下载安装 extundelete 之前要安装两个软件包 e2fsprogs 和 e2fsprogs-libs
安装顺序:e2fsprogs --> e2fsprogs-libs --> extundelete 逐一编译安装
[root@crushlinux ~]# wget http://jaist.dl.sourceforge.net/project/e2fsprogs/e2fsprogs/1.41.14/e2fsprogs-1.41.14.tar.gz
[root@crushlinux ~]# wget http://jaist.dl.sourceforge.net/project/e2fsprogs/e2fsprogs/1.41.14/e2fsprogs-libs-1.41.14.tar.gz
[root@crushlinux ~]# wget http://jaist.dl.sourceforge.net/project/extundelete/extundelete/0.2.4/extundelete-0.2.4.tar.bz2
[root@crushlinux ~]# tar xf e2fsprogs-1.41.14.tar.gz -C /usr/src/
[root@crushlinux ~]# cd /usr/src/e2fsprogs-1.41.14/
[root@crushlinux e2fsprogs-1.41.14]# ./configure
[root@crushlinux e2fsprogs-1.41.14]# make && make install
[root@crushlinux ~]# tar xf e2fsprogs-libs-1.41.14.tar.gz -C /usr/src/
[root@crushlinux ~]# cd /usr/src/e2fsprogs-libs-1.41.14/
[root@crushlinux e2fsprogs-libs-1.41.14]# ./configure
[root@crushlinux e2fsprogs-libs-1.41.14]# make && make install
[root@crushlinux ~]# tar xf extundelete-0.2.4.tar.bz2 -C /usr/src/
[root@crushlinux ~]# cd /usr/src/extundelete-0.2.4/
[root@crushlinux extundelete-0.2.4]# ./configure
[root@crushlinux extundelete-0.2.4]# make && make install
模拟实验环境:
新添加一块硬盘并对其进行分区格式化成ext4,将其挂在到/backupdata目录上,建立测试文件和目录。
[root@crushlinux ~]# fdisk /dev/sdb
Command (m for help): n
Command action
e extended
p primary partition (1-4)
p
Partition number (1-4): 1
First cylinder (1-2610, default 1):
Using default value 1
Last cylinder, +cylinders or +size{K,M,G} (1-2610, default 2610): +200M
Command (m for help): w
[root@crushlinux ~]# partprobe /dev/sdb
[root@crushlinux ~]# mkfs.ext4 /dev/sdb1
[root@crushlinux ~]# mkdir /backupdata/
[root@crushlinux ~]# mount /dev/sdb1 /backupdata/
[root@crushlinux ~]# mkdir /backupdata/gnutool-delete
[root@crushlinux ~]# cd /backupdata/gnutool-delete
[root@crushlinux gnutool-delete]# man 7 man > file1.txt
[root@crushlinux gnutool-delete]# man 7 man > file2.txt
[root@crushlinux gnutool-delete]# mkdir folder; cd folder; man 7 man >file1.txt
[root@crushlinux folder]# cd ../
获取文件校验码
[root@crushlinux gnutool-delete]# md5sum file*
06da9233bf8c0836e4d45e28dfb2b511 file1.txt
06da9233bf8c0836e4d45e28dfb2b511 file2.txt
[root@crushlinux gnutool-delete]# md5sum folder/file1.txt
06da9233bf8c0836e4d45e28dfb2b511 folder/file1.txt
[root@crushlinux gnutool-delete]# cd ../
删除测试文件或目录
[root@crushlinux backupdata]# rm -rf gnutool-delete/
将设备卸载或者改成只读,防止数据被覆盖使用
[root@crushlinux backupdata]# cd ../
[root@crushlinux /]# umount /backupdata/ 或者
[root@crushlinux ~]# mount -o remount,ro /dev/sdb1
查询恢复数据信息,注意这里的--inode 2 这里会扫描分区 :
[root@crushlinux /]# extundelete /dev/sdb1 --inode 2
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 26 groups loaded.
Group: 0
Contents of inode 2:
0000 | ed 41 00 00 00 04 00 00 37 79 29 53 3a 79 29 53 | .A......7y)S:y)S
0010 | 3a 79 29 53 00 00 00 00 00 00 03 00 02 00 00 00 | :y)S............
0020 | 00 00 00 00 02 00 00 00 d3 10 00 00 00 00 00 00 | ................
0030 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0040 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0050 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0060 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0070 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
Inode is Allocated
File mode: 16877
Low 16 bits of Owner Uid: 0
Size in bytes: 1024
Access time: 1395226935
Creation time: 1395226938
Modification time: 1395226938
Deletion Time: 0
Low 16 bits of Group Id: 0
Links count: 3
Blocks count: 2
File flags: 0
File version (for NFS): 0
File ACL: 0
Directory ACL: 0
Fragment address: 0
Direct blocks: 4307, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
Indirect block: 0
Double indirect block: 0
Triple indirect block: 0
File name | Inode number | Deleted status
. 2
.. 2
lost+found 11
gnutool-delete 12 Deleted
Deleted status标记为 Deleted 是已经删除的文件或目录
默认恢复到当前所在目录下的 RECOVERED_FILES 目录中去。准备一个可以读写的分区,注意不要再丢失数据的分区哦!
[root@crushlinux /]# extundelete /dev/sdb1 --restore-all
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 26 groups loaded.
Loading journal descriptors ... 43 descriptors loaded.
Searching for recoverable inodes in directory / ...
5 recoverable inodes found.
Looking through the directory structure for deleted files ...
0 recoverable inodes still lost.
[root@crushlinux /]# cd RECOVERED_FILES/gnutool-delete/
[root@crushlinux gnutool-delete]# ls
file1.txt file2.txt folder
查看校验码与之前所得是否完全一致
[root@crushlinux gnutool-delete]# md5sum file*
06da9233bf8c0836e4d45e28dfb2b511 file1.txt
06da9233bf8c0836e4d45e28dfb2b511 file2.txt
[root@crushlinux gnutool-delete]# md5sum folder/file1.txt
06da9233bf8c0836e4d45e28dfb2b511 folder/file1.txt
1、恢复所有文件
extundelete /dev/sdb1 –restore-all
2、恢复目录
extundelete /dev/sdb1 —-restore-directory /backupdata/gnutool-delete
3、恢复文件
extundelete /dev/sdb1 —-restore-files /backupdata/gnutool-delete/file1.txt
4、恢复多个文件
创建一个空白文件,内容为要恢复的文件列表,一个文件一行哦!
vim restore
/backupdata/gnutool-delete/file1.txt
/backupdata/gnutool-delete/file2.txt
/backupdata/gnutool-delete/folder/file1.txt
extundelete /dev/sdb1 —-restore-files 'restore'
5、根据时间恢复
假如删除的时间大概是2014-05-04 14:30
[root@crushlinux ~]# date -d "may 04 14:30" +%s
1399185000 得出秒数
恢复此时间后删除的所有文件
/usr/local/bin/extundelete /dev/sdb1 --after 1399185000 --restore-all
6、根据文件的inode恢复
extundelete /dev/sdb1 --restore-inode 77883
7、查看命令帮助
extundelete --help
应用总结:extundelete基于整个磁盘的恢复功能较为强大,基于目录和文件的恢复还不够完善。如果误删除了文件,记住对磁盘不要进行任何操作,保留好现场哦!
切记:硬盘有价,数据无价!!
恢复Linux误删除文件系列之通过文件打开的PID和文件的句柄来恢复
环境描述:
当前系统中有多个用户登录,其中一个用户对某个文件进行修改,另一个用户对文件执行了删除操作。
例如通过cat命令往文件里输入内容
[root@rhel6 ~]# cat >> /tmp/restore
hello
hi
haha
而在另一个终端删除这个文件
[root@rhel6 ~]# rm -rf /tmp/restore
解决方法:
通过文件打开的PID和打开文件的句柄来恢复
[root@rhel6 ~]# lsof |grep -i delete |grep restore
cat 23308 root 1w REG 8,5 14 73 /tmp/restore (deleted)
[root@rhel6 ~]# cd /proc/23308/fd
fd/ fdinfo/
[root@rhel6 ~]# cd /proc/23308/fd
[root@rhel6 fd]# ls
0 1 2
[root@rhel6 fd]# cp 1 /tmp/restore
[root@rhel6 fd]# cat /tmp/restore
hello
hi
haha
ok文件恢复了~~
切记:硬盘有价,数据无价!!
本文出自 “Crushlinux” 博客,请务必保留此出处http://crushlinux.blog.51cto.com/2663646/1407622
