On Linux, extundelete is a commonly used tool for recovering deleted files. It supports ext3 and ext4 file systems.
1 Installing extundelete (never install it on the partition that held the deleted files)
Before installing extundelete, make sure e2fsprogs, e2fsprogs-libs and e2fsprogs-devel are installed on the system.
yum install e2fsprogs e2fsprogs-libs e2fsprogs-devel -y
Download the source package from the extundelete website, http://extundelete.sourceforge.net/. The latest version is 0.2.4.
wget http://nchc.dl.sourceforge.net/project/extundelete/extundelete/0.2.4/extundelete-0.2.4.tar.bz2
Compile and install it. If you run into problems during installation, go into the extracted directory and read the README file carefully.
tar xjf extundelete-0.2.4.tar.bz2
cd extundelete-0.2.4
./configure
make && make install
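2 Using extundelete
The --help option lists the command's parameters in detail.
Once data has been deleted, do not write anything more to the disk that held the files, and unmount the partition that held the deleted data. If it is the root partition, boot into single-user mode and remount the root partition read-only.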
umount /dev/partition
mount -o remount,ro /dev/partition
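Set up a test environment: a new disk, sdb, was added, partitioned, and mounted at /delete. Create four test cases under /delete:
1 An empty directory
2 An empty file
3 A directory containing a file
4 A file with content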
[root@localhost delete]# mkdir p
[root@localhost delete]# touch p
[root@localhost delete]# vi p1.txt
[root@localhost delete]# mkdir p1
[root@localhost delete]# cd p1
[root@localhost p1]# vi p2.txt
[root@localhost p1]# cd ..
Then delete them:
rm -rf *
Unmount the partition. The extundelete command can then show what recoverable data the partition holds.
[root@localhost ~]# mount
/dev/mapper/VolGroup-lv_root on / type ext4 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
tmpfs on /dev/shm type tmpfs (rw,rootcontext="system_u:object_r:tmpfs_t:s0")
/dev/sda1 on /boot type ext4 (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
/dev/sdb on /delete type ext4 (rw)
[root@localhost ~]# umount /dev/sdb /delete/
[root@localhost ~]# mount
/dev/mapper/VolGroup-lv_root on / type ext4 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
tmpfs on /dev/shm type tmpfs (rw,rootcontext="system_u:object_r:tmpfs_t:s0")
/dev/sda1 on /boot type ext4 (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
Run the following command to see which files on the partition can be recovered:
[root@localhost ~]# extundelete /dev/sdb --inode 2
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 64 groups loaded.
Group: 0
Contents of inode 2:
0000 | ed 41 00 00 00 10 00 00 a1 a2 d6 56 a0 a2 d6 56 | .A.........V...V
0010 | a0 a2 d6 56 00 00 00 00 00 00 02 00 08 00 00 00 | ...V............
0020 | 00 00 00 00 17 00 00 00 21 22 00 00 00 00 00 00 | ........!"......
0030 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0040 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0050 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0060 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0070 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0080 | 1c 00 00 00 4c c1 15 de 4c c1 15 de 40 7a 87 e9 | ....L...L...@z..
0090 | 1a 0d d5 56 00 00 00 00 00 00 00 00 00 00 00 00 | ...V............
00a0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00b0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00c0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00d0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00e0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00f0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
Inode is Allocated
File mode: 16877
Low 16 bits of Owner Uid: 0
Size in bytes: 4096
Access time: 1456906913
Creation time: 1456906912
Modification time: 1456906912
Deletion Time: 0
Low 16 bits of Group Id: 0
Links count: 2
Blocks count: 8
File flags: 0
File version (for NFS): 0
File ACL: 0
Directory ACL: 0
Fragment address: 0
Direct blocks: 8737, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
Indirect block: 0
Double indirect block: 0
Triple indirect block: 0
File name                                       | Inode number | Deleted status
.                                                 2
..                                                2
lost+found                                        11             Deleted
p                                                 131073         Deleted
p1                                                393217         Deleted
p1.txt
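The fields extundelete prints under the hex dump can be read straight out of the dump itself. The following is an added example, not part of the original post or of extundelete: it decodes rows 0000-0020 of the inode 2 dump above using the little-endian ext2/3/4 on-disk inode layout, and the function and variable names are illustrative.

```python
import stat
import struct
from datetime import datetime, timezone

# Rows 0000-0020 (first 48 bytes) of the inode 2 dump in the output above.
INODE2_HEX = (
    "ed 41 00 00 00 10 00 00 a1 a2 d6 56 a0 a2 d6 56 "
    "a0 a2 d6 56 00 00 00 00 00 00 02 00 08 00 00 00 "
    "00 00 00 00 17 00 00 00 21 22 00 00 00 00 00 00"
)

# Little-endian layout of the first 40 bytes of an ext2/3/4 on-disk inode.
_HEAD = struct.Struct("<HHIIIIIHHIII")
_FIELDS = ("mode", "uid_lo", "size_lo", "atime", "ctime", "mtime", "dtime",
           "gid_lo", "links", "blocks", "flags", "osd1")


def parse_inode_head(raw: bytes) -> dict:
    """Decode the fixed header fields and the first i_block slot."""
    if len(raw) < _HEAD.size + 4:
        raise ValueError("need at least 44 bytes of inode data")
    inode = dict(zip(_FIELDS, _HEAD.unpack_from(raw)))
    # i_block[] starts right after the header; slot 0 is the first direct block.
    (inode["block0"],) = struct.unpack_from("<I", raw, _HEAD.size)
    mode = inode["mode"]
    if stat.S_ISDIR(mode):
        inode["type"] = "directory"
    elif stat.S_ISREG(mode):
        inode["type"] = "regular file"
    else:
        inode["type"] = "other"
    inode["perms"] = oct(stat.S_IMODE(mode))
    # dtime is what extundelete prints as "Deletion Time"; 0 means not deleted.
    inode["deleted"] = inode["dtime"] != 0
    return inode


def utc(ts: int) -> str:
    """Render an inode timestamp (seconds since the epoch) as ISO 8601 UTC."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


if __name__ == "__main__":
    ino = parse_inode_head(bytes.fromhex(INODE2_HEX))
    for key in ("type", "perms", "size_lo", "links", "blocks", "block0", "deleted"):
        print(f"{key:8} {ino[key]}")
    for key in ("atime", "ctime", "mtime"):
        print(f"{key:8} {ino[key]} ({utc(ino[key])})")
```

The value extundelete labels "Creation time" is the inode's ctime field (bytes 12-15), which records the last inode change.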
Then restore either the whole partition or individual files.
Restore a file by inode:
extundelete /dev/sdb --restore-inode 393217
Restore by file name:
extundelete /dev/sdb --restore-file p1.txt
Restore a whole directory:
extundelete /dev/sdb --restore-directory /p
Restore all deleted files on the partition:
extundelete /dev/sdb --restore-all
Recovered files are written to a RECOVERED_FILES directory that extundelete creates under the current directory.
[root@localhost ~]# extundelete /dev/sdb --restore-all
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 64 groups loaded.
Loading journal descriptors ... 61 descriptors loaded.
Searching for recoverable inodes in directory / ...
5 recoverable inodes found.
Looking through the directory structure for deleted files ...
0 recoverable inodes still lost.
[root@localhost ~]# ls
anaconda-ks.cfg  install.log  install.log.syslog  RECOVERED_FILES
[root@localhost ~]# cd RECOVERED_FILES/
[root@localhost RECOVERED_FILES]# ls
p1  p1.txt
[root@localhost RECOVERED_FILES]# tree
.
├── p1
│   └── p2.txt
└── p1.txt
As the output shows, neither the empty directory nor the empty file could be recovered.