This document describes a method for recovering files deleted by mistake on an ext4 file system. The tool used is extundelete, which has a high recovery success rate on ext4 and is worth having!
[root@localhost ~]# rm -Rf /     #Execution failed!
rm: it is dangerous to operate recursively on '/'
rm: use --no-preserve-root to override this failsafe
[root@localhost ~]# rm -rf /*    #This can be executed successfully! Ha ha...
Files deleted from an ext4 file system can be recovered with extundelete; for ext3, use ext3grep; on Windows, files deleted by mistake can be recovered with FinalData v2.0 (Chinese version) or EasyRecovery.
Extension:
A Linux file system consists of three parts: filename, inode and block. Windows also consists of these three parts.
a.txt --> inode --> block
(file name) --> (stores the file metadata) --> (stores the data)
View the file name:
[root@localhost ~]# cp /etc/passwd a.txt
[root@localhost ~]# ls a.txt
a.txt
View the inode number (common sense: each file has an inode number):
[root@localhost ~]# ls -i a.txt
440266 a.txt
View the file properties held in the inode with the stat command:
[root@localhost ~]# stat a.txt
View inode information with ls -l:
[root@localhost ~]# ls -l a.txt
-rw-r--r-- 1 root root 1720 Oct 25 10:21 a.txt
Block: the real place where the data is stored.
Logical deletion: false deletion.
Why is deleting faster than copying?
What is the first thing to do after deleting a file by mistake? You don't want to delete the blockbuster that has been saved for decades!
How do you keep the contents of the deleted files from being overwritten?
Unmount the partition where the file needs to be recovered or mount it as read-only
For example:
mount -o remount,ro /mnt
Hands-on: recover files deleted by mistake in an ext4 file system
Download extundelete
http://sourceforge.net/ Open source software distribution center
extundelete-0.2.4.tar.bz2
Link: https://pan.baidu.com/s/1n0dtGnhffcH7XrLv0TqUsw
Extraction code: a5m7
Prepare test partition:
[root@localhost ~]# ls /dev/sd*
/dev/sda  /dev/sda1  /dev/sda2  /dev/sdb
[root@localhost ~]# fdisk /dev/sdb
Device contains neither a valid DOS partition table, nor Sun, SGI or OSF disklabel
Building a new DOS disklabel with disk identifier 0x539f33b8.
Changes will remain in memory only, until you decide to write them.
After that, of course, the previous content won't be recoverable.
Warning: invalid flag 0x0000 of partition table 4 will be corrected by w(rite)
WARNING: DOS-compatible mode is deprecated. It's strongly recommended to
         switch off the mode (command 'c') and change display units to
         sectors (command 'u').
Command (m for help): p    #View partition table information
Disk /dev/sdb: 21.5 GB, 21474836480 bytes
255 heads, 63 sectors/track, 2610 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x539f33b8
   Device Boot      Start         End      Blocks   Id  System
Command (m for help): n    #Create a new partition
Command action
   e   extended
   p   primary partition (1-4)
p    #Create a primary partition
Partition number (1-4): 1
First cylinder (1-2610, default 1):
Using default value 1
Last cylinder, +cylinders or +size{K,M,G} (1-2610, default 2610): +1G    #Specify partition size
Command (m for help): p    #View partition table information
Disk /dev/sdb: 21.5 GB, 21474836480 bytes
255 heads, 63 sectors/track, 2610 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x539f33b8
   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1               1         132     1060258+  83  Linux
Command (m for help): w    #Save
The partition table has been altered!
Calling ioctl() to re-read partition table.
Syncing disks.
[root@localhost ~]# partx -a /dev/sdb1    #Get new partition table
//or
[root@localhost ~]# reboot
Extension:
If you delete a file under the root (/) and want to restore it, what should you do?
Method 1: power off immediately, then attach the disk to another computer, mount it read-only there, and recover from that machine.
Method 2: install extundelete in advance on a virtual machine (the virtual machine's system should be the same version as the server's), then copy it to a USB drive. Insert the USB drive into the server. During recovery, save the recovered files to the USB drive (do not let the recovered data be written to /, which would overwrite the previously deleted files).
Use new partition:
[root@localhost ~]# mkdir /tmp/sdb1    #Create mount point
[root@localhost ~]# mkfs.ext4 /dev/sdb1    #Format the /dev/sdb1 partition as ext4
[root@localhost ~]# mount /dev/sdb1 /tmp/sdb1    #Mount the /dev/sdb1 partition on /tmp/sdb1
[root@localhost ~]# df -h
Filesystem                    Size  Used Avail Use% Mounted on
/dev/mapper/VolGroup-lv_root   18G  1.3G   16G   8% /
tmpfs                         499M     0  499M   0% /dev/shm
/dev/sda1                     485M   33M  427M   8% /boot
/dev/sr0                      3.6G  3.6G     0 100% /media/cdrom
/dev/sdb1                    1020M   34M  935M   4% /tmp/sdb1
Copy some test files, delete them again, and then demonstrate recovery:
[root@localhost ~]# cp /etc/passwd /tmp/sdb1
[root@localhost ~]# cp /etc/hosts /tmp/sdb1
[root@localhost ~]# echo aaa > a.txt
[root@localhost ~]# mkdir -p /tmp/sdb1/a/b/c
[root@localhost ~]# cp a.txt /tmp/sdb1/a
[root@localhost ~]# cp a.txt /tmp/sdb1/a/b
[root@localhost ~]# touch /tmp/sdb1/a/b/kong.txt
[root@localhost ~]# yum install -y tree
[root@localhost ~]# tree /tmp/sdb1
/tmp/sdb1
├── a
│   ├── a.txt
│   └── b
│       ├── a.txt
│       ├── c           #Empty directory
│       └── kong.txt    #Empty file
├── hosts
├── lost+found
└── passwd

4 directories, 5 files
Delete file:
[root@localhost ~]# cd /tmp/sdb1
[root@localhost sdb1]# ls
a  hosts  lost+found  passwd
[root@localhost sdb1]# rm -rf a hosts passwd
[root@localhost sdb1]# ls
lost+found
What is the first thing to do after deleting files by mistake?
How do you keep the contents of the deleted files from being overwritten?
Unmount the partition where the file needs to be recovered or mount it as read-only
[root@localhost sdb1]# cd /root
[root@localhost ~]# df -h
Filesystem                    Size  Used Avail Use% Mounted on
/dev/mapper/VolGroup-lv_root   18G  1.3G   16G   8% /
tmpfs                         499M     0  499M   0% /dev/shm
/dev/sda1                     485M   33M  427M   8% /boot
/dev/sr0                      3.6G  3.6G     0 100% /media/cdrom
/dev/sdb1                    1020M   34M  935M   4% /tmp/sdb1
[root@localhost ~]# echo "/dev/sdb1 /tmp/sdb1 ext4 defaults 0 0" >> /etc/fstab
[root@localhost ~]# mount -o remount,ro /tmp/sdb1    #Remount the /tmp/sdb1 partition as read-only
[root@localhost ~]# df -h
Filesystem                    Size  Used Avail Use% Mounted on
/dev/mapper/VolGroup-lv_root   18G  1.3G   16G   8% /
tmpfs                         499M     0  499M   0% /dev/shm
/dev/sda1                     485M   33M  427M   8% /boot
/dev/sr0                      3.6G  3.6G     0 100% /media/cdrom
/dev/sdb1                    1020M   34M  935M   4% /tmp/sdb1
[root@localhost ~]# touch /tmp//sdb1/testfile
touch: cannot touch `/tmp//sdb1/testfile': Read-only file system
or
[root@localhost ~]# umount /tmp/sdb1    #Unmount the /tmp/sdb1 partition
[root@localhost ~]# df -h
Filesystem                    Size  Used Avail Use% Mounted on
/dev/mapper/VolGroup-lv_root   18G  1.3G   16G   8% /
tmpfs                         499M     0  499M   0% /dev/shm
/dev/sda1                     485M   33M  427M   8% /boot
/dev/sr0                      3.6G  3.6G     0 100% /media/cdrom
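A pre-flight check for the two rules above: the partition must be unmounted or read-only, and the recovered files must not land on the partition being recovered (the same concern as Method 2 for files deleted under /). This is an added example, not part of the original post; the function names are hypothetical and the sample mount table is constructed from the df output shown here.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical;
# mount tables are read in /proc/mounts format (paths with spaces not handled).

# Print "unmounted", "ro" or "rw" for device $1 using mount table $2.
mount_state() {
    awk -v dev="$1" '
        $1 == dev { s = "rw"; n = split($4, o, ",")
                    for (i = 1; i <= n; i++) if (o[i] == "ro") s = "ro"
                    if (state != "rw") state = s }
        END { print (state == "" ? "unmounted" : state) }' "$2"
}

# Print the device backing path $1: the longest mount point that prefixes it.
device_of_path() {
    awk -v p="$1" '
        $2 == "/" || p == $2 || index(p, $2 "/") == 1 {
            if (length($2) >= best) { best = length($2); dev = $1 } }
        END { print dev }' "$2"
}

# Return 0 only if extundelete may run on device $1 with output under $2.
preflight() {
    dev=$1; outdir=$2; mounts=${3:-/proc/mounts}
    state=$(mount_state "$dev" "$mounts")
    target=$(device_of_path "$outdir" "$mounts")
    if [ "$state" = rw ]; then
        echo "REFUSE: $dev is mounted read-write; umount or remount,ro first" >&2
        return 1
    fi
    if [ "$target" = "$dev" ]; then
        echo "REFUSE: $outdir is on $dev; recovered data would land on it" >&2
        return 2
    fi
    echo "OK: $dev is $state; recovered files go to $target"
}

# Constructed mount table modelled on the df output in this walkthrough.
sample_mounts() {   # $1 = mount options for /dev/sdb1 (rw or ro)
    printf '%s\n' '/dev/mapper/VolGroup-lv_root / ext4 rw,relatime 0 0' \
        '/dev/sda1 /boot ext4 rw,relatime 0 0' \
        "/dev/sdb1 /tmp/sdb1 ext4 $1,relatime 0 0"
}

t=$(mktemp)
sample_mounts rw > "$t"; preflight /dev/sdb1 /test "$t" || echo "exit $?"
sample_mounts ro > "$t"; preflight /dev/sdb1 /test "$t" || echo "exit $?"
preflight /dev/sdb1 /tmp/sdb1/out "$t" || echo "exit $?"
rm -f "$t"
```

On a live system, call `preflight /dev/sdb1 /test` without the third argument so it reads /proc/mounts, and start extundelete only when it returns 0.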
Install the extundelete tool
Upload extundelete to Linux: upload the extundelete archive from Windows to Linux. You need SecureCRT or XShell installed.
[root@localhost ~]# yum install -y lrzsz    #After installation, you have the rz command and the sz command
rz: upload files from Windows to Linux
sz: download files from Linux to Windows
Source code installation
[root@localhost ~]# cd /usr/local/src
[root@localhost src]# ls
[root@localhost src]# rz
rz waiting to receive.
Starting zmodem transfer.  Press Ctrl+C to cancel.
Transferring extundelete-0.2.4.tar.bz2...
  100%     105 KB  105 KB/s 00:00:01       0 Errors
[root@localhost src]# ls
extundelete-0.2.4.tar.bz2
[root@localhost src]# tar xjvf extundelete-0.2.4.tar.bz2
[root@localhost src]# cd extundelete-0.2.4
[root@localhost extundelete-0.2.4]# yum install -y e2fsprogs-devel gcc*
[root@localhost extundelete-0.2.4]# ./configure    #Check the system installation environment
[root@localhost extundelete-0.2.4]# make -j 4    #Compile the source code into an executable binary. -j 4 runs 4 compile processes at the same time to speed up the build, or uses a 4-core CPU to compile in parallel.
[root@localhost extundelete-0.2.4]# make install    #Install
Extension:
What's the difference between install and cp? install can set the permissions while copying; cp can't.
Example:
[root@localhost ~]# install -m 777 /bin/find /opt/a.sh
[root@localhost ~]# ll /opt/
Start recovery:
Method 1: recover through inode node
Method 2: recover by filename
Method 3: restore a directory, such as all files under directory a:
Method 4: restore all files
[root@localhost extundelete-0.2.4]# mkdir /test    #Create a directory to store recovered data
[root@localhost extundelete-0.2.4]# cd /test
View the deleted file names through the inode:
[root@localhost test]# extundelete /dev/sdb1 --inode 2
File name                                       | Inode number | Deleted status
.                                                 2
..                                                2
lost+found                                        11
passwd                                            12             Deleted
hosts                                             13             Deleted
a                                                 7377           Deleted
Extension: the inode number of the root of an ext4 partition is 2, and that of the root of an xfs partition is 64.
[root@localhost test]# ls -id /boot/    #xfs file system
64 /boot/
[root@localhost test]# ls -id /tmp/sdb1
2 /tmp/sdb1
Method 1: recover through inode node
[root@localhost test]# ls
[root@localhost test]# extundelete /dev/sdb1 --restore-inode 12
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 9 groups loaded.
Loading journal descriptors ... 61 descriptors loaded.
[root@localhost test]# ls
RECOVERED_FILES
[root@localhost test]# ls RECOVERED_FILES/
file.12
[root@localhost test]# diff /etc/passwd RECOVERED_FILES/file.12    #diff prints nothing, which shows that the content of the recovered file has not changed
Method 2: recover by filename
[root@localhost test]# extundelete /dev/sdb1 --restore-file passwd
[root@localhost test]# diff /etc/passwd RECOVERED_FILES/passwd    #diff prints nothing, which shows that the content of the recovered file has not changed
Method 3: restore a directory, such as all files under directory a:
[root@localhost test]# extundelete /dev/sdb1 --restore-directory a
[root@localhost test]# tree RECOVERED_FILES/a/
RECOVERED_FILES/a/
├── a.txt
└── b
    └── a.txt

1 directory, 2 files
Method 4: restore all files
[root@localhost test]# rm -rf RECOVERED_FILES/*
[root@localhost test]# extundelete /dev/sdb1 --restore-all
[root@localhost test]# ls RECOVERED_FILES/
a  hosts  passwd
[root@localhost test]# tree RECOVERED_FILES/
RECOVERED_FILES/
├── a
│   ├── a.txt
│   └── b
│       └── a.txt
├── hosts
└── passwd

2 directories, 4 files
Data comparison
Before deletion:
[root@localhost ~]# tree /tmp/sdb1
/tmp/sdb1
├── a
│   ├── a.txt
│   └── b
│       ├── a.txt
│       ├── c           #Empty directory
│       └── kong.txt    #Empty file
├── hosts
├── lost+found
└── passwd

4 directories, 5 files
After recovery:
[root@localhost test]# tree RECOVERED_FILES/
RECOVERED_FILES/
├── a
│   ├── a.txt
│   └── b
│       └── a.txt
├── hosts
└── passwd

2 directories, 4 files
Can extundelete automatically create empty files and directories when restoring files?
A: no
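The before/after comparison and the diff checks above can be automated when a reference copy of the tree exists (a backup, or the original sources as in this walkthrough). The script below is an added example, not part of the original post; the function names are hypothetical and the two trees it builds are constructed to mirror the listings above.

```shell
#!/bin/sh
# Added example, not from the original post; names are hypothetical.
# Compare a reference tree with extundelete's RECOVERED_FILES directory.

# Print one line per reference entry that is missing or differs in $2.
verify_recovery() {
    ref=$1; rec=$2
    (cd "$ref" && find . ! -name . ! -name lost+found | sort) |
    while IFS= read -r p; do
        if [ -d "$ref/$p" ]; then
            if [ -d "$rec/$p" ]; then continue; fi
            if [ -z "$(ls -A "$ref/$p")" ]; then echo "MISSING empty-dir $p"
            else echo "MISSING dir $p"; fi
        elif [ ! -e "$rec/$p" ]; then
            if [ -s "$ref/$p" ]; then echo "MISSING file $p"
            else echo "MISSING empty-file $p"; fi
        elif ! cmp -s "$ref/$p" "$rec/$p"; then
            echo "DIFFERS file $p"     # recovered content is not identical
        fi
    done
}

# Constructed trees mirroring this walkthrough: before deletion vs. recovered.
build_demo() {   # $1 = scratch directory
    mkdir -p "$1/ref/a/b/c" "$1/rec/a/b"
    for f in passwd hosts a/a.txt a/b/a.txt; do
        echo "data for $f" > "$1/ref/$f"; cp "$1/ref/$f" "$1/rec/$f"
    done
    : > "$1/ref/a/b/kong.txt"          # empty file, absent from rec
}

d=$(mktemp -d); build_demo "$d"
verify_recovery "$d/ref" "$d/rec"
rm -rf "$d"
```

Only the empty directory c and the empty file kong.txt are reported, matching the answer above.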