This has happened to you before. I'm painstakingly typing a long email on gmail and I'm not sure that I should send it yet, cause it feels like I'm forgetting to mention something. So I want to save it as a draft so I can finish it later. Somehow I hit
Discard instead. Gmail flashes the notice your message has been discarded, but I don't usually read those messages, so I navigate away from the page, and *just* as I click the link the meaning of the message dawns on me. Shit. Now it's too late to undo the action. Son of a.
Okay, relax, perhaps all is not lost. A couple of weeks ago I went over how you can find stuff on disk by searching the raw data. The same *can* be done with memory. See, just because my message is gone and gmail doesn't display it anymore doesn't mean it's not still possibly somewhere in memory. It just isn't being displayed anywhere.
There are two ways to access physical memory. The two interfaces are
root, you can read from these. (However, if you try writing to them you'll probably mess up your system.) They are not identical, and it seems that
/dev/mem doesn't let me access memory above 896MB (
High Memory Support in linux kernel parlance), so just use
To find that lost message in raw memory, it helps if you can remember a phrase from it. Then do
cat /proc/kcore | grep -a --color -C1 "a phrase from it"
This will search the memory treating it like text, and highlight the phrase when it's found. It also prints "one line" above and below the line where the text was found (although considering this is binary data, the notion of "a line" is somewhat diffuse). Anyway, you probably now have enough context to get your whole message. If not, increase it to
-C2 and so on.
This way I was able to recover my message.
In principle, you can also recover lost files this way, provided they are still in memory, but searching for binary data within binary data is a bit trickier, so it would take a clever approach.