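Recovering accidentally deleted files with extundelete

When Linux deletes a file, what it actually removes is the file name; the data itself is still stored on the disk. If you perform no other operations after the accidental deletion (such as creating new files), unmount the disk that holds the data with umount, and only then attempt recovery, the deleted files can be restored with certain tools. This post uses the extundelete file recovery tool as an example:

extundelete is a file recovery tool that supports recovery on both ext3 and ext4 partitions.

Download extundelete from: https://sourceforge.net/projects/extundelete/

Before installing extundelete, install its dependencies: yum install e2fsprogs* -y

rz -y (transfer the extundelete package over from Windows)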

tar jxf extundelete-0.2.4.tar.bz2

cd extundelete-0.2.4

./configure

make 

make install

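extundelete is now installed. Next, we simulate recovering accidentally deleted files.

First, add a disk for testing

Then boot the machine and check that the disk has been detected by the system

Create an ext4 filesystem and mount it at /data: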

mkfs -t ext4 /dev/sdb

mkdir /data

mount /dev/sdb /data/

Write some data into the /data directory

Delete the data in /data: rm -rf /data/*

Unmount the disk with umount /data/ and list the recoverable files with extundelete /dev/sdb --inode 2

[root@liuhui ~]# umount /data/
[root@liuhui ~]# extundelete /dev/sdb --inode 2
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 160 groups loaded.
Group: 0
Contents of inode 2:
0000 | ed 41 00 00 00 10 00 00 28 6a 9c 5b 24 6a 9c 5b | .A......(j.[$j.[
0010 | 24 6a 9c 5b 00 00 00 00 00 00 02 00 08 00 00 00 | $j.[............
0020 | 00 00 00 00 05 00 00 00 21 24 00 00 00 00 00 00 | ........!$......
0030 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0040 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0050 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0060 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0070 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0080 | 1c 00 00 00 68 dc ee 16 68 dc ee 16 44 83 ba de | ....h...h...D...
0090 | 9a 68 9c 5b 00 00 00 00 00 00 00 00 00 00 00 00 | .h.[............
00a0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00b0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00c0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00d0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00e0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00f0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................

Inode is Allocated
File mode: 16877
Low 16 bits of Owner Uid: 0
Size in bytes: 4096
Access time: 1536977448
Creation time: 1536977444
Modification time: 1536977444
Deletion Time: 0
Low 16 bits of Group Id: 0
Links count: 2
Blocks count: 8
File flags: 0
File version (for NFS): 0
File ACL: 0
Directory ACL: 0
Fragment address: 0
Direct blocks: 9249, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
Indirect block: 0
Double indirect block: 0
Triple indirect block: 0

File name | Inode number | Deleted status
. 2
.. 2
lost+found 11 Deleted     
passwd 12 Deleted
test 262145 Deleted

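
Three deleted files were detected

Start recovering the data.

Note: do not run the recovery on the partition where the files were deleted, so that inodes and blocks do not overwrite each other

Taking /data/passwd as an example: extundelete /dev/sdb --restore-file passwd

After a successful recovery, a RECOVERED_FILES directory is created in the current directory; the recovered files can be found in it

passwd can also be restored by inode; from the output of extundelete /dev/sdb --inode 2 above, the inode of passwd is 12

Note: a file restored by inode will have a different name from the original

Use md5sum to check whether RECOVERED_FILES/file.12 is identical to the original configuration file /etc/passwd

The result is the same, which proves the recovery succeeded

To restore all files in /data, use: extundelete /dev/sdb --restore-all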
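
An added example, not from the original post: shell helpers that parse the listing printed by extundelete /dev/sdb --inode 2, refuse to proceed while the device is still mounted, print one restore command per deleted inode, and repeat the md5sum comparison used above. The function names and the sample listing are constructed for illustration; --restore-inode is extundelete's option for restoring by inode number, which the post describes but does not show.

```shell
#!/bin/sh
# Added example (not from the original post): plan inode-based restores.

# Constructed sample of the table printed by `extundelete /dev/sdb --inode 2`.
SAMPLE_LISTING='File name | Inode number | Deleted status
. 2
.. 2
lost+found 11 Deleted
passwd 12 Deleted
test 262145 Deleted'

# Read an extundelete listing on stdin; print "inode name" per Deleted entry.
list_deleted() {
    awk '
        /^File name[ \t]*\|/ { in_table = 1; next }
        in_table && $NF == "Deleted" && $(NF-1) ~ /^[0-9]+$/ {
            inode = $(NF-1)
            name = $0
            sub(/[ \t]+[0-9]+[ \t]+Deleted[ \t]*$/, "", name)
            print inode, name
        }'
}

# Succeed if device $1 is a mount source in table $2 (default /proc/mounts).
# Exact-name match only: a device mounted via another path is not detected.
is_mounted() {
    awk -v dev="$1" '$1 == dev { hit = 1 } END { exit !hit }' "${2:-/proc/mounts}"
}

# Succeed only if both files exist and have identical MD5 digests.
same_md5() {
    [ -f "$1" ] && [ -f "$2" ] || return 2
    [ "$(md5sum < "$1")" = "$(md5sum < "$2")" ]
}

# Print (never run) one restore command per deleted inode read from stdin.
# Refuses while the device is still mounted, as the post requires umount first.
plan_restore() {
    if is_mounted "$1" "${2:-/proc/mounts}"; then
        echo "refusing: $1 is still mounted, umount it first" >&2
        return 1
    fi
    list_deleted | while read -r inode name; do
        printf 'extundelete %s --restore-inode %s   # %s -> RECOVERED_FILES/file.%s\n' \
            "$1" "$inode" "$name" "$inode"
    done
}

# Demo on the constructed listing; /dev/null stands in for an empty mount table.
printf '%s\n' "$SAMPLE_LISTING" | plan_restore /dev/sdb /dev/null
```

Run the printed commands from a directory on a different filesystem than the one being recovered, since RECOVERED_FILES is created in the current directory.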

 

posted @ 2018-09-18 07:06  运维cainiao