extundelete——linux下誤刪文件的恢復

extundelete——linux下誤刪文件的恢復

環境：vmware workstation 10

[root@localhost ~]# /etc/init.d/iptables stop   #關閉iptables
[root@localhost ~]# getenforce 0                #關閉selinux
Disabled
[root@localhost ~]# ping www.baidu.com          #確認虛擬可以上外網方便wget 
PING www.a.shifen.com (115.239.211.112) 56(84) bytes of data.
64 bytes from 115.239.211.112: icmp_seq=1 ttl=54 time=7.11 ms
64 bytes from 115.239.211.112: icmp_seq=2 ttl=54 time=7.27 ms
64 bytes from 115.239.211.112: icmp_seq=3 ttl=54 time=7.70 ms

[root@localhost ~]# yum install e2fsprogs* -y        #安裝extundelete依賴軟件包

[root@localhost ~]# wget http://nchc.dl.sourceforge.net/project/extundelete/extundelete/0.2.4/extundelete-0.2.4.tar.bz2                         #下載extundelete軟件包

[root@localhost ~]# tar xvf extundelete-0.2.4.tar.bz2   #解壓包

 
[root@localhost ~]# cd extundelete-0.2.4/              
[root@localhost extundelete-0.2.4]# ./configure --prefix=/usr/local/extundelete #編譯
[root@localhost extundelete-0.2.4]# make&&make install        #編譯安裝

[root@localhost extundelete-0.2.4]# ln -s /usr/local/extundelete/bin/extundelete /usr/bin/                                                      #新建軟連接，方便書寫。

[root@localhost extundelete-0.2.4]# extundelete -v     #驗證安裝是否成功

extundelete version 0.2.4

libext2fs version 1.41.12

Processor is little endian.

--------------至此extundelete編譯安裝完成，下面就是模擬數據丟失恢復的過程------------------

[root@localhost ~]# fdisk -l /dev/sdb  #這塊磁盤是我準用來試驗的，對分區格式化文件系統

Disk /dev/sdb: 16.1 GB, 16106127360 bytes

255 heads, 63 sectors/track, 1958 cylinders

Units = cylinders of 16065 * 512 = 8225280 bytes

Sector size (logical/physical): 512 bytes / 512 bytes

I/O size (minimum/optimal): 512 bytes / 512 bytes

Disk identifier: 0x00000000

Disk /dev/sdb doesn't contain a valid partition table

  

[root@localhost ~]# fdisk  /dev/sdb          #分區，這裏就分一個分區了。

[root@localhost ~]# mkfs.ext4 /dev/sdb1      #格式化文件系統

[root@localhost ~]# mkdir /data              
[root@localhost ~]# mount /dev/sdb1 /data/     #掛載磁盤
[root@localhost ~]# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/VolGroup-lv_root
                      7.5G  1.3G  5.8G  19% /
tmpfs                 167M     0  167M   0% /dev/shm
/dev/sda1             485M   31M  429M   7% /boot
/dev/sr0              3.4G  3.4G     0 100% /iso
/dev/sdb1              15G  166M   14G   2% /data

[root@localhost ~]# cd /data/

[root@localhost data]# cp /boot/. . -rvf    #拷貝些數據文件過來。。

`/boot/./.vmlinuz-2.6.32-220.el6.x86_64.hmac' -> `././.vmlinuz-2.6.32-220.el6.x86_64.hmac'
`/boot/./System.map-2.6.32-220.el6.x86_64' -> `././System.map-2.6.32-220.el6.x86_64'
`/boot/./symvers-2.6.32-220.el6.x86_64.gz' -> `././symvers-2.6.32-220.el6.x86_64.gz'
......

[root@localhost data]# ls
config-2.6.32-220.el6.x86_64  initramfs-2.6.32-220.el6.x86_64.img  System.map-2.6.32-220.el6.x86_64
efi                           lost+found                           vmlinuz-2.6.32-220.el6.x86_64
grub                          symvers-2.6.32-220.el6.x86_64.gz
[root@localhost data]# rm -rf *        #模擬數據全部誤刪  
[root@localhost data]# ls 
[root@localhost data]#

[root@localhost ~]# umount /data/     #誤刪文件後首先卸載磁盤
[root@localhost ~]# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/VolGroup-lv_root
                      7.5G  1.3G  5.8G  19% /
tmpfs                 167M     0  167M   0% /dev/shm
/dev/sda1             485M   31M  429M   7% /boot
/dev/sr0              3.4G  3.4G     0 100% /iso

/dev/sr0              3.4G  3.4G     0 100% /iso

[root@localhost ~]# extundelete /dev/sdb1 --inode 2 一般一個分區掛載到一個目錄下時，這個”根”目錄的inode值爲2，我們爲了查看根目錄所有文件，所以查看分區inode爲2的這個部分

NOTICE: Extended attributes are not restored.

Loading filesystem metadata ... 120 groups loaded.

Group: 0

Contents of inode 2:

0000 | ed 41 00 00 00 10 00 00 f9 74 7c 54 f4 74 7c 54 | .A.......t|T.t|T

0010 | f4 74 7c 54 00 00 00 00 00 00 02 00 08 00 00 00 | .t|T............

0020 | 00 00 00 00 10 00 00 00 e1 23 00 00 00 00 00 00 | .........#......

0030 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................

0040 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................

0050 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................

0060 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................

0070 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................

0080 | 1c 00 00 00 c8 80 67 7e c8 80 67 7e cc e6 87 38 | ......g~..g~...8

0090 | 3d 73 7c 54 00 00 00 00 00 00 00 00 00 00 00 00 | =s|T............

00a0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................

00b0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................

00c0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................

00d0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................

00e0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................

00f0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................

Inode is Allocated

File mode: 16877

Low 16 bits of Owner Uid: 0

Size in bytes: 4096

Access time: 1417442553

Creation time: 1417442548

Modification time: 1417442548

Deletion Time: 0

Low 16 bits of Group Id: 0

Links count: 2

Blocks count: 8

File flags: 0

File version (for NFS): 0

File ACL: 0

Directory ACL: 0

Fragment address: 0

Direct blocks: 9185, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0

Indirect block: 0

Double indirect block: 0

Triple indirect block: 0

File name                                       | Inode number | Deleted status

.                                                 2

..                                                2

lost+found                                        11             Deleted

.vmlinuz-2.6.32-220.el6.x86_64.hmac               12

System.map-2.6.32-220.el6.x86_64                  13             Deleted

symvers-2.6.32-220.el6.x86_64.gz                  14             Deleted

initramfs-2.6.32-220.el6.x86_64.img               15             Deleted

grub                                              786433         Deleted

vmlinuz-2.6.32-220.el6.x86_64                     16             Deleted

efi                                               262145         Deleted

config-2.6.32-220.el6.x86_64                      17             Deleted

注:標記爲”Deleted”的文件則是被刪除的文件

[root@localhost ~]# extundelete /dev/sdb1 --restore-file vmlinuz-2.6.32-220.el6.x86_64
                                           #恢復指定的誤刪文件
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 120 groups loaded.
Loading journal descriptors ... 48 descriptors loaded.
Successfully restored file vmlinuz-2.6.32-220.el6.x86_64

[root@localhost ~]# cd RECOVERED_FILES/  #這個目錄會在當前目錄下自動生成，裏面是我們恢復的文件
[root@localhost RECOVERED_FILES]# ls        #恢復成功
vmlinuz-2.6.32-220.el6.x86_64

[root@localhost ~]# extundelete /dev/sdb1 --restore-all #恢復誤刪分區的所有文件
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 120 groups loaded.
Loading journal descriptors ... 48 descriptors loaded.
Searching for recoverable inodes in directory / ... 
26 recoverable inodes found.
Looking through the directory structure for deleted files ... 
0 recoverable inodes still lost.

[root@localhost ~]# cd RECOVERED_FILES/ 
[root@localhost RECOVERED_FILES]# ls    #恢復成功
config-2.6.32-220.el6.x86_64  initramfs-2.6.32-220.el6.x86_64.img  vmlinuz-2.6.32-220.el6.x86_64
efi                           symvers-2.6.32-220.el6.x86_64.gz     vmlinuz-2.6.32-220.el6.x86_64.v1
grub                          System.map-2.6.32-220.el6.x86_64

注意：之前指定恢復的文件vmlinux-2.6.32-220.el6.x86_64不會被完全恢復後覆蓋，而是重名爲*.v1了

--------------------恢復完成，下面驗證恢復後的文件和源文件是否一致-------------------------

[root@localhost ~]# md5sum /boot/vmlinuz-2.6.32-220.el6.x86_64 
8d62ea19875a0f514d717fa251e5315c  /boot/vmlinuz-2.6.32-220.el6.x86_64
[root@localhost ~]# md5sum RECOVERED_FILES/vmlinuz-2.6.32-220.el6.x86_64.v1 
8d62ea19875a0f514d717fa251e5315c  RECOVERED_FILES/vmlinuz-2.6.32-220.el6.x86_64.v1
[root@localhost ~]# md5sum RECOVERED_FILES/vmlinuz-2.6.32-220.el6.x86_64
8d62ea19875a0f514d717fa251e5315c  RECOVERED_FILES/vmlinuz-2.6.32-220.el6.x86_64

注：兩次恢復後的文件md5值和源文件相同說明恢復成功。