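In my own testing, this tool supports the ext3 and ext4 file systems.
When you find that data on a partition has been deleted by mistake, the first thing to do is to immediately unmount the partition that held the deleted files, or remount it read-only.
The reason is simple: deleting a file clears the sector pointers in the file's inode and frees the corresponding data blocks, while the actual file contents remain on the disk partition. The deleted contents do not stay there indefinitely, though: once the operating system reallocates the freed blocks, the deleted data is overwritten. Unmounting the partition right after the accidental deletion therefore lowers the risk of the data blocks being overwritten and raises the chance of a successful recovery.
1. Create the file system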
[root@zw_test_26_74 /]# mkfs -t ext4 /dev/sdb3
2. Check the file system type
[root@zw_test_26_74 /]# blkid /dev/sdb3 --show the file system type
/dev/sdb3: UUID="b786e8d1-e8ac-4681-ad3a-ff7a39c07146" TYPE="ext4"
The following command also shows it:
[root@zw_test_26_74 ~]# file -s /dev/sdb3
/dev/sdb3: Linux rev 1.0 ext4 filesystem data (extents) (huge files)
3. Create a directory named delete, mount the new file system on it, create a file, then delete the file
[root@zw_test_26_74 /]# mkdir delete
[root@zw_test_26_74 /]# mount /dev/sdb3 /delete
[root@zw_test_26_74 /]# cd /delete
[root@zw_test_26_74 delete]# ls
lost+found
[root@zw_test_26_74 delete]# vi zw.txt --add some content
[root@zw_test_26_74 delete]# rm -rf zw.txt
4. Download
extundelete home page: http://extundelete.sourceforge.net/
Download URL: http://nchc.dl.sourceforge.net/project/extundelete/extundelete/0.2.4/extundelete-0.2.4.tar.bz2 --version 0.2.4
[root@zw_test_26_74 /]# wget http://nchc.dl.sourceforge.net/project/extundelete/extundelete/0.2.4/extundelete-0.2.4.tar.bz2
[root@zw_test_26_74 /]# tar -xvf extundelete-0.2.4.tar.bz2
[root@zw_test_26_74 extundelete-0.2.4]# cd /extundelete-0.2.4
[root@zw_test_26_74 extundelete-0.2.4]# ./configure --prefix=/usr/local/extundelete && make && make install
Configuring extundelete 0.2.4
configure: error: Can't find ext2fs library
This happens because extundelete depends on e2fsprogs.
[root@zw_test_26_74 extundelete-0.2.4]# yum -y install e2fsprogs e2fsprogs-devel
After installing e2fsprogs, configure succeeds on the second run.
[root@zw_test_26_74 extundelete-0.2.4]# ./configure --prefix=/usr/local/extundelete && make && make install
Configuring extundelete 0.2.4
Writing generated files to disk
make -s all-recursive
Making all in src
Making install in src
/usr/bin/install -c 'extundelete' '/usr/local/bin/extundelete'
5. Check the tool version
[root@zw_test_26_74 /]# cd /usr/local/extundelete/bin
[root@zw_test_26_74 bin]# ./extundelete -v
extundelete version 0.2.4
libext2fs version 1.41.12
Processor is little endian.
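6. Unmount the partition. Note: if the deleted files were on the root file system (/), attach the disk to another machine and do the recovery there.
[root@zw_test_26_74 ~]# fuser -k /delete <-- kill the processes still using the partition
[root@www ~]# umount /delete <-- unmount the partition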
[root@zw_test_26_74 ~]# umount /dev/sdb3
7. Use extundelete to list the files present on the partition
extundelete --inode 2 /dev/sdb2
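# --inode shows the contents of the given inode. Inode 2 is the root directory, so this lists the entries at the top of the file system; to look inside a subdirectory, pass that directory's inode number instead.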
[root@zw_test_26_74 bin]# extundelete --inode 2 /dev/sdb3
WARNING: Extended attributes are not restored.
Loading filesystem metadata ... 26 groups loaded.
Contents of inode 2:
0000 | ed 41 00 00 00 04 00 00 01 7b c6 56 05 7b c6 56 | .A.......{.V.{.V
0010 | 05 7b c6 56 00 00 00 00 00 00 03 00 02 00 00 00 | .{.V............
0020 | 00 00 00 00 20 00 00 00 e3 10 00 00 00 00 00 00 | .... ...........
0030 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0040 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0050 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0060 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0070 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
Inode is Allocated
Group: 0
File mode: 16877
Low 16 bits of Owner Uid: 0
Size in bytes: 1024
Access time: 1455848193
Creation time: 1455848197
Modification time: 1455848197
Deletion Time: 0
Low 16 bits of Group Id: 0
Links count: 3
Blocks count: 2
File flags: 0
File version (for NFS): 0
File ACL: 0
Directory ACL: 0
Fragment address: 0
Direct blocks: 4323, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
Indirect block: 0
Double indirect block: 0
Triple indirect block: 0
File name | Inode number | Deleted status
Directory block 4323:
. 2
.. 2
lost+found 11
zw.txt 14 Deleted
.zw.txt.swp 13 Deleted
zw.txt~ 12 Deleted
The entries marked Deleted above are the removed files; zw.txt is the data I deleted by mistake.
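The field listing that `extundelete --inode 2` prints can be reproduced from the hex dump itself. This added example (not part of the original post or of extundelete) decodes the classic 128-byte ext2/3/4 on-disk inode layout; the function names are hypothetical, and the bytes are copied from the first three rows of the dump above, with the all-zero remainder padded in.

```python
import stat
import struct

# Rows 0000-0020 of the "Contents of inode 2" dump above; rows 0030-0070 are all zero.
DUMP_HEAD = """
ed 41 00 00 00 04 00 00 01 7b c6 56 05 7b c6 56
05 7b c6 56 00 00 00 00 00 00 03 00 02 00 00 00
00 00 00 00 20 00 00 00 e3 10 00 00 00 00 00 00
"""
RAW_INODE = bytes.fromhex("".join(DUMP_HEAD.split())).ljust(128, b"\x00")

# Little-endian layout: mode, uid, size, atime, ctime, mtime, dtime, gid, links,
# blocks, flags, osd1, i_block[15], generation, file_acl, dir_acl, faddr, osd2.
INODE = struct.Struct("<HHIIIIIHHIII15IIIII12s")
EXT4_EXTENTS_FL = 0x80000  # when set, i_block holds an extent tree, not a block map


def parse_inode(raw):
    """Decode the first 128 bytes of an on-disk inode into named fields."""
    f = INODE.unpack(raw[:128])
    i_block = f[12:27]
    return {
        "mode": f[0], "uid_low": f[1], "size": f[2],
        "atime": f[3], "ctime": f[4], "mtime": f[5], "dtime": f[6],
        "gid_low": f[7], "links": f[8],
        "blocks_512": f[9],           # counted in 512-byte units
        "flags": f[10],
        "uses_extents": bool(f[10] & EXT4_EXTENTS_FL),
        "direct": list(i_block[:12]), "indirect": i_block[12],
        "double_indirect": i_block[13], "triple_indirect": i_block[14],
    }


def summarize(inode):
    """Return (type, octal permissions, deleted?) for a parsed inode."""
    kind = "directory" if stat.S_ISDIR(inode["mode"]) else "other"
    perms = oct(stat.S_IMODE(inode["mode"]))
    # The deletion time is written when the inode is freed; 0 means it is live.
    return kind, perms, inode["dtime"] != 0


if __name__ == "__main__":
    ino = parse_inode(RAW_INODE)
    print(summarize(ino), ino["size"], ino["direct"][0])
```

The decoded values match the listing above: file mode 16877 is a directory with permissions 0755, and the first direct block, 4323, is the directory block whose entries extundelete then lists.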
8. Restore:
[root@zw_test_26_74 bin]# extundelete --restore-all /dev/sdb3
WARNING: Extended attributes are not restored.
Loading filesystem metadata ... 26 groups loaded.
Loading journal descriptors ... 47 descriptors loaded.
Writing output to directory RECOVERED_FILES/
Searching for recoverable inodes in directory / ...
1 recoverable inodes found.
Looking through the directory structure for deleted files ...
Restored inode 14 to file RECOVERED_FILES/zw.txt
0 recoverable inodes still lost.
[root@zw_test_26_74 bin]# ll
total 1164
-rwxr-xr-x 1 root root 1187047 Feb 19 10:10 extundelete
drwxr-xr-x 2 root root 4096 Feb 19 11:20 RECOVERED_FILES
[root@zw_test_26_74 bin]# cd RECOVERED_FILES/
[root@zw_test_26_74 RECOVERED_FILES]# ll
total 4
-rw-r--r-- 1 root root 150 Feb 19 11:20 zw.txt
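As shown, zw.txt has been restored into the RECOVERED_FILES directory.
9. Additional options:
--restore-inode 12 # --restore-inode restores by the given inode number
--restore-file zw.txt # --restore-file restores by the given file name
--restore-all # --restore-all restores everything; by default the recovered files are placed in the RECOVERED_FILES/ directory under the current path, named file.<inode number>
Note: the RECOVERED_FILES directory is created in the directory from which the command is run.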