（Ext3，Ext4格式）Linux文件誤刪恢復

今天給大家介紹一個文件誤刪恢復的軟件，extundelete，注意此軟件只支持ext3或ext4文件系統，對ext4恢復率很高。

先說一下Linux文件系統的組成：由 文件名，inode，block 組成

data.txt                -->inode                                 -->block

文件名               存放文件的元數據信息             真正存放的數據

查看inode號：每一個文件都有一個inode號

#ls -i data.txt

1320208 data.txt

# stat data.txt 
  File: "data.txt"
  Size: 0             Blocks: 0          IO Block: 4096   普通空文件
Device: fb00h/64256d    Inode: 1320208     Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2020-04-26 22:26:15.971286718 +0800
Modify: 2020-04-26 22:26:15.971286718 +0800
Change: 2020-04-26 22:26:15.971286718 +0800

------------------------------------------------------------------------------------------

誤刪除文件後，第一件事需要做什麼？就是卸載需要恢復文件的分區或者以只讀的方式掛載：

mount -o remount,ro /data

開始實驗

軟件準備，可以去百度下載extundelete，找不到網盤裏有

鏈接：https://pan.baidu.com/s/1H88pcoA1N92t9SUbzYr2Cg 提取碼：lokx

源碼安裝extundelete

tar jxvf extundelete-0.2.4.tar.bz2

cd extundelete-0.2.4

yum install -y e2fsprogs-devel gcc*

./configure

make

make install

 

準備新加一塊盤，分區後，格式化爲ext4系統，創建文件夾並掛載

[root@oracle ~]# mkfs.ext4 /dev/sdb1
mke2fs 1.43-WIP (20-Jun-2013)
文件系統標籤=
OS type: Linux
塊大小=4096 (log=2)
分塊大小=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
131072 inodes, 524112 blocks
26205 blocks (5.00%) reserved for the super user
第一個數據塊=0
Maximum filesystem blocks=536870912
16 block groups
32768 blocks per group, 32768 fragments per group
8192 inodes per group
Superblock backups stored on blocks: 
	32768, 98304, 163840, 229376, 294912

Allocating group tables: 完成                            
正在寫入inode表: 完成                            
Creating journal (8192 blocks): 完成
Writing superblocks and filesystem accounting information: 完成 

[root@oracle ~]# mkdir /data;mount /dev/sdb1 /data

1.在/data目錄下添加一些測試文件

[root@oracle ~]#  cp /var/log/boot.log  /var/log/yum.log  /data/

[root@oracle ~]# mkdir -p /data/AA/BB/CC
[root@oracle ~]# touch /data/AA/A
[root@oracle ~]# touch /data/AA/BB/B
[root@oracle ~]# touch /data/AA/BB/CC/C

[root@oracle ~]# echo "This is disk test" >/data/data.txt

2.模擬刪除誤操作

[root@oracle data]# rm -rf /data/*

3.通過inode節點查看被刪除的文件

[root@oracle ~]# extundelete /dev/sdb1  --inode 2
NOTICE: Extended attributes are not restored.
WARNING: EXT3_FEATURE_INCOMPAT_RECOVER is set.
The partition should be unmounted to undelete any files without further data loss.
If the partition is not currently mounted, this message indicates 
it was improperly unmounted, and you should run fsck before continuing.
If you decide to continue, extundelete may overwrite some of the deleted
files and make recovering those files impossible.  You should unmount the
file system and check it with fsck before using extundelete.
Would you like to continue? (y/n) 
y
Loading filesystem metadata ... 16 groups loaded.
Group: 0
Contents of inode 2:
0000 | ed 41 00 00 00 10 00 00 a2 ac a5 5e a2 ac a5 5e | .A.........^...^
0010 | a2 ac a5 5e 00 00 00 00 00 00 02 00 08 00 00 00 | ...^............
0020 | 00 00 08 00 09 00 00 00 0a f3 01 00 04 00 00 00 | ................
0030 | 00 00 00 00 00 00 00 00 01 00 00 00 a1 20 00 00 | ............. ..
0040 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0050 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0060 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0070 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0080 | 1c 00 00 00 a4 a7 9b db a4 a7 9b db a4 95 21 db | ..............!.
0090 | c6 aa a5 5e 00 00 00 00 00 00 00 00 00 00 00 00 | ...^............
00a0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00b0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00c0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00d0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00e0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00f0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................

Inode is Allocated
File mode: 16877
Low 16 bits of Owner Uid: 0
Size in bytes: 4096
Access time: 1587915938
Creation time: 1587915938
Modification time: 1587915938
Deletion Time: 0
Low 16 bits of Group Id: 0
Links count: 2
Blocks count: 8
File flags: 524288
File version (for NFS): 0
File ACL: 0
Directory ACL: 0
Fragment address: 0
Direct blocks: 127754, 4, 0, 0, 1, 8353, 0, 0, 0, 0, 0, 0
Indirect block: 0
Double indirect block: 0
Triple indirect block: 0

File name                                       | Inode number | Deleted status
.                                                 2
..                                                2
lost+found                                        11             Deleted
boot.log                                          12             Deleted
yum.log                                           13             Deleted
AA                                                8193           Deleted
data.txt                                          19             Deleted

注意：ext4文件系統的分區根目錄的inode值爲2，xfs分區根目錄的inode值爲64

4.恢復

<1>通過inode節點恢復

[root@oracle ~]# extundelete  /dev/sdb1  --restore-inode 19
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 16 groups loaded.
Loading journal descriptors ... 58 descriptors loaded.
[root@oracle ~]# ls
anaconda-ks.cfg  extundelete-0.2.4          install.log         RECOVERED_FILES  模板  圖片  下載  桌面
data.txt         extundelete-0.2.4.tar.bz2  install.log.syslog  公共的           視頻  文檔  音樂
[root@oracle ~]# cd RECOVERED_FILES/
[root@oracle RECOVERED_FILES]# ls
file.19
[root@oracle RECOVERED_FILES]# cat file.19 
This is disk test

<2>通過文件名恢復

[root@oracle ~]# extundelete  /dev/sdb1  --restore-file yum.log
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 16 groups loaded.
Loading journal descriptors ... 58 descriptors loaded.
Successfully restored file yum.log
[root@oracle ~]# ls RECOVERED_FILES/
file.19  yum.log
[root@oracle ~]# diff /var/log/yum.log  RECOVERED_FILES/yum.log 
[root@oracle ~]# cat RECOVERED_FILES/yum.log 
Apr 26 18:00:48 Installed: lrzsz-0.12.20-27.1.el6.x86_64
Apr 26 18:08:56 Installed: libgnat-4.4.7-18.el6.x86_64
Apr 26 18:08:59 Installed: libgnat-devel-4.4.7-18.el6.x86_64
Apr 26 18:09:00 Installed: java-1.5.0-gcj-1.5.0.0-29.1.el6.x86_64
Apr 26 18:09:00 Installed: 1:java_cup-0.10k-5.el6.x86_64
Apr 26 18:09:01 Installed: sinjdoc-0.5-9.1.el6.x86_64
Apr 26 18:09:02 Installed: 1:ecj-4.5.2-3.el6.x86_64
Apr 26 18:09:02 Installed: zlib-devel-1.2.3-29.el6.x86_64
Apr 26 18:09:04 Installed: libgcj-devel-4.4.7-18.el6.x86_64
Apr 26 18:09:04 Installed: libcom_err-devel-1.42.8-1.0.3.el6.x86_64
Apr 26 18:09:05 Installed: libobjc-4.4.7-18.el6.x86_64
Apr 26 18:09:06 Installed: gcc-objc-4.4.7-18.el6.x86_64
Apr 26 18:09:07 Installed: gcc-objc++-4.4.7-18.el6.x86_64
Apr 26 18:09:07 Installed: e2fsprogs-devel-1.42.8-1.0.3.el6.x86_64
Apr 26 18:09:08 Installed: gcc-java-4.4.7-18.el6.x86_64
Apr 26 18:09:10 Installed: gcc-gnat-4.4.7-18.el6.x86_64
<3>通過目錄恢復

[root@oracle ~]# extundelete  /dev/sdb1   --restore-directory AA
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 16 groups loaded.
Loading journal descriptors ... 58 descriptors loaded.
Searching for recoverable inodes in directory AA ... 
7 recoverable inodes found.
Looking through the directory structure for deleted files ... 
5 recoverable inodes still lost.
[root@oracle ~]# ls RECOVERED_FILES/
AA  file.19  yum.log
<4>恢復所有文件

[root@oracle ~]#  extundelete /dev/sdb1 --restore-all
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 16 groups loaded.
Loading journal descriptors ... 58 descriptors loaded.
Searching for recoverable inodes in directory / ... 
7 recoverable inodes found.
Looking through the directory structure for deleted files ... 
0 recoverable inodes still lost.
[root@oracle ~]# ls RECOVERED_FILES/
AA  boot.log  data.txt  file.19  yum.log  yum.log.v1

PS:extundelete在恢復文件的時候不能自動創建空文件和目錄