乐趣区

关于云计算:Linux恢复删除后数据文件

简介

在应用 Linux 零碎时,有时候会不小心误删除数据,因为 Linux 零碎也没有与 Windows 零碎下回收站相似的性能,个别会认为该文件将无奈找回。
本文次要以 CentOS7 操作系统为例,介绍如何应用开源工具 Extundelete 疾速复原被误删除掉的数据。

原理

在 Linux 下,基于开源的数据恢复工具有很多,常见的有 debugfs、R-Linux、ext3grep、extundelete 等,比拟罕用的有 ext3grep 和 extundelete,这两个工具的复原原理根本一样,只是 extundelete 性能更加弱小。

Extundelete 是基于 linux 的开源数据恢复软件,可能利用 inode 信息联合日志去查问该 inode 所在的 block 地位,以次来查找和复原所需的数据,该工具最给力的一点就是反对 ext3/ext4 双格局分区复原,基于整个磁盘的复原性能较为弱小。

在数据被误删除后,第一工夫要做的是卸载被删除数据所在的磁盘或磁盘分区。因为将文件删除后,仅仅是将文件的 inode 结点中的扇区指针清零,理论文件还存储在磁盘上,如果磁盘以读写模式挂载,这些已删除的文件的数据块就可能被操作系统重新分配进来,在这些数据块被新的数据笼罩后,这些数据就真的失落了,复原工具也回力无天。所以,以只读模式挂载磁盘能够尽量升高数据块中数据被笼罩的危险,以进步复原数据胜利的几率。

在理论线上复原过程中,切勿将 extundelete 装置到您误删的文件所在硬盘,这样会有肯定几率将须要复原的数据彻底笼罩,切记操作前做好快照备份。

装置依赖包

yum -y install  bzip2  e2fsprogs-devel  e2fsprogs  gcc-c++  make

部署 extundelete 工具

wget  http://zy-res.oss-cn-hangzhou.aliyuncs.com/server/extundelete-0.2.4.tar.bz2
tar -xvjf extundelete-0.2.4.tar.bz2
cd extundelete-0.2.4                                #进入程序目录
./configure                                         #如下图示意装置胜利
make && make install

默认文件装置在 usr/local/bin

创立文件

[root@ecs-prod-wiki extundelete-0.2.4]# mkdir /testDeleteFile
[root@ecs-prod-wiki extundelete-0.2.4]# cd /testDeleteFile
[root@ecs-prod-wiki testDeleteFile]#  touch helloWorld.txt
[root@ecs-prod-wiki testDeleteFile]# echo "hello world" > helloWorld.txt
[root@ecs-prod-wiki testDeleteFile]# cat helloWorld.txt
hello world

记录文件的 md5 值

md5sum helloWorld.txt
6f5902ac237024bdd0c176cb93063dc4  helloWorld.txt

删除文件

[root@ecs-prod-wiki testDeleteFile]# rm helloWorld.txt  -f

来到磁盘

[root@ecs-prod-wiki testDeleteFile]# cd
[root@ecs-prod-wiki ~]#

卸载磁盘

完结应用某分区的过程树,保障磁盘没过程应用

[root@ecs-prod-wiki ~]# fuser -k /testDeleteFile/
[root@ecs-prod-wiki ~]#

卸载磁盘

[root@ecs-prod-wiki ~]# umount /dev/vdb
[root@ecs-prod-wiki ~]#

任何的文件复原工具,在应用前,均要将要复原的分区卸载或挂载为只读,避免数据被笼罩应用

应用 Extundelete 工具复原文件

  • 查找删除的文件
[root@ecs-prod-wiki ~]# extundelete --inode 2 /dev/vdb
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 160 groups loaded.
Group: 0
Contents of inode 2:
0000 | ed 41 00 00 00 10 00 00 74 bd 89 5c 23 be 89 5c | .A......t..\#..\
0010 | 23 be 89 5c 00 00 00 00 00 00 03 00 08 00 00 00 | #..\............
0020 | 00 00 08 00 0a 00 00 00 0a f3 01 00 04 00 00 00 | ................
0030 | 00 00 00 00 00 00 00 00 01 00 00 00 21 24 00 00 | ............!$..
0040 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0050 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0060 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0070 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0080 | 1c 00 00 00 c8 05 c3 b3 c8 05 c3 b3 ac 60 11 00 | .............`..
0090 | 0a bc 89 5c 00 00 00 00 00 00 00 00 00 00 00 00 | ...\............
00a0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00b0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00c0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00d0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00e0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00f0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
Inode is Allocated
File mode: 16877
Low 16 bits of Owner Uid: 0
Size in bytes: 4096
Access time: 1552530804
Creation time: 1552530979
Modification time: 1552530979
Deletion Time: 0
Low 16 bits of Group Id: 0
Links count: 3
Blocks count: 8
File flags: 524288
File version (for NFS): 0
File ACL: 0
Directory ACL: 0
Fragment address: 0
Direct blocks: 127754, 4, 0, 0, 1, 9249, 0, 0, 0, 0, 0, 0
Indirect block: 0
Double indirect block: 0
Triple indirect block: 0
File name                                       | Inode number | Deleted status
.                                                 2
..                                                2
lost+found                                        11
helloWorld.txt                                    12             Deleted

为查找某 i 节点中的内容,应用 2 则阐明为整个分区搜寻,如果须要进入目录搜寻,只须要指定目录 I 节点即可。这是能够看到删除的文件名和 inode

  • 复原文件
[root@ecs-prod-wiki ~]# /usr/local/bin/extundelete  --restore-inode 12  /dev/vdb
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 160 groups loaded.
Loading journal descriptors ... 58 descriptors loaded.

此时会在执行命令的同级目录下呈现 RECOVERED_FILES 目录,查看是否复原。

[root@ecs-prod-wiki ~]# ll RECOVERED_FILES/
总用量 4
-rw-r--r-- 1 root root 12 3 月  14 10:42 file.12
  • 通过 md5 值查看文件是否一样
[root@ecs-prod-wiki ~]# md5sum RECOVERED_FILES/file.1
6f5902ac237024bdd0c176cb93063dc4  RECOVERED_FILES/file.12  ## helloWorld.txt 文件的 md5 值请参阅 3.3.4 节,其具体值为:  6f5902ac237024bdd0c176cb93063dc4  helloWorld.txt

–restore-inode 12 # –restore-inode 按指定的 I 节点复原
–extundelete –restore-all # –restore-all 全副复原

原创作者:爱折腾的邦邦

本文由博客群发一文多发等经营工具平台 OpenWrite 公布

退出移动版