recover lost stuff from memory

September 10th, 2007

This has probably happened to you before. I'm painstakingly typing a long email in Gmail and I'm not sure that I should send it yet, because it feels like I'm forgetting to mention something. So I want to save it as a draft so I can finish it later. Somehow I hit Discard instead. Gmail flashes the notice "Your message has been discarded", but I don't usually read those messages, so I navigate away from the page, and *just* as I click the link the meaning of the message dawns on me. Shit. Now it's too late to undo the action. Son of a.

Okay, relax, perhaps all is not lost. A couple of weeks ago I went over how you can find stuff on disk by searching the raw data. The same *can* be done with memory. Just because the message is gone from the page and Gmail no longer displays it doesn't mean it's gone from RAM: the browser (or the kernel, in page cache or freed-but-not-yet-reused pages) may well still hold a copy. It just isn't being displayed anywhere, and nothing has overwritten it yet, so the sooner you look, the better.

There are two interfaces to physical memory: /dev/mem and /proc/kcore. As root, you can read from both. (Don't write to /dev/mem: nothing sanity-checks what you poke into a live system, and /proc/kcore is read-only anyway.) They are not identical. /dev/mem is a flat byte-for-byte view of physical addresses, whereas /proc/kcore is an ELF core image of the kernel's *virtual* address space, in which RAM shows up through the kernel's direct mapping alongside the kernel text and other regions. It seems that /dev/mem doesn't let me access memory above 896MB (the lowmem boundary on 32-bit kernels, "High Memory Support" in kernel config parlance), so just use /proc/kcore. One caveat for anyone trying this on a current kernel: CONFIG_STRICT_DEVMEM limits /dev/mem to a sliver of the first megabyte plus non-RAM regions, and kernel lockdown (common under Secure Boot) refuses to open /proc/kcore at all, so root is no longer a guarantee that either door is open.

To find that lost message in raw memory, it helps if you can remember a distinctive phrase from it (something unlikely to appear in a thousand other places in RAM). Then, as root, do

grep -a --color -C1 "a phrase from it" /proc/kcore

(grep reads the file itself; piping it through cat just adds a copy.) The -a flag makes grep treat the memory image as text rather than bailing out with "Binary file matches", and --color highlights the phrase when it's found. -C1 also prints "one line" above and below the line where the text was found, although considering this is binary data, the notion of "a line" is somewhat diffuse: a line is whatever sits between two newline bytes, which may be a few characters or many megabytes of garbage, and grep has to hold the whole thing in memory to print it. Anyway, you probably now have enough context to get your whole message. If not, increase it to -C2 and so on. Expect the search to take a while and to produce several hits if the text was copied around (the browser's own buffers, the network stack, the page cache); on a 64-bit kernel /proc/kcore also reports an enormous size because some of its segments are vast, mostly empty virtual ranges rather than RAM.

This way I was able to recover my message.

In principle, you can also recover lost files this way, provided they are still in memory (in the page cache, say), but searching for binary data within binary data is trickier: you need something recognisable to search for, such as the file format's header bytes, and a file that spans more than one page is not guaranteed to be contiguous in memory, so it would take a cleverer approach than a single grep.


10 Responses to "recover lost stuff from memory"

  1. erik says:

    This actually only happened to me once. Ever since, I've been so paranoid I double check before I hit either save or discard.

  2. numerodix says:

    Yeah, me too. But once is one time too many. Besides, it also works for cases like you're typing something in a browser and it crashes. Firefox is smart about this and saves the text, but others don't. Or any other application for that matter.

  3. Dieter says:

    Wow, this is a great trick!
    I've been thinking something like this should be possible on Linux, but I didn't know it was this simple!

  4. hbo999 says:

    Really great. However, may I know where to execute the command line cat /proc/kcore | grep -a --color -C1 "a phrase from it"? Sorry for my very basic question.

  5. numerodix says:

    I guess you're asking how to run this command. You run it on the command line. Here's an introduction to that: http://www.freesoftwaremagazine.com/articles/command_line_intro

  6. hbo999 says:

    Thanks. However what you replied is for Linux system. I'm using Windows XP. I tried to run the command above at cmd, but it didn't work. Is there a way to run the command in XP? Thanks a million.

  7. numerodix says:

    I'm afraid not. This is a linux topic blog, btw. You'll find very little information about Windows here.

  8. AI says:

    I don't see why it doesn't work on my Mac..
    I would be so grateful if you can explain how to do it on a Mac.. (?)

  9. [...] recover lost stuff from memory ~ numerodix blog – August 25th (tags: blog data linux lost memory ram recover file deleted undelete tip trick grep) [...]

  10. roy stanley says:

    what about recovering pictures?