Showing posts from January 2019

How to recover deleted file held open by Apache

If a file has been deleted but is still open, that means the file still exists in the filesystem (it has an inode) but has a hard link count of 0. Since there is no link to the file, you cannot open it by name. There is no facility to open a file by inode either.

Linux exposes open files through special symbolic links under /proc. These links are called /proc/12345/fd/42, where 12345 is the PID of a process and 42 is the number of a file descriptor in that process. A program running as the same user as that process can access the file (the read/write/execute permissions are the same as you had when the file was deleted).

The name under which the file was opened is still visible in the target of the symbolic link: if the file was /var/log/apache/foo.log, then the target of the link is /var/log/apache/foo.log (deleted). Thus you can recover the content of an open deleted file given the PID of a process that has it open and the descriptor that it's opened on like thi
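The /proc lookup and copy described above, as an added example that is not part of the original post. The function names, the background sleep standing in for Apache, and the temporary foo.log are assumptions made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): find and recover files that a
# process still holds open after they were deleted.

# list_deleted PID -> prints "FD<TAB>original path" for every descriptor whose
# /proc symlink target ends in " (deleted)".
list_deleted() {
    suffix=' (deleted)'
    for link in /proc/"$1"/fd/*; do
        target=$(readlink "$link" 2>/dev/null) || continue
        case $target in
            *"$suffix") printf '%s\t%s\n' "${link##*/}" "${target%"$suffix"}" ;;
        esac
    done
}

# recover_fd PID FD DEST -> copy the data still reachable through the descriptor.
# Run it as the user that owns the process (or root); it never overwrites DEST.
recover_fd() {
    src=/proc/$1/fd/$2
    if [ ! -e "$src" ]; then echo "no such descriptor: $src" >&2; return 1; fi
    if [ -e "$3" ]; then echo "refusing to overwrite $3" >&2; return 1; fi
    cp -- "$src" "$3"
}

# Constructed demo: a background sleep stands in for Apache holding foo.log.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'constructed log line\n' > "$dir/foo.log"
    exec 9< "$dir/foo.log"       # open before forking so the child inherits it
    sleep 30 <&9 >/dev/null 2>&1 &
    holder=$!
    exec 9<&-                    # only the holder keeps the file open now
    rm -- "$dir/foo.log"         # link count drops to 0, the inode stays
    fd=$(list_deleted "$holder" |
         awk -F'\t' -v p="$dir/foo.log" '$2 == p {print $1; exit}')
    recover_fd "$holder" "$fd" "$dir/recovered.log" && cat "$dir/recovered.log"
    status=$?
    kill "$holder" 2>/dev/null || true
    wait "$holder" 2>/dev/null || true
    rm -rf -- "$dir"
    return "$status"
}

demo
```

If the process is still writing to the file, the copy is a snapshot of the content at the moment cp reads it.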