Using Extundelete to recover accidentally deleted data in Linux

Source: Internet
Author: User
Tags file permissions



Recovering mistakenly deleted data on a disk with the extundelete tool


Principle:


A brief introduction to inodes: under Linux you can use the "ls -id" command to view the inode number of a file or directory. For example, to view the inode number of the root directory, enter:

    [Server-100 shell]# ls -id /
    2 /


When recovering a file, extundelete does not rely on any particular file format. It first reads the inode information of the file system's root directory (the inode of the root directory is typically 2) to obtain information about all files under the current file system, both existing and deleted, including each file's name and inode.
It then uses the inode information to look up the block locations for that inode, including direct blocks and indirect blocks.
Finally, the dd command is used to back up the information and restore the data file.


Installation:
Website: https://sourceforge.net/projects/extundelete/files/latest/download?source=top3_dlp_t5

    [Server-100 src]# yum -y install e2fsprogs-libs e2fsprogs e2fsprogs-devel
    [Server-100 src]# rpm -q e2fsprogs-libs e2fsprogs e2fsprogs-devel
    [Server-100 src]# tar jxvf extundelete-0.2.4.tar.bz2
    [Server-100 src]# cd extundelete-0.2.4
    [Server-100 extundelete-0.2.4]# ./configure && make && make install


The extundelete executable is generated once the installation is complete.


Use:
    [Server-100 src]# extundelete --help

The parameters (options) are:

    --version, -[vV]    Displays the software version number.
    --help              Displays the software help information.
    --superblock        Displays the superblock information.
    --journal           Displays the journal (log) information.
    --after dtime       Time parameter: selects files or directories deleted after the given time.
    --before dtime      Time parameter: selects files or directories deleted before the given time.

Actions:

    --inode ino         Shows information about inode "ino".
    --block blk         Shows information about data block "blk".
    --restore-inode ino[,ino,...]
                        Restores the file(s) with inode "ino". The recovered files are placed
                        automatically in the RECOVERED_FILES folder under the current directory,
                        with the inode number as the extension.
    --restore-file 'path'
                        Restores the file at the specified path and places it in the
                        RECOVERED_FILES directory under the current directory.
    --restore-files 'path'
                        Restores all files listed in the file 'path'.
    --restore-all       Attempts to restore all directories and files.
    -j journal          Reads an external journal from the named file.
    -b blocknumber      Opens the file system using a previously backed-up superblock; typically
                        used to check whether the existing superblock is the desired one.
    -B blocksize        Opens the file system with the specified block size; typically used when
                        the block size is already known.


After data has been deleted, the first step is to unmount the disk or partition that held the deleted data. If the data was deleted from the system root partition, you need to enter single-user mode and mount the root partition read-only.
Reason: when a file is deleted, only the sector pointers in the file's inode are zeroed; the file's data still exists on the disk. If the disk is mounted read-write, the deleted file's data blocks may be reallocated by the system, and once those blocks are overwritten the data is truly lost. Mounting read-only avoids overwriting the data as far as possible.
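
A guard for the rule above, as an added example that is not part of the original article: it reads a mount table in /proc/mounts format and refuses recovery while the device has any read-write mount. The function names and the sample table are constructed for illustration.

```shell
#!/bin/sh
# Added example: check a device's mount state before running extundelete on it.
# mount_state DEVICE [MOUNTS_FILE] prints one of: unmounted, ro, rw.
# MOUNTS_FILE defaults to /proc/mounts (fields: device mountpoint fstype options ...).
# Devices are matched by literal name, so pass the name the mount table uses.
mount_state() {
    dev=$1
    table=${2:-/proc/mounts}
    awk -v dev="$dev" '
        $1 == dev {
            seen = 1
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++)
                if (opts[i] == "rw") rw = 1   # one rw mount is enough to risk overwrites
        }
        END {
            if (!seen)   print "unmounted"
            else if (rw) print "rw"
            else         print "ro"
        }' "$table"
}

# safe_to_recover DEVICE [MOUNTS_FILE]: succeeds only if no read-write mount exists.
safe_to_recover() {
    state=$(mount_state "$@")
    case $state in
        unmounted|ro) return 0 ;;
        *) echo "refusing: $1 is mounted read-write; unmount or remount read-only" >&2
           return 1 ;;
    esac
}

# Constructed sample in /proc/mounts format (not taken from the article's machine).
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /usr/local/src/test ext4 rw,relatime,data=ordered 0 0
/dev/sdc1 /mnt/evidence ext4 ro,noatime 0 0
EOF
}
```

Typical use: `safe_to_recover /dev/sdb1 && extundelete /dev/sdb1 --restore-all`.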


Experiment:
In the following experiment I formatted the disk as an ext4 file system; the same recovery method also works on an ext3 file system. First, mount a new partition and put some test data on it:

    [Server-100 src]# mkfs.ext4 /dev/sdb1
    [Server-100 src]# pwd
    /usr/local/src/
    [Server-100 src]# mkdir test
    [Server-100 src]# mount /dev/sdb1 test/
    [Server-100 src]# cp /etc/passwd test/
    [Server-100 src]# cp -r shell/ test/
    [Server-100 src]# mkdir test/yhl
    [Server-100 src]# echo "Welcome to test" > test/yhl/1.txt
    [Server-100 src]# cd test/
    [Server-100 test]# md5sum passwd
    b182c9886c816aa0b4fc77ca6585d42e  passwd
    [Server-100 test]# md5sum yhl/1.txt
    eb39646285ff90dd31f24bd9f0a34257  yhl/1.txt
    [Server-100 test]# ls shell/ yhl/
    shell/:
    6.sh check_system.sh hanyi.sh if2.sh if4.sh New.sh.bak p_s1.sh root.sh yanse.sh yuhulin.sh yunsuan.sh
    case.sh chengji.sh if1.sh if3.sh new.sh PPP python.sh test youxi.sh Yunsuan-1.sh

    yhl/:
    1.txt
    [Server-100 test]# rm -rf *

Recovery:

1. Unmount the partition that held the deleted files

    [Server-100 test]# umount /usr/local/src/test/
    umount: /usr/local/src/test: device is busy.
            (In some cases useful info about processes that use
             the device is found by lsof(8) or fuser(1))

The message says the device is busy. It can be unmounted as follows:

    [Server-100 test]# fuser -m -v -i -k /usr/local/src/test/
    [Server-100 ~]# umount /usr/local/src/test/

View the data that can be recovered (inode 2 is used because the inode of the partition's root directory is 2):

    [Server-100 ~]# extundelete /dev/sdb1 --inode 2
    File name | Inode number | Deleted status
    .           2
    ..          2
    shell       130305         Deleted
    passwd                     Deleted
    yhl         1042433        Deleted

First, test recovering a single file (--restore-file restores one file):

    [Server-100 ~]# extundelete /dev/sdb1 --restore-file passwd
    NOTICE: Extended attributes are not restored.
    Loading filesystem metadata ... 153 groups loaded.
    Loading journal descriptors ... descriptors loaded.
    Successfully restored file passwd

After a successful restore, the RECOVERED_FILES directory is created by default and the recovered files are placed under it. The MD5 checksum is the same as before the deletion, which shows that the recovery succeeded:

    [Server-100 ~]# cd RECOVERED_FILES/
    [Server-100 RECOVERED_FILES]# ls
    passwd
    [Server-100 RECOVERED_FILES]# md5sum passwd
    b182c9886c816aa0b4fc77ca6585d42e  passwd

Next, test recovering a directory:

    [Server-100 RECOVERED_FILES]# extundelete /dev/sdb1 --restore-directory /shell
    NOTICE: Extended attributes are not restored.
    Loading filesystem metadata ... 153 groups loaded.
    Loading journal descriptors ... descriptors loaded.
    Searching for recoverable inodes in directory /shell ...
    recoverable inodes found.
    Looking through the directory structure for deleted files ...
    5 recoverable inodes still lost.
    [Server-100 RECOVERED_FILES]# ls
    passwd RECOVERED_FILES
    [Server-100 RECOVERED_FILES]# cd RECOVERED_FILES/
    [Server-100 RECOVERED_FILES]# ls
    shell

The directory is there, but there is one problem: the permissions of the restored files differ from what they were before, so you need to set the permissions again (this is what happened in my test).

Recover all data:

    [Server-100 shell]# extundelete /dev/sdb1 --restore-all
    NOTICE: Extended attributes are not restored.
    Loading filesystem metadata ... 153 groups loaded.
    Loading journal descriptors ... descriptors loaded.
    Searching for recoverable inodes in directory / ...
    recoverable inodes found.
    Looking through the directory structure for deleted files ...
    1 recoverable inodes still lost.
    [Server-100 shell]# cd RECOVERED_FILES/
    [Server-100 RECOVERED_FILES]# ls
    passwd shell yhl
    [Server-100 yhl]# ls
    1.txt
    [Server-100 yhl]# cat 1.txt
    Welcome to test
    [Server-100 yhl]# md5sum 1.txt
    eb39646285ff90dd31f24bd9f0a34257  1.txt
    [Server-100 shell]# du -sh RECOVERED_FILES/*
    4.0K RECOVERED_FILES/passwd
    96K RECOVERED_FILES/shell
    8.0K RECOVERED_FILES/yhl

As you can see, the data was recovered successfully.
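
The experiment checks recovery by hand with md5sum and notes that permissions come back changed. The following added example (not part of the original article) automates both checks for a whole tree. It assumes a baseline was recorded before the deletion and that GNU coreutils `stat -c` is available; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: compare a recovered tree against a pre-deletion baseline.
# Baseline line format: "<octal mode> <md5> <relative path>".

# snapshot DIR: print one baseline line for every regular file under DIR.
snapshot() {
    ( cd "$1" && find . -type f | sort | while read -r f; do
          printf '%s %s %s\n' "$(stat -c %a "$f")" \
              "$(md5sum < "$f" | cut -d' ' -f1)" "${f#./}"
      done )
}

# compare_recovered BASELINE RECOVERED_DIR
# Prints OK, MISSING, CONTENT-MISMATCH or MODE-DRIFT per baseline entry and
# returns non-zero unless every entry is OK.
compare_recovered() {
    rc=0
    while read -r mode sum path; do
        f="$2/$path"
        if [ ! -f "$f" ]; then
            echo "MISSING $path"; rc=1; continue
        fi
        if [ "$(md5sum < "$f" | cut -d' ' -f1)" != "$sum" ]; then
            echo "CONTENT-MISMATCH $path"; rc=1; continue
        fi
        now=$(stat -c %a "$f")
        if [ "$now" != "$mode" ]; then
            # Content is intact but the mode must be restored by hand (chmod).
            echo "MODE-DRIFT $path now=$now was=$mode"; rc=1
        else
            echo "OK $path"
        fi
    done < "$1"
    return $rc
}
```

Run `snapshot /usr/local/src/test > baseline.txt` while the data is intact, then `compare_recovered baseline.txt RECOVERED_FILES` after the restore.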

