在Linux系統中,常見的數據恢復工具有extundelete、ext3grep、debugfs和R-Linux等。
extundelete可以恢復Linux下的ext3、ext4文件系統下被誤刪的文件,支持單個文件、單個目錄、inode、block和完整磁盤的恢復等。
一、安裝extundelete
1、下載extundelete
wget https://sourceforge.net/project/platformdownload.php?group_id=260221
2、安裝依賴軟件
[root@www ~]# rpm -qa |grep e2fsprogs*
e2fsprogs-libs-1.41.12-22.el6.x86_64
e2fsprogs-1.41.12-22.el6.x86_64
e2fsprogs-devel-1.41.12-22.el6.x86_6
3、編譯安裝extundelete(編譯過程報錯,需要安裝e2fsprogs-devel軟件包)
[root@www extundelete-0.2.4]# ./configure
Configuring extundelete 0.2.4
configure: error: Can't find ext2fs library
[root@www extundelete-0.2.4]# ./configure
Configuring extundelete 0.2.4
Writing generated files to disk
[root@www extundelete-0.2.4]# make
[root@www extundelete-0.2.4]# make install
Making install in src
/usr/bin/install -c extundelete '/usr/local/bin'
4、查看extundelete幫助信息
[root@www ~]# extundelete --help
Usage: extundelete [options] [--] device-file
Options:
--version, -[vV] Print version and exit successfully.
--help, Print this help and exit successfully.
--superblock Print contents of superblock in addition to the rest.
If no action is specified then this option is implied.
--journal Show content of journal.
--after dtime Only process entries deleted on or after 'dtime'.
--before dtime Only process entries deleted before 'dtime'.
Actions:
--inode ino Show info on inode 'ino'.
--block blk Show info on block 'blk'.
--restore-inode ino[,ino,...]
Restore the file(s) with known inode number 'ino'.
The restored files are created in ./RECOVERED_FILES
with their inode number as extension (ie, file.12345).
--restore-file 'path' Will restore file 'path'. 'path' is relative to root
of the partition and does not start with a '/'
The restored file is created in the current
directory as 'RECOVERED_FILES/path'.
--restore-files 'path' Will restore files which are listed in the file 'path'.
Each filename should be in the same format as an option
to --restore-file, and there should be one per line.
--restore-directory 'path'
Will restore directory 'path'. 'path' is relative to the
root directory of the file system. The restored
directory is created in the output directory as 'path'.
--restore-all Attempts to restore everything.
-j journal Reads an external journal from the named file.
-b blocknumber Uses the backup superblock at blocknumber when opening
the file system.
-B blocksize Uses blocksize as the block size when opening the file
system. The number should be the number of bytes.
--log 0 Make the program silent.
--log filename Logs all messages to filename.
--log D1=0,D2=filename Custom control of log messages with comma-separated
Examples below: list of options. Dn must be one of info, warn, or
--log info,error error. Omission of the '=name' results in messages
--log warn=0 with the specified level to be logged to the console.
--log error=filename If the parameter is '=0', logging for the specified
level will be turned off. If the parameter is
'=filename', messages with that level will be written
to filename.
-o directory Save the recovered files to the named directory.
The restored files are created in a directory
named 'RECOVERED_FILES/' by default.
二、利用extundelete單個文件
恢復前提:需要卸載被誤刪除數據所在的磁盤或分區。
1、查看分區信息,利用/disk1試驗
[root@www ~]# df -Th
Filesystem Type Size Used Avail Use% Mounted on
/dev/sda3 ext4 8.7G 3.5G 4.9G 42% /
tmpfs tmpfs 491M 0 491M 0% /dev/shm
/dev/sda1 ext4 194M 27M 158M 15% /boot
/dev/sdb5 ext4 796M 17M 739M 3% /mnt
/dev/sdb1 ext4 1020M 34M 935M 4% /disk1
2、查看/disk1分區下的數據
[root@www ~]# cd /disk1/
[root@www disk1]# ls
extundelete-0.2.4.tar.bz2 install.log.syslog lost+found passwd test.txt
[root@www disk1]# cat test.txt
11111
[root@www disk1]# md5sum passwd
b65232cd93267437cc2691fb16a8f7ff passwd
[root@www disk1]# md5sum test.txt
fa8f294721ab3fbb37793c68ff2cf09b test.txt
3、刪除/disk1分區下的數據
[root@www disk1]# rm -rf ./*
4、卸載/disk1分區
[root@www disk1]# cd
[root@www ~]# umount /disk1/
5、查詢可恢復的數據,帶有Deleted標記的表示已經刪除的文件
[root@www ~]# extundelete /dev/sdb1 --inode 2
......
File name | Inode number | Deleted status
. 2
.. 2
lost+found 11 Deleted
test.txt 12 Deleted
install.log.syslog 13 Deleted
extundelete-0.2.4.tar.bz2 14 Deleted
passwd 15 Deleted
6、恢復刪除的文件
[root@www ~]# extundelete /dev/sdb1 --restore-file test.txt
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 9 groups loaded.
Loading journal descriptors ... 54 descriptors loaded.
Successfully restored file test.txt
[root@www ~]# extundelete /dev/sdb1 --restore-file passwd
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 9 groups loaded.
Loading journal descriptors ... 54 descriptors loaded.
Successfully restored file passwd
[root@www ~]# extundelete /dev/sdb1 --restore-file extundelete-0.2.4.tar.bz2
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 9 groups loaded.
Loading journal descriptors ... 54 descriptors loaded.
Successfully restored file extundelete-0.2.4.tar.bz2
恢復過程中,extundelete會在當前目錄下生成一個存放恢復後文件的存放目錄RECOVERED_FILES
--restore-file參數說明:指定文件的存儲路徑,如果原文件的存儲路徑爲/disk1/data/test.txt,則在參數後指定data/test.txt即可。
[root@www ~]# ls RECOVERED_FILES/
extundelete-0.2.4.tar.bz2 passwd test.txt
[root@www ~]# cat RECOVERED_FILES/test.txt
11111
[root@www ~]# md5sum RECOVERED_FILES/test.txt //md5校驗結果
fa8f294721ab3fbb37793c68ff2cf09b RECOVERED_FILES/test.txt
三、恢復單個目錄
1、創建測試目錄
[root@www ~]# mount /dev/sdb1 /disk1/
[root@www disk1]# mkdir dir1
[root@www disk1]# cp /etc/passwd dir1/passwd
2、刪除目錄,並卸載分區
[root@www disk1]# cd
[root@www ~]# rm -rf /disk1/*
[root@www ~]# umount /dev/sdb1
3、恢復目錄
[root@www ~]# extundelete /dev/sdb1 --inode 2
......
File name | Inode number | Deleted status
. 2
.. 2
dir1 11 Deleted
test.txt 12 Deleted
install.log.syslog 13 Deleted
extundelete-0.2.4.tar.bz2 14 Deleted
passwd 15 Deleted
[root@www ~]# extundelete /dev/sdb1 --restore-directory /dir1
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 9 groups loaded.
Loading journal descriptors ... 51 descriptors loaded.
Searching for recoverable inodes in directory /dir1 ...
5 recoverable inodes found.
Looking through the directory structure for deleted files ...
4 recoverable inodes still lost.
[root@www ~]# ll RECOVERED_FILES/dir1/passwd
-rw-r--r-- 1 root root 2213 Dec 28 15:23 RECOVERED_FILES/dir1/passwd
四、恢復所有誤刪的數據
[root@www ~]# extundelete /dev/sdb1 --restore-all
[root@www ~]# ls RECOVERED_FILES/
dir1 extundelete-0.2.4.tar.bz2 install.log.syslog passwd
五、恢復某個時間段的數據
指定參數--before和--after
[root@www ~]# extundelete --before 1451288304 --restore-all /dev/sdb1
Only show and process deleted entries if they are deleted before 1451288304.
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 9 groups loaded.
Loading journal descriptors ... 54 descriptors loaded.
Searching for recoverable inodes in directory / ...
5 recoverable inodes found.
Looking through the directory structure for deleted files ...
0 recoverable inodes still lost.
[root@www ~]# ls RECOVERED_FILES/
extundelete-0.2.4.tar.bz2 install.log.syslog passwd passwd.v1 test.txt