Recovery principle of--extundelete recovery of data by accidental deletion in Ubuntu environment

1, data Recovery software extundelete Introduction

As an operational personnel, to ensure that the security of data is the fundamental responsibility, so in the maintenance of the system, to be cautious, but sometimes it will inevitably occur when the data is mistakenly deleted, at this time how to quickly and effectively recover data? In this section we will introduce several data recovery tools commonly used in Linux systems.

2. How to use the "RM-RF" command

Under the Linux system, the command "RM-RF" can remove any data directly from the hard disk without any hint, and Linux does not have a similar function with Windows under the Recycle Bin, it means that the data after deletion by conventional means can not be restored, So use this command with great caution. When using the RM command, it is more prudent to put the command arguments back, so that there is a reminder of the role. In fact, there is another way, that is to be deleted by the MV command to move to the/tmp directory under the system, and then write a script to perform periodic cleanup operations, to a certain extent, to reduce the risk of accidental deletion of data.

In fact, the best way to ensure data security is to do a good job of backup, although the backup is not omnipotent, but no backup is absolutely no. Any data recovery tool has some limitations, there is no guarantee to fully recover all the data, therefore, the backup as the core, the data Recovery tool as an aid is the operation and maintenance personnel must adhere to a guideline.

3. Similarities and differences between Extundelete and Ext3grep

Under Linux, the data Recovery tool based on open source has many, common have Debugfs, R-linux, Ext3grep, Extundelete, etc., more commonly have ext3grep and extundelete, these two tools recovery principle basically same, Just Extundelete features are more powerful, this section focuses on how extundelete is used.

Extundelete is a Linux-based data recovery tool that parses file system logs to parse the inode information of all files, thus recovering files that have been mistakenly deleted under the mainstream Linux ext3, Ext4 file system. Ext3grep only supports recovery of ext3 file systems. The extundelete is much faster at restore speed because the Extundelete recovery mechanism is performed simultaneously with the scan inode and recovery data, and supports single file recovery, single directory recovery, inode recovery, block recovery, full disk recovery, etc. And Ext3grep is slightly clumsy, it needs to scan the data to recover all the inode information before you can start data recovery, so the recovery speed is relatively slow, and functionally also does not support directory recovery, time period recovery and so on.

4, Extundelete principle of recovery

Before you introduce the recovery data using Extundelete, briefly describe the knowledge of the inode. Under Linux, you can use the "Ls-id" command to view the Inode value of a file or directory, such as viewing the Inode value of the root directory, you can enter:

[Email protected] ~]# Ls-id/

2/

The inode value for the root directory is 2.

When recovering a file using Extundelete, you do not rely on a specific file format, first extundelete the file system Inode information (the root directory inode is typically 2) to obtain information about all the files under the current filesystem, including existing and deleted files, This information includes the file name and Inode. Then, the inode information is used to query the block location of the inode, including the information such as direct block and indirect block. Finally, the DD command is used to back up the information and restore the data file.

5, Installation Extundelete

Extundelete's official website is http://extundelete.sourceforge.net/, and its current stable version is extundelete-0.2.4. You need to install the e2fsprogs and e2fsprogs-libs two dependent packages before installing Extundelete.

The installation of E2fsprogs and E2fsprogs-libs is very simple and is not introduced here. But the dependencies that need to be installed for Ubuntu systems are

sudo Install E2fslibs-dev

The following is the compilation installation process for Extundelete:

  [Email protected] app]# tar jxvf extundelete-0.2.4.tar.bz2
  [Email protected] app]# CD extundelete-0.2.4
  
  [[email protected] extundelete-0.2.4]# make
[[email protected] extundelete-0.2.4]# make install

After the Extundelete is successfully installed, a extundelete executable file is generated in the system. The use of the extundelete is very simple and can be obtained using the "Extundelete--help" method.

6, Extundelete usage explanation

Extundelete--help

Once the installation is complete, data recovery operations can be performed, and this section details the meaning of each of the extundelete parameters. Extundelete usage is as follows:

extundelete [options] [action] Device-file

Among them, the parameters (options) are:

--version,-[VV], displays the software version number.

--help, display software help information.

--superblock, displays the Super block information.

--journal, displays the log information.

--after Dtime, a time parameter that represents a file or directory that was deleted after a certain period of time.

--before Dtime, a time parameter that represents a file or directory that was deleted before a certain period of time.

Actions are:

--inode Ino, displays the information for the node "Ino".

--block Blk, displaying data block "blk" information.

--restore-inode Ino[,ino,...], restore the command parameters, representing the recovery node "ino" file, the recovered files are automatically placed in the current directory Restored_files folder, using the node number as the extension.

--restore-file ' path ', which restores the command parameter, indicates that the file of the specified path will be restored and the recovered file is placed in the Recovered_files directory in the current directory.

--restore-files ' path ', which restores the command parameter, indicates that all files listed in the path will be recovered.

--restore-all, restore the command parameter, indicating that all directories and files will be tried.

-j Journal, which indicates that the extended log is read from a file that has been named.

-B blocknumber, which means using a previously backed up super block to open the file system, is typically used to see if an existing super block is currently the desired file.

-B blocksize, which opens the file system by specifying a chunk size, is typically used to view files that already know the size.

7, actual combat: Extundelete The process of recovering data

After the data has been mistakenly deleted, the first time to do is to unload the deleted data on the disk or disk partition, if the system root partition data is mistakenly deleted, you need to enter the system to a single user, and the root partition in read-only mode mount. The reason for this is simple, because after deleting a file, simply zeroing out the sector pointer in the Inode node of the file, the actual file is also stored on disk, and if the disk is mounted in read-write mode, the data blocks of these deleted files may be reassigned by the operating system, after the blocks are overwritten by new data The data is really lost and the recovery tool is powerless. Therefore, mounting a disk in read-only mode minimizes the risk of data being overwritten in the data block to increase the success rate of the recovered data.

8. Restore individual files via Extundelete

8.1. Accidental deletion of simulated data environment

Before we demonstrate the recovery of data through Extundelete, we first want to simulate a data deletion environment, here we take the Ext3 file system as an example, in the Ext4 file system Recovery method is exactly the same. The simple simulation process is as follows:

[Email protected] ~]#mkdir/data [[email protected]~]# mkfs.ext3/dev/SDC1 [[email protected]Mount/DEV/SDC1/data [[email protected]~]#CP/etc/passwd/data [[email protected]~]#CP-r/app/ganglia-3.4.0/data [[email protected]~]#mkdir/data/test [[email protected]~]#Echo "extundelete Test">/data/test/mytest.txt [[email protected]~]# CD/data [[email protected] data]# md5sumpasswd0715baf8f17a6c51be63b1c5c0fbe8c5passwd[email protected] data]# md5sum test/mytest.txt EB42E4B3F953CE00E78E11BF50652A80 Test/mytest.txt [[email protected] data]#RM-rf/data/* 

8.2. Unmount the disk partition

After you mistakenly delete the data, all you need to do is unmount the disk partition:

    [Email protected] data]# CD/mnt      umount

8.3. Query for recoverable data information

The Extundelete command allows you to query the recoverable data information of the/DEV/SDC1 partition:

[Email protected]/]# EXTUNDELETE/DEV/SDC1--inode2      ...... File name| Inode number |Deleted status. 2      .. 2lost+found OneDeletedpasswd                                            49153Deleted Test425985Deleted Ganglia-3.4.0                                     245761Deleted

Depending on the output above, the file or directory that is marked as deleted is deleted. You can also see the inode value for each deleted file, and then you can recover the file.

8.4. Restore a single file

Execute the following command to start the recovery file:

[Email protected]/]# EXTUNDELETE/DEV/SDC1--restore-file passwdLoading filesystem Metadata ... + groupsloaded. Loading journal descriptors ... Wudescriptors loaded. Successfully restoredfile passwd[[Email protected]/]# CD recovered_files/[email protected] recovered_files]#ls      passwd[email protected] recovered_files]# md5sumpasswd0715baf8f17a6c51be63b1c5c0fbe8c5passwd 

Extundelete the parameter to restore a single file is "--restore-file", it is important to note that "--restore-file" is specified after the recovery file path, which is the relative path of the file. Relative path is relative to the original file storage path, for example, the original file storage path is/DATA/PASSWD, then specify the passwd file directly after the parameter, if the original file storage path is/data/test/ Mytest.txt, you can specify it by "Test/mytest.txt" after the parameter.

After the file recovery succeeds, the Extundelete command creates a recovered_files directory in the current directory where the command is executed, which is used to store the recovered files, so the current directory that executes the Extundelete command must be writable.

According to the above output, through the md5sum command checksum, the checksum code is exactly the same as before, indicating that the file recovery was successful.

9. Restore a single directory through Extundelete

In addition to supporting the recovery of individual files, Extundelete supports the recovery of a single directory, and the "--restore-directory" option restores all data for a specified directory when a directory is required to be recovered.

Continue in the above simulated error delete Data Environment operation, now to restore the ganglia-3.4.0 folder under the/data directory, the operation is as follows:

[Email protected] mnt]# EXTUNDELETE/DEV/SDC1--restore-directory/ganglia-3.4.0Loading filesystem Metadata ... + groupsloaded. Loading journal descriptors ...247descriptors loaded. Searching forRecoverable inodesinchdirectory/ganglia-3.4.0 ...      781recoverable inodes found. Looking through the directory structure fordeleted files ...4recoverable inodes still lost. [Email protected] mnt]#lsrecovered_files [[email protected] mnt]# CD Recovered_files/[email protected] recovered_files]#lsGanglia-3.4.0 

You can see that the previously deleted directory ganglia-3.4.0 has been successfully restored and entered this directory to check that all file contents and sizes are normal.

Reprint reference: Http://book.51cto.com/art/201409/452478.htm

Recovery principle of--extundelete recovery of data by accidental deletion in Ubuntu environment