（Ext3，Ext4格式）Linux文件误删恢复

今天给大家介绍一个文件误删恢复的软件，extundelete，注意此软件只支持ext3或ext4文件系统，对ext4恢复率很高。

先说一下Linux文件系统的组成：由 文件名，inode，block 组成

data.txt                -->inode                                 -->block

文件名               存放文件的元数据信息             真正存放的数据

查看inode号：每一个文件都有一个inode号

#ls -i data.txt

1320208 data.txt

# stat data.txt 
  File: "data.txt"
  Size: 0             Blocks: 0          IO Block: 4096   普通空文件
Device: fb00h/64256d    Inode: 1320208     Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2020-04-26 22:26:15.971286718 +0800
Modify: 2020-04-26 22:26:15.971286718 +0800
Change: 2020-04-26 22:26:15.971286718 +0800

------------------------------------------------------------------------------------------

误删除文件后，第一件事需要做什么？就是卸载需要恢复文件的分区或者以只读的方式挂载：

mount -o remount,ro /data

开始实验

软件准备，可以去百度下载extundelete，找不到网盘里有

链接：https://pan.baidu.com/s/1H88pcoA1N92t9SUbzYr2Cg 提取码：lokx

源码安装extundelete

tar jxvf extundelete-0.2.4.tar.bz2

cd extundelete-0.2.4

yum install -y e2fsprogs-devel gcc*

./configure

make

make install

 

准备新加一块盘，分区后，格式化为ext4系统，创建文件夹并挂载

[root@oracle ~]# mkfs.ext4 /dev/sdb1
mke2fs 1.43-WIP (20-Jun-2013)
文件系统标签=
OS type: Linux
块大小=4096 (log=2)
分块大小=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
131072 inodes, 524112 blocks
26205 blocks (5.00%) reserved for the super user
第一个数据块=0
Maximum filesystem blocks=536870912
16 block groups
32768 blocks per group, 32768 fragments per group
8192 inodes per group
Superblock backups stored on blocks: 
	32768, 98304, 163840, 229376, 294912

Allocating group tables: 完成                            
正在写入inode表: 完成                            
Creating journal (8192 blocks): 完成
Writing superblocks and filesystem accounting information: 完成 

[root@oracle ~]# mkdir /data;mount /dev/sdb1 /data

1.在/data目录下添加一些测试文件

[root@oracle ~]#  cp /var/log/boot.log  /var/log/yum.log  /data/

[root@oracle ~]# mkdir -p /data/AA/BB/CC
[root@oracle ~]# touch /data/AA/A
[root@oracle ~]# touch /data/AA/BB/B
[root@oracle ~]# touch /data/AA/BB/CC/C

[root@oracle ~]# echo "This is disk test" >/data/data.txt

2.模拟删除误操作

[root@oracle data]# rm -rf /data/*

3.通过inode节点查看被删除的文件

[root@oracle ~]# extundelete /dev/sdb1  --inode 2
NOTICE: Extended attributes are not restored.
WARNING: EXT3_FEATURE_INCOMPAT_RECOVER is set.
The partition should be unmounted to undelete any files without further data loss.
If the partition is not currently mounted, this message indicates 
it was improperly unmounted, and you should run fsck before continuing.
If you decide to continue, extundelete may overwrite some of the deleted
files and make recovering those files impossible.  You should unmount the
file system and check it with fsck before using extundelete.
Would you like to continue? (y/n) 
y
Loading filesystem metadata ... 16 groups loaded.
Group: 0
Contents of inode 2:
0000 | ed 41 00 00 00 10 00 00 a2 ac a5 5e a2 ac a5 5e | .A.........^...^
0010 | a2 ac a5 5e 00 00 00 00 00 00 02 00 08 00 00 00 | ...^............
0020 | 00 00 08 00 09 00 00 00 0a f3 01 00 04 00 00 00 | ................
0030 | 00 00 00 00 00 00 00 00 01 00 00 00 a1 20 00 00 | ............. ..
0040 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0050 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0060 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0070 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0080 | 1c 00 00 00 a4 a7 9b db a4 a7 9b db a4 95 21 db | ..............!.
0090 | c6 aa a5 5e 00 00 00 00 00 00 00 00 00 00 00 00 | ...^............
00a0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00b0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00c0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00d0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00e0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00f0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................

Inode is Allocated
File mode: 16877
Low 16 bits of Owner Uid: 0
Size in bytes: 4096
Access time: 1587915938
Creation time: 1587915938
Modification time: 1587915938
Deletion Time: 0
Low 16 bits of Group Id: 0
Links count: 2
Blocks count: 8
File flags: 524288
File version (for NFS): 0
File ACL: 0
Directory ACL: 0
Fragment address: 0
Direct blocks: 127754, 4, 0, 0, 1, 8353, 0, 0, 0, 0, 0, 0
Indirect block: 0
Double indirect block: 0
Triple indirect block: 0

File name                                       | Inode number | Deleted status
.                                                 2
..                                                2
lost+found                                        11             Deleted
boot.log                                          12             Deleted
yum.log                                           13             Deleted
AA                                                8193           Deleted
data.txt                                          19             Deleted

注意：ext4文件系统的分区根目录的inode值为2，xfs分区根目录的inode值为64

4.恢复

<1>通过inode节点恢复

[root@oracle ~]# extundelete  /dev/sdb1  --restore-inode 19
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 16 groups loaded.
Loading journal descriptors ... 58 descriptors loaded.
[root@oracle ~]# ls
anaconda-ks.cfg  extundelete-0.2.4          install.log         RECOVERED_FILES  模板  图片  下载  桌面
data.txt         extundelete-0.2.4.tar.bz2  install.log.syslog  公共的           视频  文档  音乐
[root@oracle ~]# cd RECOVERED_FILES/
[root@oracle RECOVERED_FILES]# ls
file.19
[root@oracle RECOVERED_FILES]# cat file.19 
This is disk test

<2>通过文件名恢复

[root@oracle ~]# extundelete  /dev/sdb1  --restore-file yum.log
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 16 groups loaded.
Loading journal descriptors ... 58 descriptors loaded.
Successfully restored file yum.log
[root@oracle ~]# ls RECOVERED_FILES/
file.19  yum.log
[root@oracle ~]# diff /var/log/yum.log  RECOVERED_FILES/yum.log 
[root@oracle ~]# cat RECOVERED_FILES/yum.log 
Apr 26 18:00:48 Installed: lrzsz-0.12.20-27.1.el6.x86_64
Apr 26 18:08:56 Installed: libgnat-4.4.7-18.el6.x86_64
Apr 26 18:08:59 Installed: libgnat-devel-4.4.7-18.el6.x86_64
Apr 26 18:09:00 Installed: java-1.5.0-gcj-1.5.0.0-29.1.el6.x86_64
Apr 26 18:09:00 Installed: 1:java_cup-0.10k-5.el6.x86_64
Apr 26 18:09:01 Installed: sinjdoc-0.5-9.1.el6.x86_64
Apr 26 18:09:02 Installed: 1:ecj-4.5.2-3.el6.x86_64
Apr 26 18:09:02 Installed: zlib-devel-1.2.3-29.el6.x86_64
Apr 26 18:09:04 Installed: libgcj-devel-4.4.7-18.el6.x86_64
Apr 26 18:09:04 Installed: libcom_err-devel-1.42.8-1.0.3.el6.x86_64
Apr 26 18:09:05 Installed: libobjc-4.4.7-18.el6.x86_64
Apr 26 18:09:06 Installed: gcc-objc-4.4.7-18.el6.x86_64
Apr 26 18:09:07 Installed: gcc-objc++-4.4.7-18.el6.x86_64
Apr 26 18:09:07 Installed: e2fsprogs-devel-1.42.8-1.0.3.el6.x86_64
Apr 26 18:09:08 Installed: gcc-java-4.4.7-18.el6.x86_64
Apr 26 18:09:10 Installed: gcc-gnat-4.4.7-18.el6.x86_64
<3>通过目录恢复

[root@oracle ~]# extundelete  /dev/sdb1   --restore-directory AA
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 16 groups loaded.
Loading journal descriptors ... 58 descriptors loaded.
Searching for recoverable inodes in directory AA ... 
7 recoverable inodes found.
Looking through the directory structure for deleted files ... 
5 recoverable inodes still lost.
[root@oracle ~]# ls RECOVERED_FILES/
AA  file.19  yum.log
<4>恢复所有文件

[root@oracle ~]#  extundelete /dev/sdb1 --restore-all
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 16 groups loaded.
Loading journal descriptors ... 58 descriptors loaded.
Searching for recoverable inodes in directory / ... 
7 recoverable inodes found.
Looking through the directory structure for deleted files ... 
0 recoverable inodes still lost.
[root@oracle ~]# ls RECOVERED_FILES/
AA  boot.log  data.txt  file.19  yum.log  yum.log.v1

PS:extundelete在恢复文件的时候不能自动创建空文件和目录