分析对比debugfs、testdisk 6.14、extundelete,对比各自官网介绍和操作说明本次决定研究extundelete对文件和目录的恢复操作。
官方网站是http://extundelete.sourceforge.net/ ,其目前的稳定版本是extundelete-0.2.4.
wget https://nchc.dl.sourceforge.net/project/extundelete/extundelete/0.2.4/extundelete-0.2.4.tar.bz2
yum -y install gcc-c++ e2fsprogs.x86_64 e2fsprogs-devel.x86_64
tar -jxvf extundelete-0.2.4.tar.bz2
cd extundelete-0.2.4
Configuring extundelete 0.2.4
configure: error: in `/root/Desktop/extundelete-0.2.4\':
configure: error: C++ compiler cannot create executables
See `config.log\' for more details
yum -y install gcc gcc-c++
[root@localhost extundelete-0.2.4]# ./configure
Configuring extundelete 0.2.4
configure: error: Can\'t find ext2fs library
yum -y install e2fsprogs-devel
[root@localhost extundelete-0.2.4]# ./configure
Configuring extundelete 0.2.4
Writing generated files to disk
make && make install
extundelete -v
前提:如果确定文件被误删,在没有备份的情况下请马上对分区实施写入保护,(预防新的写入覆盖误删的块数据)mount -o remount,ro /dev/sdb1或者直接umount /dev/sdb1/解挂载目录,df -h命令可以看出你的数据目录挂载在那个分区下(fdisk磁盘管理)
extundelete /dev/sdb1 --inode 2
/usr/local/extundelete/bin/extundelete: Bad magic number in super-block when trying to open filesystem /dev/sdb1
原理:从根节点(inode=2)开始找到被删除文件的i节点,然后recover i节点。
以下操作模拟在/dev/sdb1 删除文件apache-tomcat-8.0.24.tar.gz 和目录tomcat-app1,
extundelete /dev/sdb1 --inode 2 NOTICE: Extended attributes are not restored. WARNING: EXT3_FEATURE_INCOMPAT_RECOVER is set. The partition should be unmounted to undelete any files without further data loss. If the partition is not currently mounted, this message indicates it was improperly unmounted, and you should run fsck before continuing. If you decide to continue, extundelete may overwrite some of the deleted files and make recovering those files impossible. You should unmount the file system and check it with fsck before using extundelete. Would you like to continue? (y/n) y Loading filesystem metadata ... 4000 groups loaded. Group: 0 Contents of inode 2: 00d0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 00e0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 00f0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
Inode is Allocated File mode: 16877 Low 16 bits of Owner Uid: 0 Size in bytes: 4096 Access time: 1482394360 Creation time: 1482394361 Modification time: 1482394361 Deletion Time: 0 Low 16 bits of Group Id: 0 Links count: 3 Blocks count: 8 File flags: 0 File version (for NFS): 0 File ACL: 0 Directory ACL: 0 Fragment address: 0 Direct blocks: 9249, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 Indirect block: 0 Double indirect block: 0 Triple indirect block: 0
File name | Inode number | Deleted status . 2 .. 2 lost+found 11 apache-tomcat-8.0.24.tar.gz 13 Deleted apache-tomcat-8.0.24 30670849 Deleted tomcat-app1 30670849 Deleted
extundelete /dev/sdb1 --restore-inode 13 根据inode信息进行文件恢复
extundelete /dev/sdb1 --restore-file apache-tomcat-8.0.24.tar.gz 根据文件名进行文件修复
修复后的文件存储在当前目录RECOVERED_FILES里面 ll RECOVERED_FILES/ -rw-r----- 1 root root 9106353 Dec 22 17:23 apache-tomcat-8.0.24.tar.gz -rw-r----- 1 root root 9106353 Dec 22 17:23 file.13
extundelete /dev/sdb1 --restore-directory /tomcat-app1 根据目录名称恢复目录
NOTICE: Extended attributes are not restored. WARNING: EXT3_FEATURE_INCOMPAT_RECOVER is set. The partition should be unmounted to undelete any files without further data loss. If the partition is not currently mounted, this message indicates it was improperly unmounted, and you should run fsck before continuing. If you decide to continue, extundelete may overwrite some of the deleted files and make recovering those files impossible. You should unmount the file system and check it with fsck before using extundelete. Would you like to continue? (y/n) y Loading filesystem metadata ... 4000 groups loaded. Loading journal descriptors ... 1204 descriptors loaded. Searching for recoverable inodes in directory /tomcat-app1 ... 2405 recoverable inodes found. Looking through the directory structure for deleted files ...
ll RECOVERED_FILES/ -rw-r----- 1 root root 9106353 Dec 22 17:23 apache-tomcat-8.0.24.tar.gz -rw-r----- 1 root root 9106353 Dec 22 17:23 file.13 drwxr-x--- 6 root root 4096 Dec 22 17:27 tomcat-app1 恢复成功
根据上面操作证明extundelete 工具可以实现对误删数据的恢复,而且操作简单。