下载安装extundelete之前要安装两个软件包e2fsprogs和e2fsprogs-libs
安装顺序:e2fsprogs-->e2fsprogs-libs-->extundelete逐一编译安装
[root@crushlinux~]#wgethttp://jaist./project/e2fsprogs/e2fsprogs/1.41.14/e2fsprogs-1.41.14.tar.gz
[root@crushlinux~]#wgethttp://jaist./project/e2fsprogs/e2fsprogs/1.41.14/e2fsprogs-libs-1.41.14.tar.gz
[root@crushlinux~]#wgethttp://jaist./project/extundelete/extundelete/0.2.4/extundelete-0.2.4.tar.bz2
[root@crushlinux~]#tarxfe2fsprogs-1.41.14.tar.gz-C/usr/src/
[root@crushlinux~]#cd/usr/src/e2fsprogs-1.41.14/
[root@crushlinuxe2fsprogs-1.41.14]#./configure
[root@crushlinuxe2fsprogs-1.41.14]#make&&makeinstall
[root@crushlinux~]#tarxfe2fsprogs-libs-1.41.14.tar.gz-C/usr/src/
[root@crushlinux~]#cd/usr/src/e2fsprogs-libs-1.41.14/
[root@crushlinuxe2fsprogs-libs-1.41.14]#./configure
[root@crushlinuxe2fsprogs-libs-1.41.14]#make&&makeinstall
[root@crushlinux~]#tarxfextundelete-0.2.4.tar.bz2-C/usr/src/
[root@crushlinux~]#cd/usr/src/extundelete-0.2.4/
[root@crushlinuxextundelete-0.2.4]#./configure
[root@crushlinuxextundelete-0.2.4]#make&&makeinstall
模拟实验环境:
新添加一块硬盘并对其进行分区格式化成ext4,将其挂在到/backupdata目录上,建立测试文件和目录。
[root@crushlinux~]#fdisk/dev/sdb
Command(mforhelp):n
Commandaction
eextended
pprimarypartition(1-4)
p
Partitionnumber(1-4):1
Firstcylinder(1-2610,default1):
Usingdefaultvalue1
Lastcylinder,+cylindersor+size{K,M,G}(1-2610,default2610):+200M
Command(mforhelp):w
[root@crushlinux~]#partprobe/dev/sdb
[root@crushlinux~]#mkfs.ext4/dev/sdb1
[root@crushlinux~]#mkdir/backupdata/
[root@crushlinux~]#mount/dev/sdb1/backupdata/
[root@crushlinux~]#mkdir/backupdata/gnutool-delete
[root@crushlinux~]#cd/backupdata/gnutool-delete
[root@crushlinuxgnutool-delete]#man7man>file1.txt
[root@crushlinuxgnutool-delete]#man7man>file2.txt
[root@crushlinuxgnutool-delete]#mkdirfolder;cdfolder;man7man>file1.txt
[root@crushlinuxfolder]#cd../
获取文件校验码
[root@crushlinuxgnutool-delete]#md5sumfile*
06da9233bf8c0836e4d45e28dfb2b511file1.txt
06da9233bf8c0836e4d45e28dfb2b511file2.txt
[root@crushlinuxgnutool-delete]#md5sumfolder/file1.txt
06da9233bf8c0836e4d45e28dfb2b511folder/file1.txt
[root@crushlinuxgnutool-delete]#cd../
删除测试文件或目录
[root@crushlinuxbackupdata]#rm-rfgnutool-delete/
将设备卸载或者改成只读,防止数据被覆盖使用
[root@crushlinuxbackupdata]#cd../
[root@crushlinux/]#umount/backupdata/或者
[root@crushlinux~]#mount-oremount,ro/dev/sdb1
查询恢复数据信息,注意这里的--inode2这里会扫描分区:
[root@crushlinux/]#extundelete/dev/sdb1--inode2
NOTICE:Extendedattributesarenotrestored.
Loadingfilesystemmetadata...26groupsloaded.
Group:0
Contentsofinode2:
0000|ed41000000040000377929533a792953|.A......7y)S:y)S
0010|3a792953000000000000030002000000|:y)S............
0020|0000000002000000d310000000000000|................
0030|00000000000000000000000000000000|................
0040|00000000000000000000000000000000|................
0050|00000000000000000000000000000000|................
0060|00000000000000000000000000000000|................
0070|00000000000000000000000000000000|................
InodeisAllocated
Filemode:16877
Low16bitsofOwnerUid:0
Sizeinbytes:1024
Accesstime:1395226935
Creationtime:1395226938
Modificationtime:1395226938
DeletionTime:0
Low16bitsofGroupId:0
Linkscount:3
Blockscount:2
Fileflags:0
Fileversion(forNFS):0
FileACL:0
DirectoryACL:0
Fragmentaddress:0
Directblocks:4307,0,0,0,0,0,0,0,0,0,0,0
Indirectblock:0
Doubleindirectblock:0
Tripleindirectblock:0
Filename|Inodenumber|Deletedstatus
.2
..2
lost+found11
gnutool-delete12Deleted
Deletedstatus标记为Deleted是已经删除的文件或目录
默认恢复到当前所在目录下的RECOVERED_FILES目录中去。准备一个可以读写的分区,注意不要再丢失数据的分区哦!
[root@crushlinux/]#extundelete/dev/sdb1--restore-all
NOTICE:Extendedattributesarenotrestored.
Loadingfilesystemmetadata...26groupsloaded.
Loadingjournaldescriptors...43descriptorsloaded.
Searchingforrecoverableinodesindirectory/...
5recoverableinodesfound.
Lookingthroughthedirectorystructurefordeletedfiles...
0recoverableinodesstilllost.
[root@crushlinux/]#cdRECOVERED_FILES/gnutool-delete/
[root@crushlinuxgnutool-delete]#ls
file1.txtfile2.txtfolder
查看校验码与之前所得是否完全一致
[root@crushlinuxgnutool-delete]#md5sumfile*
06da9233bf8c0836e4d45e28dfb2b511file1.txt
06da9233bf8c0836e4d45e28dfb2b511file2.txt
[root@crushlinuxgnutool-delete]#md5sumfolder/file1.txt
06da9233bf8c0836e4d45e28dfb2b511folder/file1.txt
1、恢复所有文件
extundelete/dev/sdb1–restore-all
2、恢复目录
extundelete/dev/sdb1—-restore-directory/backupdata/gnutool-delete
3、恢复文件
extundelete/dev/sdb1—-restore-files/backupdata/gnutool-delete/file1.txt
4、恢复多个文件
创建一个空白文件,内容为要恢复的文件列表,一个文件一行哦!
vimrestore
/backupdata/gnutool-delete/file1.txt
/backupdata/gnutool-delete/file2.txt
/backupdata/gnutool-delete/folder/file1.txt
extundelete/dev/sdb1—-restore-files'restore'
5、根据时间恢复
假如删除的时间大概是-05-0414:30
[root@crushlinux~]#date-d"may0414:30"+%s
1399185000得出秒数
恢复此时间后删除的所有文件
/usr/local/bin/extundelete/dev/sdb1--after1399185000--restore-all
6、根据文件的inode恢复
extundelete/dev/sdb1--restore-inode77883
7、查看命令帮助
extundelete--help
应用总结:extundelete基于整个磁盘的恢复功能较为强大,基于目录和文件的恢复还不够完善。如果误删除了文件,记住对磁盘不要进行任何操作,保留好现场哦!
切记:硬盘有价,数据无价!!
恢复Linux误删除文件系列之通过文件打开的PID和文件的句柄来恢复
环境描述:
当前系统中有多个用户登录,其中一个用户对某个文件进行修改,另一个用户对文件执行了删除操作。
例如通过cat命令往文件里输入内容
[root@rhel6~]#cat>>/tmp/restore
hello
hi
haha
而在另一个终端删除这个文件
[root@rhel6~]#rm-rf/tmp/restore
解决方法:
通过文件打开的PID和打开文件的句柄来恢复
[root@rhel6~]#lsof|grep-idelete|greprestore
cat23308root1wREG8,51473/tmp/restore(deleted)
[root@rhel6~]#cd/proc/23308/fd
fd/fdinfo/
[root@rhel6~]#cd/proc/23308/fd
[root@rhel6fd]#ls
012
[root@rhel6fd]#cp1/tmp/restore
[root@rhel6fd]#cat/tmp/restore
hello
hi
haha
ok文件恢复了~~
切记:硬盘有价,数据无价!!