简介
在应用 Linux 零碎时,有时候会不小心误删除数据,因为 Linux 零碎也没有与 Windows 零碎下回收站相似的性能,个别会认为该文件将无奈找回。
本文次要以 CentOS7 操作系统为例,介绍如何应用开源工具 Extundelete 疾速复原被误删除掉的数据。
原理
在 Linux 下,基于开源的数据恢复工具有很多,常见的有 debugfs、R-Linux、ext3grep、extundelete 等,比拟罕用的有 ext3grep 和 extundelete,这两个工具的复原原理根本一样,只是 extundelete 性能更加弱小。
Extundelete 是基于 linux 的开源数据恢复软件,可能利用 inode 信息联合日志去查问该 inode 所在的 block 地位,以次来查找和复原所需的数据,该工具最给力的一点就是反对 ext3/ext4 双格局分区复原,基于整个磁盘的复原性能较为弱小。
在数据被误删除后,第一工夫要做的是卸载被删除数据所在的磁盘或磁盘分区。因为将文件删除后,仅仅是将文件的 inode 结点中的扇区指针清零,理论文件还存储在磁盘上,如果磁盘以读写模式挂载,这些已删除的文件的数据块就可能被操作系统重新分配进来,在这些数据块被新的数据笼罩后,这些数据就真的失落了,复原工具也回力无天。所以,以只读模式挂载磁盘能够尽量升高数据块中数据被笼罩的危险,以进步复原数据胜利的几率。
在理论线上复原过程中,切勿将 extundelete 装置到您误删的文件所在硬盘,这样会有肯定几率将须要复原的数据彻底笼罩,切记操作前做好快照备份。
装置依赖包
yum -y install bzip2 e2fsprogs-devel e2fsprogs gcc-c++ make
部署 extundelete 工具
wget http://zy-res.oss-cn-hangzhou.aliyuncs.com/server/extundelete-0.2.4.tar.bz2
tar -xvjf extundelete-0.2.4.tar.bz2
cd extundelete-0.2.4 #进入程序目录
./configure #如下图示意装置胜利
make && make install
默认文件装置在 usr/local/bin
创立文件
[root@ecs-prod-wiki extundelete-0.2.4]# mkdir /testDeleteFile
[root@ecs-prod-wiki extundelete-0.2.4]# cd /testDeleteFile
[root@ecs-prod-wiki testDeleteFile]# touch helloWorld.txt
[root@ecs-prod-wiki testDeleteFile]# echo "hello world" > helloWorld.txt
[root@ecs-prod-wiki testDeleteFile]# cat helloWorld.txt
hello world
记录文件的 md5 值
md5sum helloWorld.txt
6f5902ac237024bdd0c176cb93063dc4 helloWorld.txt
删除文件
[root@ecs-prod-wiki testDeleteFile]# rm helloWorld.txt -f
来到磁盘
[root@ecs-prod-wiki testDeleteFile]# cd
[root@ecs-prod-wiki ~]#
卸载磁盘
完结应用某分区的过程树,保障磁盘没过程应用
[root@ecs-prod-wiki ~]# fuser -k /testDeleteFile/
[root@ecs-prod-wiki ~]#
卸载磁盘
[root@ecs-prod-wiki ~]# umount /dev/vdb
[root@ecs-prod-wiki ~]#
任何的文件复原工具,在应用前,均要将要复原的分区卸载或挂载为只读,避免数据被笼罩应用
应用 Extundelete 工具复原文件
- 查找删除的文件
[root@ecs-prod-wiki ~]# extundelete --inode 2 /dev/vdb
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 160 groups loaded.
Group: 0
Contents of inode 2:
0000 | ed 41 00 00 00 10 00 00 74 bd 89 5c 23 be 89 5c | .A......t..\#..\
0010 | 23 be 89 5c 00 00 00 00 00 00 03 00 08 00 00 00 | #..\............
0020 | 00 00 08 00 0a 00 00 00 0a f3 01 00 04 00 00 00 | ................
0030 | 00 00 00 00 00 00 00 00 01 00 00 00 21 24 00 00 | ............!$..
0040 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0050 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0060 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0070 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0080 | 1c 00 00 00 c8 05 c3 b3 c8 05 c3 b3 ac 60 11 00 | .............`..
0090 | 0a bc 89 5c 00 00 00 00 00 00 00 00 00 00 00 00 | ...\............
00a0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00b0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00c0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00d0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00e0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00f0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
Inode is Allocated
File mode: 16877
Low 16 bits of Owner Uid: 0
Size in bytes: 4096
Access time: 1552530804
Creation time: 1552530979
Modification time: 1552530979
Deletion Time: 0
Low 16 bits of Group Id: 0
Links count: 3
Blocks count: 8
File flags: 524288
File version (for NFS): 0
File ACL: 0
Directory ACL: 0
Fragment address: 0
Direct blocks: 127754, 4, 0, 0, 1, 9249, 0, 0, 0, 0, 0, 0
Indirect block: 0
Double indirect block: 0
Triple indirect block: 0
File name | Inode number | Deleted status
. 2
.. 2
lost+found 11
helloWorld.txt 12 Deleted
为查找某 i 节点中的内容,应用 2 则阐明为整个分区搜寻,如果须要进入目录搜寻,只须要指定目录 I 节点即可。这是能够看到删除的文件名和 inode
- 复原文件
[root@ecs-prod-wiki ~]# /usr/local/bin/extundelete --restore-inode 12 /dev/vdb
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 160 groups loaded.
Loading journal descriptors ... 58 descriptors loaded.
此时会在执行命令的同级目录下呈现 RECOVERED_FILES 目录,查看是否复原。
[root@ecs-prod-wiki ~]# ll RECOVERED_FILES/
总用量 4
-rw-r--r-- 1 root root 12 3 月 14 10:42 file.12
- 通过 md5 值查看文件是否一样
[root@ecs-prod-wiki ~]# md5sum RECOVERED_FILES/file.1
6f5902ac237024bdd0c176cb93063dc4 RECOVERED_FILES/file.12 ## helloWorld.txt 文件的 md5 值请参阅 3.3.4 节,其具体值为: 6f5902ac237024bdd0c176cb93063dc4 helloWorld.txt
–restore-inode 12 # –restore-inode 按指定的 I 节点复原
–extundelete –restore-all # –restore-all 全副复原
原创作者:爱折腾的邦邦
本文由博客群发一文多发等经营工具平台 OpenWrite 公布