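Recovering accidentally deleted files on Linux with extundelete
When you discover that data on a partition has been deleted by mistake, the first thing to do is immediately unmount the partition that held the deleted files, or remount it read-only.
The reason is simple: deleting a file clears the sector pointers in the file's inode and releases the corresponding data blocks, while the actual file contents remain on the disk partition. The deleted files will not necessarily stay on disk forever, though: once the operating system reallocates the freed data blocks, the deleted data is overwritten. Unmounting the partition right after an accidental deletion therefore lowers the risk that the data in those blocks is overwritten, which raises the chance of a successful recovery.
Operating system version: CentOS release 6.4 (Final). Software version: extundelete-0.2.4.tar.bz2
1. Use the rz command to upload extundelete-0.2.4.tar.bz2 to the /tmp directory, then extract it.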
[root@localhost tmp]# tar -jxvf extundelete-0.2.4.tar.bz2
2. Change into the extracted extundelete directory, then compile and install.
[root@localhost tmp]# ls
extundelete-0.2.4 lrzsz-0.12.20 pulse-0Wu68Rqve4hx
extundelete-0.2.4.tar.bz2 lrzsz-0.12.20.tar.gz virtual-root.b6Z0Gt
[root@localhost tmp]# cd extundelete-0.2.4
[root@localhost extundelete-0.2.4]# ./configure
Configuring extundelete 0.2.4
configure: error: Can't find ext2fs library # follow the hint: find and install the ext2fs library files
[root@localhost extundelete-0.2.4]# ./configure
Configuring extundelete 0.2.4
Writing generated files to disk
make -s all-recursive
Making all in src
[root@localhost extundelete-0.2.4]# make install
Making install in src
/usr/bin/install -c extundelete '/usr/local/bin'
3. Add a new disk (/dev/sdb1), partition and format it, mount it on /test, and create files and directories as follows.
[root@localhost /]# tree test
test
├── 1.txt
├── a
│   ├── a.txt
│   └── b
│       ├── a.txt
│       └── c
│           ├── a.txt
│           └── d
├── a.txt
├── hosts
├── kong.txt
├── lost+found
└── passwd
5 directories, 8 files
4. Change into the mount directory /test, delete the files under the mount point, then unmount the disk.
[root@localhost /]# rm -rf a a.txt 1.txt hosts kong.txt passwd
[root@localhost /]# ls /test
lost+found
[root@localhost /]# umount /test
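5. Use extundelete to view the inode numbers of the directories and files on /dev/sdb1.
6. Use the extundelete command to recover files and directories.
(1) Recover by inode number (the file name will be changed);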
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 41 groups loaded.
Loading journal descriptors ... 101 descriptors loaded.
[root@localhost test]# ls
RECOVERED_FILES
[root@localhost test]# cd RECOVERED_FILES/
[root@localhost RECOVERED_FILES]# ls
file.12
[root@localhost RECOVERED_FILES]# cat file.12
1111
(2) Recover by file name;
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 41 groups loaded.
Loading journal descriptors ... 101 descriptors loaded.
Successfully restored file passwd
[root@localhost RECOVERED_FILES]# cd RECOVERED_FILES/
[root@localhost RECOVERED_FILES]# cat passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
(3) Recover by directory name (empty directories are not recovered);
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 41 groups loaded.
Loading journal descriptors ... 101 descriptors loaded.
Searching for recoverable inodes in directory a ...
13 recoverable inodes found.
Looking through the directory structure for deleted files ...
7 recoverable inodes still lost.
[root@localhost test]# ls
RECOVERED_FILES
[root@localhost test]# cd RECOVERED_FILES/
[root@localhost RECOVERED_FILES]# ls
a
[root@localhost RECOVERED_FILES]# tree a
a
├── a.txt
└── b
    ├── a.txt
    └── c
        └── a.txt
2 directories, 3 files
(4) Recover all files and directories, excluding empty files and empty directories;
[root@localhost test]# extundelete /dev/sdb1 --restore-all
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 41 groups loaded.
Loading journal descriptors ... 101 descriptors loaded.
Searching for recoverable inodes in directory / ...
13 recoverable inodes found.
Looking through the directory structure for deleted files ...
1 recoverable inodes still lost.
[root@localhost test]# ls
RECOVERED_FILES
[root@localhost test]# cd RECOVERED_FILES/
[root@localhost RECOVERED_FILES]# ls
1.txt a a.txt hosts kong.txt passwd
[root@localhost RECOVERED_FILES]# tree
.
├── 1.txt
├── a
│   ├── a.txt
│   └── b
│       ├── a.txt
│       └── c
│           └── a.txt
├── a.txt
├── hosts
├── kong.txt
└── passwd
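The advice at the top of this article (unmount the partition, or remount it read-only, before attempting recovery) can be enforced with a guard in front of extundelete. The following sh code is an added example, not part of the original article or of extundelete; the helper names mount_state and safe_extundelete and the sample mount table are assumptions made for illustration, and the device must be named exactly as it appears in /proc/mounts.

```sh
#!/bin/sh
# Added example, not from the original article.

# Constructed sample in /proc/mounts format; it mirrors the article's
# /dev/sdb1 on /test, the other entries are made up.
sample_mounts() {
    printf '%s\n' \
        '/dev/sda1 / ext4 rw,relatime 0 0' \
        '/dev/sdb1 /test ext4 rw,relatime 0 0' \
        '/dev/sdc1 /data ext4 ro,relatime 0 0'
}

# mount_state DEVICE [MOUNTS_FILE]: prints "unmounted", "ro" or "rw".
# A device mounted in several places counts as "rw" if any mount is rw.
mount_state() {
    awk -v dev="$1" '
        $1 == dev {
            seen = 1
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "rw") rw = 1
        }
        END { print (seen ? (rw ? "rw" : "ro") : "unmounted") }
    ' "${2:-/proc/mounts}"
}

# safe_extundelete MOUNTS_FILE DEVICE [extundelete options...]
# Runs extundelete only when DEVICE is unmounted or mounted read-only,
# so freed blocks cannot be reallocated while recovery is in progress.
safe_extundelete() {
    se_mounts=$1 se_dev=$2
    shift 2
    if [ "$(mount_state "$se_dev" "$se_mounts")" = "rw" ]; then
        echo "refusing: $se_dev is mounted read-write;" \
             "umount it or remount it with -o remount,ro first" >&2
        return 1
    fi
    extundelete "$se_dev" "$@"
}

# Demo against the constructed sample only; the real system is not touched.
demo_file=$(mktemp)
sample_mounts > "$demo_file"
for d in /dev/sdb1 /dev/sdc1 /dev/sdd1; do
    printf '%s: %s\n' "$d" "$(mount_state "$d" "$demo_file")"
done
rm -f "$demo_file"
```

On a real system, pass /proc/mounts as the first argument, for example: safe_extundelete /proc/mounts /dev/sdb1 --restore-all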