Linux系统运维之Linux下使用extundelete恢复误删除文件-职坐标

Linux系统运维之Linux下使用extundelete恢复误删除文件

白羽 2018-07-11 来源：网络阅读 1471 评论 0

摘要：本文将带你了解Linux系统运维之Linux下使用extundelete恢复误删除文件，希望本文对大家学Linux有所帮助。

当发现某个分区的数据被误删除后，要做的第一件事是立刻卸载被误删除文件所在的分区，或者重新以只读方式挂载此分区。

这么做的原因其实很简单：删除一个文件，就是将文件inode节点中的扇区指针清除，同时，释放这些数据对应的数据块，而真实的文件还存留在磁盘分区中。但是这些被删除的文件不一定会一直存留在磁盘中，当这些释放的数据块被操作系统重新分配时，那些被删除的数据就会被覆盖。因此，在数据误删除后，马上卸载文件所在分区可以降低数据块中数据被覆盖的风险，进而提高成功恢复数据的机率。

操作系统版本：CentOS release 6.4 (Final) 软件版本：extundelete-0.2.4.tar.bz2

1.使用rz命令上传extundelete-0.2.4.tar.bz2到/tmp文件夹下并解压软件。

[root@localhost tmp]# tar -jxvf extundelete-0.2.4.tar.bz2

2.进入到extundelete解压的目录下面，执行编译安装。

[root@localhost test]# cd /tmp
[root@localhost tmp]# ls
extundelete-0.2.4 lrzsz-0.12.20 pulse-0Wu68Rqve4hx
extundelete-0.2.4.tar.bz2 lrzsz-0.12.20.tar.gz virtual-root.b6Z0Gt
[root@localhost tmp]# cd extundelete-0.2.4
[root@localhost extundelete-0.2.4]# ./configure
Configuring extundelete 0.2.4
configure: error: Can't find ext2fs library #根据提示找到ext2fs库文件进行安装
[root@localhost extundelete-0.2.4]# ./configure
Configuring extundelete 0.2.4
Writing generated files to disk

[root@localhost extundelete-0.2.4]# make
make -s all-recursive
Making all in src
[root@localhost extundelete-0.2.4]# make install
Making install in src
/usr/bin/install -c extundelete '/usr/local/bin'

3.新添加一块硬盘/dev/sdb1并划分区格式化挂载到/test，新建文件和目录如下。

[root@localhost /]# tree test
test
├── 1.txt
├── a
│ ├── a.txt
│ └── b
│ ├── a.txt
│ └── c
│ ├── a.txt
│ └── d
├── a.txt
├── hosts
├── kong.txt
├── lost+found
└── passwd

5 directories, 8 files

4.进入到挂载目录/test，然后删除挂载点里面的文件并卸载磁盘。

[root@localhost /]# rm -rf a a.txt 1.txt hosts kong.txt passwd
[root@localhost /]# ls /test
lost+found
[root@localhost /]# umount /test

5.使用extundelete查看/dev/sdb1目录和文件的inode号。

[root@localhost ~]# extundelete /dev/sdb1 --inode 2
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 41 groups loaded.
Group: 0
Contents of inode 2:
0000 | ed 41 00 00 00 10 00 00 f4 6e 9d 5a f2 6e 9d 5a | .A.......n.Z.n.Z
0010 | f2 6e 9d 5a 00 00 00 00 00 00 03 00 08 00 00 00 | .n.Z............
0020 | 00 00 00 00 00 00 00 00 39 03 00 00 00 00 00 00 | ........9.......
0030 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0040 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0050 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0060 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0070 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0080 | 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0090 | bd 68 9d 5a 00 00 00 00 00 00 00 00 00 00 00 00 | .h.Z............
00a0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00b0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00c0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00d0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00e0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00f0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................

Inode is Allocated
File mode: 16877
Low 16 bits of Owner Uid: 0
Size in bytes: 4096
Access time: 1520266996
Creation time: 1520266994
Modification time: 1520266994
Deletion Time: 0
Low 16 bits of Group Id: 0
Links count: 3
Blocks count: 8
File flags: 0
File version (for NFS): 0
File ACL: 0
Directory ACL: 0
Fragment address: 0
Direct blocks: 825, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
Indirect block: 0
Double indirect block: 0
Triple indirect block: 0

File name | Inode number | Deleted status
. 2
.. 2
lost+found 11
1.txt 12 Deleted
a 8017 Deleted
hosts 13 Deleted
passwd 14 Deleted
a.txt 15 Deleted
kong.txt 16 Deleted

6.使用extundelete命令进行文件和目录的恢复。

(1)通过inode号恢复（文件名会有变更）；

[root@localhost test]# extundelete /dev/sdb1 --restore-inode 12
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 41 groups loaded.
Loading journal descriptors ... 101 descriptors loaded.
[root@localhost test]# ls
RECOVERED_FILES
[root@localhost test]# cd RECOVERED_FILES/
[root@localhost RECOVERED_FILES]# ls
file.12
[root@localhost RECOVERED_FILES]# cat file.12
1111

(2)通过文件名恢复；

[root@localhost RECOVERED_FILES]# extundelete /dev/sdb1 --restore-file passwd
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 41 groups loaded.
Loading journal descriptors ... 101 descriptors loaded.
Successfully restored file passwd
[root@localhost RECOVERED_FILES]# cd RECOVERED_FILES/
[root@localhost RECOVERED_FILES]# cat passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown

(3)通过目录名称恢复(空目录是不会被恢复的);

[root@localhost test]# extundelete /dev/sdb1 --restore-directory a
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 41 groups loaded.
Loading journal descriptors ... 101 descriptors loaded.
Searching for recoverable inodes in directory a ...
13 recoverable inodes found.
Looking through the directory structure for deleted files ...
7 recoverable inodes still lost.
[root@localhost test]# ls
RECOVERED_FILES
[root@localhost test]# cd RECOVERED_FILES/
[root@localhost RECOVERED_FILES]# ls
a
[root@localhost RECOVERED_FILES]# tree a
a
├── a.txt
└── b
├── a.txt
└── c
└── a.txt

2 directories, 3 files

(4)恢复所有文件和目录，不包括空文件和空目录；

[root@localhost test]# extundelete /dev/sdb1 --restore-all
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 41 groups loaded.
Loading journal descriptors ... 101 descriptors loaded.
Searching for recoverable inodes in directory / ...
13 recoverable inodes found.
Looking through the directory structure for deleted files ...
1 recoverable inodes still lost.
[root@localhost test]# ls
RECOVERED_FILES
[root@localhost test]# cd RECOVERED_FILES/
[root@localhost RECOVERED_FILES]# ls
1.txt a a.txt hosts kong.txt passwd
[root@localhost RECOVERED_FILES]# tree
.
├── 1.txt
├── a
│ ├── a.txt
│ └── b
│ ├── a.txt
│ └── c
│ └── a.txt
├── a.txt
├── hosts
├── kong.txt
└── passwd