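Installing extundelete-0.2.4
extundelete is an open-source data recovery tool that supports the ext3 and ext4 file systems. Its official site is http://extundelete.sourceforge.net/
Install the dependency packages
yum -y install e2fsprogs e2fsprogs-devel
Download extundelete-0.2.4.tar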
mv extundelete-0.2.4.tar ./opt
cd opt
tar -xjf extundelete-0.2.4.tar
cd extundelete-0.2.4
yum install gcc
yum -y install gcc-c++
./configure
make
make install
Check that the installation succeeded
/usr/local/bin/extundelete -v
extundelete version 0.2.4
libext2fs version 1.41.12
Check the file system
df -T
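Find the inode number of the accidentally deleted file
The method is as follows
View the deletion status of the files and directories under the current path:
./extundelete --inode 2 /dev/vda1
You normally start from the root node (inode 2 in the command above). This prints the directory contents; pick the directory you want to enter and repeat the command above on it, until you see the inode of the deleted file.
Restore the deleted file (assuming the inode number is 3333)
./extundelete --restore-inode 3333 /dev/vda1
The restored file is placed in the RECOVERED_FILES directory under the current path.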
# /usr/local/bin/extundelete --restore-inode 281804801 /dev/mapper/vg_***_home
NOTICE: Extended attributes are not restored.
WARNING: EXT3_FEATURE_INCOMPAT_RECOVER is set.
The partition should be unmounted to undelete any files without further data loss.
If the partition is not currently mounted, this message indicates
it was improperly unmounted, and you should run fsck before continuing.
If you decide to continue, extundelete may overwrite some of the deleted
files and make recovering those files impossible. You should unmount the
file system and check it with fsck before using extundelete.
Would you like to continue? (y/n)
y
Loading filesystem metadata ... 44203 groups loaded.
Loading journal descriptors ... 28521 descriptors loaded.
Unable to restore inode 281804801 (file.281804801): Space has been reallocated.
# /usr/local/bin/extundelete --inode 281804801 /dev/mapper/vg_***_home
NOTICE: Extended attributes are not restored.
WARNING: EXT3_FEATURE_INCOMPAT_RECOVER is set.
The partition should be unmounted to undelete any files without further data loss.
If the partition is not currently mounted, this message indicates
it was improperly unmounted, and you should run fsck before continuing.
If you decide to continue, extundelete may overwrite some of the deleted
files and make recovering those files impossible. You should unmount the
file system and check it with fsck before using extundelete.
Would you like to continue? (y/n)
y
Loading filesystem metadata ... 44203 groups loaded.
Group: 34400
Contents of inode 281804801:
Inode is Allocated
File mode: 16893
Low 16 bits of Owner Uid: 501
Size in bytes: 4096
Access time: 1502411462
Creation time: 1502411455
Modification time: 1502411455
Deletion Time: 0
Low 16 bits of Group Id: 501
Links count: 2
Blocks count: 8
File flags: 524288
File version (for NFS): 11515169
File ACL: 0
Directory ACL: 0
Fragment address: 0
Direct blocks: 127754, 4, 0, 0, 1, 1127227424, 0, 0, 0, 0, 0, 0
Indirect block: 0
Double indirect block: 0
Triple indirect block: 0
File name | Inode number | Deleted status
. 281804801
.. 274595841
.groupprocessing.sh.swp 281804802 Deleted
.groupprocessing.sh.swx 281804803 Deleted
pcapmasterconfig.txt 281804808 Deleted
ergodicdir.sh 281804804 Deleted
genpcapfilelist-2.sh 281804809 Deleted
readconfig.sh 281804807 Deleted
sourcepcapfilelist.txt 281804802 Deleted
serialfilelist.txt 281804805 Deleted
genpcapfilelist-1.sh 281804812 Deleted
groupprocessing.sh 281804813 Deleted
groupfilelist.txt 281804806 Deleted
.groupprocessing.sh.swp 281804810 Deleted
groupprocessing.sh~ 281804811 Deleted
# /usr/local/bin/extundelete --restore-inode 281804813 /dev/mapper/vg_***_home
NOTICE: Extended attributes are not restored.
WARNING: EXT3_FEATURE_INCOMPAT_RECOVER is set.
The partition should be unmounted to undelete any files without further data loss.
If the partition is not currently mounted, this message indicates
it was improperly unmounted, and you should run fsck before continuing.
If you decide to continue, extundelete may overwrite some of the deleted
files and make recovering those files impossible. You should unmount the
file system and check it with fsck before using extundelete.
Would you like to continue? (y/n)
y
Loading filesystem metadata ... 44203 groups loaded.
Loading journal descriptors ... 28520 descriptors loaded.
# /usr/local/bin/extundelete --restore-inode 281804806 /dev/map_***_home
NOTICE: Extended attributes are not restored.
WARNING: EXT3_FEATURE_INCOMPAT_RECOVER is set.
The partition should be unmounted to undelete any files without further data loss.
If the partition is not currently mounted, this message indicates
it was improperly unmounted, and you should run fsck before continuing.
If you decide to continue, extundelete may overwrite some of the deleted
files and make recovering those files impossible. You should unmount the
file system and check it with fsck before using extundelete.
Would you like to continue? (y/n)
y
Loading filesystem metadata ... 44203 groups loaded.
Loading journal descriptors ... 28520 descriptors loaded.
# /usr/local/bin/extundelete --restore-inode 281804810 /dev/mapper/vg_***_home
NOTICE: Extended attributes are not restored.
WARNING: EXT3_FEATURE_INCOMPAT_RECOVER is set.
The partition should be unmounted to undelete any files without further data loss.
If the partition is not currently mounted, this message indicates
it was improperly unmounted, and you should run fsck before continuing.
If you decide to continue, extundelete may overwrite some of the deleted
files and make recovering those files impossible. You should unmount the
file system and check it with fsck before using extundelete.
Would you like to continue? (y/n)
y
Loading filesystem metadata ... 44203 groups loaded.
Loading journal descriptors ... 28520 descriptors loaded.
# /usr/local/bin/extundelete --restore-inode 281804811 /dev/mapper/vg_***_home
NOTICE: Extended attributes are not restored.
WARNING: EXT3_FEATURE_INCOMPAT_RECOVER is set.
The partition should be unmounted to undelete any files without further data loss.
If the partition is not currently mounted, this message indicates
it was improperly unmounted, and you should run fsck before continuing.
If you decide to continue, extundelete may overwrite some of the deleted
files and make recovering those files impossible. You should unmount the
file system and check it with fsck before using extundelete.
Would you like to continue? (y/n)
y
Loading filesystem metadata ... 44203 groups loaded.
Loading journal descriptors ... 28520 descriptors loaded
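Understanding inodes
A rough outline of how files are stored. Files are stored on a hard disk, whose smallest storage unit is the "sector"; each sector holds 512 bytes. When the operating system reads the disk, it reads several consecutive sectors in one go, that is, one "block" at a time. This "block", made up of multiple sectors, is the smallest unit of file access. The most common block size is 4KB, i.e. eight consecutive sectors form one block.

Every file has a corresponding inode, which holds the file's metadata. The main items are: the file size in bytes; the User ID of the file's owner; the file's Group ID; the file's read, write and execute permissions; the file's timestamps, of which there are three (ctime, the time the inode last changed; mtime, the time the file contents last changed; atime, the time the file was last opened); the link count, i.e. how many file names point to this inode; and the location of the file's data blocks. This information can be queried with the stat command.

Inodes also consume disk space, so when a disk is formatted the operating system automatically divides it into two areas. One is the data area, which stores file data; the other is the inode area (inode table), which stores the information held in the inodes. Each inode is usually 128 bytes or 256 bytes. The total number of inodes is fixed at format time, usually one inode per 1KB or per 2KB. Suppose a 1GB disk with 128-byte inodes and one inode per 1KB: the inode table then reaches 128MB, 12.8% of the whole disk. To see the total number of inodes and the number already in use on each disk partition, use the df command.

Every inode has a number, and the operating system uses inode numbers to tell files apart. Internally, Unix/Linux does not use file names but inode numbers to identify files. To the system, a file name is only an alias or nickname that makes the inode number easier to recognize. On the surface, the user opens a file by its name. In fact, inside the system this takes three steps: first, the system finds the inode number corresponding to the file name; second, it uses the inode number to fetch the inode information; finally, based on the inode information, it locates the blocks holding the file data and reads the data out. The ls -i command shows the inode number corresponding to a file name.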
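The relationship between file names, inode numbers and the link count described above can be observed directly with ls -i. This added example (not from the original page; the function names are hypothetical) creates a scratch file in a temporary directory, gives it a second name, renames it and removes one name, recording the inode number and link count at each step.

```shell
#!/bin/sh
# Added example: a name is a directory entry; the inode number identifies the file.

inode_of() { ls -di "$1" | awk '{print $1}'; }   # inode number, as ls -i prints it
links_of() { ls -ld "$1" | awk '{print $2}'; }   # link count stored in the inode

# Prints: inode(a) inode(b) inode(renamed) links-with-two-names links-after-rm data
inode_demo() {
    dir=$(mktemp -d) || return 1
    echo "payload" > "$dir/a.txt"
    ino_a=$(inode_of "$dir/a.txt")

    ln "$dir/a.txt" "$dir/b.txt"             # second name for the same inode
    ino_b=$(inode_of "$dir/b.txt")
    links_two=$(links_of "$dir/a.txt")

    mv "$dir/a.txt" "$dir/renamed.txt"       # a rename changes the name only
    ino_renamed=$(inode_of "$dir/renamed.txt")

    rm "$dir/renamed.txt"                    # removes one name; the inode stays
    links_one=$(links_of "$dir/b.txt")
    data=$(cat "$dir/b.txt")                 # data still reachable via b.txt

    rm -rf "$dir"
    echo "$ino_a $ino_b $ino_renamed $links_two $links_one $data"
}

inode_demo
```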