleted files in Linux?

In a Linux system, if you want to view the record of deleted files, you can do so through the following methods:

1. Using command line tools: using the “-la” option of the “ls” command can display detailed information about files, including permissions, owner, size, creation date, etc. If a file is deleted, in the output of the “ls” command, the deleted file will be displayed in grey and the first character of the permission characters will change to “-“.
2. Viewing operation logs: Linux systems will record a log of all user actions, which can be used to track records of file deletions. The operation log files are typically located in the /var/log directory, with common files being syslog, auth.log, etc. You can use the “cat” or “less” command to view the operation log files, and then search for relevant keywords such as “delete”, “rm”, etc.
3. Recovery tools can be used to attempt to recover accidentally deleted files. Some common recovery tools include extundelete, TestDisk, and Foremost. These tools work by scanning the metadata of the file system to locate deleted files and then attempt to recover them.

It is important to note that in Linux systems, file deletion is irreversible. Once a file is deleted, even recovery tools cannot guarantee full restoration of the content. Therefore, it is advisable to back up important files before deleting them to prevent data loss.