This answer quotes ChatGPT
In Linux, wtmp and utmp log files record user login and logout information. These log files are stored in /var/log/wtmp and /var/run/utmp files. If you empty these log files with the echo command, the information that was originally stored in the log files will be overwritten, so it is not easy to recover the log files.
Although these log files are themselves binary files, there are tools that can be used to analyze and view them, such as the last and who commands that can read login and logout information from the log files. If the wtmp and utmp files are cleared, you can run the last command to view the previous login information, but the logged out user information cannot be restored.
In addition to using the last and who commands to view the historical login information, you can also use the backup and restore method to recover the deleted log files. If the system backs up these log files regularly, and the backup is made before the log files are emptied, the original log files can be restored from the backup. Otherwise, recovering these log files will be difficult because the information they store has already been overwritten. Therefore, to avoid data loss, you are advised to periodically back up log files and save backup data.
