A note first:

    [[email protected] ~]# rm -rf /     # this command cannot be executed
    [[email protected] ~]# rm -rf /*    # this command can be executed; do not try it

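Files deleted by mistake on an ext4 filesystem can be recovered with extundelete. For ext3, use ext3grep. On Windows, use tools such as FinalData v2.0 (Chinese-localized edition) and EasyRecovery.
After an accidental deletion, the first thing to do is keep the contents of the deleted files from being overwritten. To do that, unmount the partition that holds the files to be recovered, or mount it read-only.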
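The check described above can be scripted before any recovery tool is started. The following is an added example, not part of the original article: the function names are hypothetical, the table is a constructed sample in `/proc/mounts` format using the device names from the lab setup below, and it assumes absolute paths without spaces and devices named exactly as they appear in the table.

```shell
#!/bin/sh
# Added example (not from the original article). Reads a table in /proc/mounts format.

# mount_state DEVICE [TABLE] -> prints "unmounted", "ro" or "rw"
mount_state() {
    awk -v dev="$1" '
        $1 == dev {
            state = "ro"
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "rw") state = "rw"
            # the device may be mounted more than once; any rw mount wins
            if (state == "rw" || best == "") best = state
        }
        END { print (best == "" ? "unmounted" : best) }
    ' "${2:-/proc/mounts}"
}

# device_for_path ABSOLUTE_PATH [TABLE] -> device of the longest matching mount point
device_for_path() {
    awk -v p="$1/" '
        {
            pre = ($2 == "/") ? "/" : $2 "/"
            if (index(p, pre) == 1 && length($2) >= length(bestmp)) {
                bestmp = $2; bestdev = $1
            }
        }
        END { print bestdev }
    ' "${2:-/proc/mounts}"
}

# safe_to_recover DEVICE OUTDIR [TABLE]: succeeds only when DEVICE is not
# mounted read-write and OUTDIR lives on a different filesystem.
safe_to_recover() {
    [ "$(mount_state "$1" "${3:-/proc/mounts}")" != rw ] &&
        [ "$(device_for_path "$2" "${3:-/proc/mounts}")" != "$1" ]
}

# Constructed sample table (device names follow the article's lab setup).
sample_table() {
    cat <<'EOF'
/dev/mapper/vg_centos6-lv_root / ext4 rw,relatime 0 0
/dev/sda1 /boot ext4 rw,relatime 0 0
/dev/sdb1 /newpar ext4 rw,relatime 0 0
EOF
}
```

On a live system, `safe_to_recover /dev/sdb1 "$PWD"` reads the real `/proc/mounts` and fails while the partition is still mounted read-write or when the current directory is on the partition being recovered.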
(1). Download extundelete
https://sourceforge.net/ (open-source software distribution hub)
https://github.com/ (GitHub project hosting platform)
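(2). Prepare the lab environment
VMware 12, CentOS 6.8, with an additional 20 GB disk.
If you are not sure how to do this, see "Linux: from partitioning an empty disk to mounting it".
Here the partition sdb1 is created and mounted on /newpar.
The CentOS 6.8 installation ISO is also mounted on /mnt.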
(3). Copy some test files, then delete them, to prepare for the recovery test.
To show the result more clearly, install tree first.

    [[email protected] ~]# rpm -ivh /mnt/Packages/tree-1.5.3-3.el6.x86_64.rpm
    warning: /mnt/Packages/tree-1.5.3-3.el6.x86_64.rpm: Header V3 RSA/SHA1 Signature, key ID c105b9de: NOKEY
    Preparing...                ########################################### [100%]
       1:tree                   ########################################### [100%]

Now copy the files:

    [[email protected] ~]# cp /etc/passwd /newpar/
    [[email protected] ~]# cp /etc/hosts /newpar/
    [[email protected] ~]# echo abc > a.txt
    [[email protected] ~]# mkdir -p /newpar/a/b/c/
    [[email protected] ~]# cp a.txt /newpar/a/
    [[email protected] ~]# cp a.txt /newpar/a/b/
    [[email protected] ~]# touch /newpar/a/b/test.txt
    [[email protected] ~]# tree /newpar/
    /newpar/
    ├── a
    │   ├── a.txt
    │   └── b
    │       ├── a.txt
    │       ├── c           # empty
    │       └── test.txt    # empty
    ├── hosts
    ├── lost+found
    └── passwd

    4 directories, 5 files

Now delete them:

    [[email protected] ~]# rm -rf /newpar/{a,hosts,passwd}
    [[email protected] ~]# ls /newpar/
    lost+found

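The files are deleted. Remember the first step after an accidental deletion: unmount the partition. If the files were under the root directory, see (7). Extension 2.

    [[email protected] ~]# umount /newpar/    # you cannot unmount while your working directory is inside the mount point
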
Use df -a to view the mount points of the filesystems:

    [[email protected] ~]# df -a
    Filesystem                     1K-blocks    Used Available Use% Mounted on
    /dev/mapper/vg_centos6-lv_root  17938864 3958368  13062584  24% /
    proc                                   0       0         0    - /proc
    sysfs                                  0       0         0    - /sys
    devpts                                 0       0         0    - /dev/pts
    tmpfs                             953652      72    953580   1% /dev/shm
    /dev/sda1                         487652   40913    421139   9% /boot
    /dev/sr0                         3824484 3824484         0 100% /mnt
    none                                   0       0         0    - /proc/sys/fs/binfmt_misc
    [[email protected] ~]# mkdir /cdrom
    [[email protected] ~]# mount /dev/sr0 /cdrom/
    mount: block device /dev/sr0 is write-protected, mounting read-only
    [[email protected] ~]# df -a
    Filesystem                     1K-blocks    Used Available Use% Mounted on
    /dev/mapper/vg_centos6-lv_root  17938864 3958372  13062580  24% /
    proc                                   0       0         0    - /proc
    sysfs                                  0       0         0    - /sys
    devpts                                 0       0         0    - /dev/pts
    tmpfs                             953652      72    953580   1% /dev/shm
    /dev/sda1                         487652   40913    421139   9% /boot
    /dev/sr0                         3824484 3824484         0 100% /mnt
    none                                   0       0         0    - /proc/sys/fs/binfmt_misc
    /dev/sr0                         3824484 3824484         0 100% /cdrom

(4). Install extundelete
Upload the downloaded extundelete archive to the server.

    [[email protected] ~]# ls
    anaconda-ks.cfg             install.log         模板  文档  桌面
    a.txt                       install.log.syslog  视频  下载
    extundelete-0.2.4.tar.bz2   公共的              图片  音乐

Extract the archive:

    [[email protected] ~]# tar -jxvf extundelete-0.2.4.tar.bz2    # -j filters the archive through bzip2

Install the dependencies (my CentOS 6.8 image seems to be incomplete; gcc-c++ and e2fsprogs-devel can in fact also be installed with rpm -ivh):

    [[email protected] extundelete-0.2.4]# yum -y install gcc-c++
    [[email protected] extundelete-0.2.4]# yum -y install e2fsprogs-devel

Build and install extundelete:

    [[email protected] ~]# cd extundelete-0.2.4
    [[email protected] extundelete-0.2.4]# ./configure    # checks the build environment in order to generate the Makefile
    Configuring extundelete 0.2.4
    Writing generated files to disk
    [[email protected] extundelete-0.2.4]# make -j 4      # compiles the source into an executable binary; -j 4 builds with 4 processes (or 4 cores) in parallel to speed things up, adjust to your machine
    make  -s all-recursive
    Making all in src
    extundelete.cc:571: 警告:未使用的参数‘flags’
    [[email protected] extundelete-0.2.4]# make install   # install
    Making install in src
      /usr/bin/install -c extundelete '/usr/local/bin'   # the binary is placed in this directory

(5). Recover the files
Create a directory and save the recovered files into it.

    [[email protected] ~]# umount /dev/sdb1    # make sure the partition is unmounted
    umount: /dev/sdb1: not mounted
    [[email protected] ~]# mkdir test          # create the test directory
    [[email protected] ~]# cd test/
    [[email protected] test]# ls

Look up the inode numbers:

    [[email protected] test]# extundelete /dev/sdb1 --inode 2    # the root directory of an ext4 partition has inode 2; the root directory of an xfs partition has inode 64
    NOTICE: Extended attributes are not restored.
    Loading filesystem metadata ... 160 groups loaded.
    Group: 0
    Contents of inode 2:
    0000 | ed 41 00 00 00 10 00 00 60 7b 2e 5c 4e 7b 2e 5c | .A......`{./N{./
    0010 | 4e 7b 2e 5c 00 00 00 00 00 00 03 00 08 00 00 00 | N{./............
    0020 | 00 00 00 00 06 00 00 00 21 24 00 00 00 00 00 00 | ........!$......
    0030 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
    0040 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
    0050 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
    0060 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
    0070 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
    0080 | 1c 00 00 00 a8 37 a3 c1 a8 37 a3 c1 7c d2 20 60 | .....7...7..|. `
    0090 | 7a 72 2e 5c 00 00 00 00 00 00 00 00 00 00 00 00 | zr./............
    00a0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
    00b0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
    00c0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
    00d0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
    00e0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
    00f0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................

    Inode is Allocated
    File mode: 16877
    Low 16 bits of Owner Uid: 0
    Size in bytes: 4096
    Access time: 1546550112
    Creation time: 1546550094
    Modification time: 1546550094
    Deletion Time: 0
    Low 16 bits of Group Id: 0
    Links count: 3
    Blocks count: 8
    File flags: 0
    File version (for NFS): 0
    File ACL: 0
    Directory ACL: 0
    Fragment address: 0
    Direct blocks: 9249, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
    Indirect block: 0
    Double indirect block: 0
    Triple indirect block: 0

    File name                                       | Inode number | Deleted status
    .                                                 2
    ..                                                2
    lost+found                                        11
    passwd                                            12             Deleted
    hosts                                             13             Deleted
    a                                                 262145         Deleted

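To pull the recoverable entries and the inode fields out of a listing like the one above, the output can be parsed with awk. This is an added example, not part of the original article: the function names are hypothetical, and the sample is constructed from the output shown above, assuming one field per line as in the listing.

```shell
#!/bin/sh
# Added example (not from the original article).

# deleted_entries: reads `extundelete DEVICE --inode N` output on stdin and
# prints "<inode><TAB><name>" for every directory entry marked Deleted.
deleted_entries() {
    awk '
        /File name.*Inode number/ { in_list = 1; next }
        in_list && $NF == "Deleted" {
            inode = $(NF - 1)
            name = $0
            sub(/[ \t]+[0-9]+[ \t]+Deleted[ \t]*$/, "", name)   # drop the two right-hand columns
            sub(/^[ \t]+/, "", name)
            print inode "\t" name
        }
    '
}

# inode_field NAME: prints the value of one "NAME: value" line from stdin.
inode_field() {
    awk -F': *' -v k="$1" '$1 == k { print $2; exit }'
}

# decode_mode DECIMAL_MODE: prints "<type> <octal permissions>" for a File mode value.
decode_mode() {
    case $(( $1 & 61440 )) in          # 0170000, the file-type bits
        16384) kind=directory ;;       # 0040000
        32768) kind=regular ;;         # 0100000
        40960) kind=symlink ;;         # 0120000
        *)     kind=other ;;
    esac
    printf '%s %04o\n' "$kind" $(( $1 & 4095 ))
}

# Constructed sample: an excerpt of the listing shown in the article.
sample_listing() {
    cat <<'EOF'
Inode is Allocated
File mode: 16877
Deletion Time: 0
File name                                       | Inode number | Deleted status
.                                                 2
..                                                2
lost+found                                        11
passwd                                            12             Deleted
hosts                                             13             Deleted
a                                                 262145         Deleted
EOF
}
```

For inode 2 above, `decode_mode 16877` gives `directory 0755`, and the Deletion Time of 0 matches the "Inode is Allocated" line: the root directory itself was never deleted, only the three entries inside it.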
1) Recover by inode
Using the inode numbers listed above, recover passwd with the --restore-inode option:

    [[email protected] test]# extundelete /dev/sdb1 --restore-inode 12
    NOTICE: Extended attributes are not restored.
    Loading filesystem metadata ... 160 groups loaded.
    Loading journal descriptors ... 67 descriptors loaded.
    [[email protected] test]# ls -l
    总用量 4
    drwxr-xr-x. 2 root root 4096 1月   4 07:07 RECOVERED_FILES    # a new directory has appeared
    [[email protected] test]# cd RECOVERED_FILES/
    [[email protected] RECOVERED_FILES]# ls
    file.12    # this is the recovered file
    [[email protected] RECOVERED_FILES]# diff /etc/passwd file.12    # compare the two; no output means they are identical

2) Recover by file name
passwd can also be recovered by the file name listed above, using the --restore-file option. This restores the file name as well.

    [[email protected] test]# extundelete /dev/sdb1 --restore-file passwd
    NOTICE: Extended attributes are not restored.
    Loading filesystem metadata ... 160 groups loaded.
    Loading journal descriptors ... 67 descriptors loaded.
    Successfully restored file passwd
    [[email protected] test]# ls RECOVERED_FILES/
    file.12  passwd    # a file named passwd has been recovered
    [[email protected] test]# diff RECOVERED_FILES/file.12 RECOVERED_FILES/passwd    # the two files have the same content

3) Recover a directory
Use the --restore-directory option to recover the directory a. Note: empty directories and empty files cannot be recovered.

    [[email protected] test]# extundelete /dev/sdb1 --restore-directory a
    NOTICE: Extended attributes are not restored.
    Loading filesystem metadata ... 160 groups loaded.
    Loading journal descriptors ... 67 descriptors loaded.
    Searching for recoverable inodes in directory a ...
    7 recoverable inodes found.
    Looking through the directory structure for deleted files ...
    3 recoverable inodes still lost.    # 3 recoverable inodes are still lost
    [[email protected] test]# tree RECOVERED_FILES/a/
    RECOVERED_FILES/a/
    ├── a.txt
    └── b
        └── a.txt    # the empty directory c and the empty file test.txt are missing

    1 directory, 2 files

4) Recover all files
Use the --restore-all option to recover everything. Note: empty directories and empty files cannot be recovered.

    [[email protected] test]# rm -rf *
    [[email protected] test]# ls
    [[email protected] test]# extundelete /dev/sdb1 --restore-all
    NOTICE: Extended attributes are not restored.
    Loading filesystem metadata ... 160 groups loaded.
    Loading journal descriptors ... 67 descriptors loaded.
    Searching for recoverable inodes in directory / ...
    7 recoverable inodes found.
    Looking through the directory structure for deleted files ...
    0 recoverable inodes still lost.
    [[email protected] test]# tree RECOVERED_FILES/
    RECOVERED_FILES/
    ├── a
    │   ├── a.txt
    │   └── b
    │       └── a.txt    # the empty directory c and the empty file test.txt are missing
    ├── hosts
    └── passwd

    2 directories, 4 files

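(6). Extension 1:
A Linux filesystem consists of three parts: the file name, the inode (which holds the file's metadata), and the block (where the data is actually stored). Windows also consists of these three parts.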
1) View the inode number

    [[email protected] ~]# ls -i anaconda-ks.cfg
    137428 anaconda-ks.cfg

View the file attributes stored in the inode. The stat command shows what the inode contains:

    [[email protected] ~]# stat anaconda-ks.cfg
      File: "anaconda-ks.cfg"
      Size: 1700            Blocks: 8          IO Block: 4096   普通文件
    Device: fd00h/64768d    Inode: 137428      Links: 1
    Access: (0600/-rw-------)  Uid: (    0/    root)   Gid: (    0/    root)
    Access: 2018-09-01 18:01:33.658648102 +0800
    Modify: 2018-03-13 18:29:40.674999889 +0800
    Change: 2018-03-13 18:29:48.813999887 +0800

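2) Block: where the data is actually stored
Why is deleting faster than copying? Because an ordinary deletion is a logical deletion: only the file name is removed. Once new files have taken over the inode and the blocks, the only option left is a professional data recovery company, which retrieves the file through parity checks.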
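(7). Extension 2:
What if the deleted files were on the root filesystem?
Method 1: Cut the power immediately (a normal shutdown writes logs, so this keeps the logs from overwriting the data), then attach the disk read-only to another identical computer and recover the files there.
Method 2: Install extundelete on another identical computer, then copy it to a USB drive. Plug the USB drive into the server and, when recovering, save the recovered files to the USB drive (do not let the recovered data be written to the root filesystem, because that would overwrite the files that were deleted).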
Original article by ItWorker. If you repost it, please credit the source: https://blog.ytso.com/2810.html