Linux中利用extundelete恢复误删除的数据
1.下载:https://sourceforge.net/projects/extundelete/files/latest/download?source=top3_dlp_t5
2.yum -y install e2fsprogs-libs e2fsprogs e2fsprogs-devel gcc gcc-c++ autoconf automake
3.tar jxvf extundelete-0.2.4.tar.bz2
4.cd extundelete-0.2.4
5../configure && make && make install
6.extundelete --help
7.实验:
首先挂载一个新的分区 [root@Virtual Server-100 src]# mkfs.ext4 /dev/sdb1 [root@Virtual Server-100 src]# pwd /usr/local/src/ [root@Virtual Server-100 src]# mkdir test [root@Virtual Server-100 src]# mount /dev/sdb1 test/ [root@Virtual Server-100 src]# cp /etc/passwd test/ [root@Virtual Server-100 src]# cp -r shell/ test/ [root@Virtual Server-100 src]# mkdir test/yhl [root@Virtual Server-100 src]# echo "Welcome to test" > test/yhl/1.txt [root@Virtual Server-100 src]# cd test/ [root@Virtual Server-100 test]# md5sum passwd b182c9886c816aa0b4fc77ca6585d42e passwd [root@Virtual Server-100 test]# md5sum yhl/1.txt eb39646285ff90dd31f24bd9f0a34257 yhl/1.txt [root@Virtual Server-100 test]# ls shell/ yhl/ shell/: 6.sh check_system.sh hanyi.sh if2.sh if4.sh new.sh.bak p_s1.sh root.sh yanse.sh yuhulin.sh yunsuan.sh case.sh chengji.sh if1.sh if3.sh new.sh ppp python.sh test youxi.sh yunsuan-1.sh yhl/: 1.txt [root@Virtual Server-100 test]# rm -rf * 恢复: 1,卸载删除文件的分区 [root@Virtual Server-100 test]# umount /usr/local/src/test/ umount: /usr/local/src/test: device is busy. (In some cases useful info about processes that use the device is found by lsof(8) or fuser(1)) 提示设备忙,用下面方法卸载就可以卸载 [root@Virtual Server-100 test]# fuser -m -v -i -k /usr/local/src/test/ [root@Virtual Server-100 ~]# umount /usr/local/src/test/ 查看能恢复的数据 [root@Virtual Server-100 ~]# extundelete /dev/sdb1 --inode 2 (因为根分区的inode值是2) File name | Inode number | Deleted status . 2 .. 2 shell 130305 Deleted passwd 12 Deleted yhl 1042433 Deleted 首先测试恢复单个文件 [root@Virtual Server-100 ~]# extundelete /dev/sdb1 --restore-file passwd //restore-file表示恢复文件 NOTICE: Extended attributes are not restored. Loading filesystem metadata ... 153 groups loaded. Loading journal descriptors ... 79 descriptors loaded. Successfully restored file passwd [root@Virtual Server-100 ~]# cd RECOVERED_FILES/ //恢复成功之后默认会创建这个文件,恢复的文件在这个目录下面 [root@Virtual Server-100 RECOVERED_FILES]# ls passwd [root@Virtual Server-100 RECOVERED_FILES]# md5sum passwd //进行MD5校验,和删除之前对比是一样的,说明恢复成功 b182c9886c816aa0b4fc77ca6585d42e passwd 测试恢复目录 [root@Virtual Server-100 RECOVERED_FILES]# extundelete /dev/sdb1 --restore-directory /shell NOTICE: Extended attributes are not restored. Loading filesystem metadata ... 153 groups loaded. Loading journal descriptors ... 79 descriptors loaded. Searching for recoverable inodes in directory /shell ... 26 recoverable inodes found. Looking through the directory structure for deleted files ... 5 recoverable inodes still lost. [root@Virtual Server-100 RECOVERED_FILES]# ls passwd RECOVERED_FILES [root@Virtual Server-100 RECOVERED_FILES]# cd RECOVERED_FILES/ [root@Virtual Server-100 RECOVERED_FILES]# ls shell 可以看见这个目录,但是有一个问题是恢复回来的文件权限和之前的发生了变化,需要你重新修改权限(我测试的时候是这样的) 恢复所有数据 [root@Virtual Server-100 shell]# extundelete /dev/sdb1 --restore-all NOTICE: Extended attributes are not restored. Loading filesystem metadata ... 153 groups loaded. Loading journal descriptors ... 79 descriptors loaded. Searching for recoverable inodes in directory / ... 26 recoverable inodes found. Looking through the directory structure for deleted files ... 1 recoverable inodes still lost. [root@Virtual Server-100 shell]# cd RECOVERED_FILES/ [root@Virtual Server-100 RECOVERED_FILES]# ls passwd shell yhl [root@Virtual Server-100 yhl]# ls 1.txt [root@Virtual Server-100 yhl]# cat 1.txt Welcome to test [root@Virtual Server-100 yhl]# md5sum 1.txt eb39646285ff90dd31f24bd9f0a34257 1.txt [root@Virtual Server-100 shell]# du -sh RECOVERED_FILES/* 4.0K RECOVERED_FILES/passwd 96K RECOVERED_FILES/shell 8.0K RECOVERED_FILES/yhl 可以看出,数据恢复成功
首先挂载一个新的分区 [root@Virtual Server-100 src]# mkfs.ext4 /dev/sdb1 [root@Virtual Server-100 src]# pwd/usr/local/src/ [root@Virtual Server-100 src]# mkdir test [root@Virtual Server-100 src]# mount /dev/sdb1 test/ [root@Virtual Server-100 src]# cp /etc/passwd test/ [root@Virtual Server-100 src]# cp -r shell/ test/ [root@Virtual Server-100 src]# mkdir test/yhl [root@Virtual Server-100 src]# echo "Welcome to test" > test/yhl/1.txt [root@Virtual Server-100 src]# cd test/ [root@Virtual Server-100 test]# md5sum passwd b182c9886c816aa0b4fc77ca6585d42e passwd [root@Virtual Server-100 test]# md5sum yhl/1.txt eb39646285ff90dd31f24bd9f0a34257 yhl/1.txt [root@Virtual Server-100 test]# ls shell/ yhl/ shell/: 6.sh check_system.sh hanyi.sh if2.sh if4.sh new.sh.bak p_s1.sh root.sh yanse.sh yuhulin.sh yunsuan.sh case.sh chengji.sh if1.sh if3.sh new.sh ppp python.sh test youxi.sh yunsuan-1.sh yhl/: 1.txt [root@Virtual Server-100 test]# rm -rf * 恢复: 1,卸载删除文件的分区 [root@Virtual Server-100 test]# umount /usr/local/src/test/ umount: /usr/local/src/test: device is busy. (In some cases useful info about processes that use the device is found by lsof(8) or fuser(1)) 提示设备忙,用下面方法卸载就可以卸载 [root@Virtual Server-100 test]# fuser -m -v -i -k /usr/local/src/test/ [root@Virtual Server-100 ~]# umount /usr/local/src/test/ 查看能恢复的数据 [root@Virtual Server-100 ~]# extundelete /dev/sdb1 --inode 2 (因为根分区的inode值是2) File name | Inode number | Deleted status . 2 .. 2 shell 130305 Deleted passwd 12 Deleted yhl 1042433 Deleted 首先测试恢复单个文件 [root@Virtual Server-100 ~]# extundelete /dev/sdb1 --restore-file passwd //restore-file表示恢复文件 NOTICE: Extended attributes are not restored. Loading filesystem metadata ... 153 groups loaded. Loading journal descriptors ... 79 descriptors loaded. Successfully restored file passwd [root@Virtual Server-100 ~]# cd RECOVERED_FILES/ //恢复成功之后默认会创建这个文件,恢复的文件在这个目录下面 [root@Virtual Server-100 RECOVERED_FILES]# ls passwd [root@Virtual Server-100 RECOVERED_FILES]# md5sum passwd //进行MD5校验,和删除之前对比是一样的,说明恢复成功 b182c9886c816aa0b4fc77ca6585d42e passwd 测试恢复目录 [root@Virtual Server-100 RECOVERED_FILES]# extundelete /dev/sdb1 --restore-directory /shell NOTICE: Extended attributes are not restored. Loading filesystem metadata ... 153 groups loaded. Loading journal descriptors ... 79 descriptors loaded. Searching for recoverable inodes in directory /shell ... 26 recoverable inodes found. Looking through the directory structure for deleted files ... 5 recoverable inodes still lost. [root@Virtual Server-100 RECOVERED_FILES]# ls passwd RECOVERED_FILES [root@Virtual Server-100 RECOVERED_FILES]# cd RECOVERED_FILES/ [root@Virtual Server-100 RECOVERED_FILES]# ls shell 可以看见这个目录,但是有一个问题是恢复回来的文件权限和之前的发生了变化,需要你重新修改权限(我测试的时候是这样的) 恢复所有数据 [root@Virtual Server-100 shell]# extundelete /dev/sdb1 --restore-all NOTICE: Extended attributes are not restored. Loading filesystem metadata ... 153 groups loaded. Loading journal descriptors ... 79 descriptors loaded. Searching for recoverable inodes in directory / ... 26 recoverable inodes found. Looking through the directory structure for deleted files ... 1 recoverable inodes still lost. [root@Virtual Server-100 shell]# cd RECOVERED_FILES/ [root@Virtual Server-100 RECOVERED_FILES]# ls passwd shell yhl [root@Virtual Server-100 yhl]# ls1.txt [root@Virtual Server-100 yhl]# cat 1.txt Welcome to test [root@Virtual Server-100 yhl]# md5sum 1.txt eb39646285ff90dd31f24bd9f0a34257 1.txt [root@Virtual Server-100 shell]# du -sh RECOVERED_FILES/*4.0K RECOVERED_FILES/passwd 96K RECOVERED_FILES/shell 8.0K RECOVERED_FILES/yhl 可以看出,数据恢复成功