One. Data deletion
Command: RM-RF, remove any data directly from the hard drive without any hint
Recommended Practice:
- Put the command arguments back: Rm-rfi
- Move the deleted items through the MV command to the/temp directory under the system, then write a script to perform the cleanup periodically
- Backup
Two. Installation and use of Extundelete
Common open Source-based data recovery tools under Linux are: Debugfs/r-linux/ext3grep/extundelete
1. Recovery principle: Three steps
- Extundelete recovery files do not depend on a particular file format, first extundelete will pass Incode information via the file system (Ls-id/view The root Incode is typically 2) to obtain information (including file names and Incode, including deleted files) for all files under the current file system.
- Then use Incode information combined with the log to query the Incode block location, including direct block/indirect block and other information.
- Finally, the DD command is used to back up this information to restore the data file
2. Installation (Introduction to compilation installation)
- Installation of E2fsprogs and e2fsprogs-libs two dependent packages before installation
- Download the file at the end of Extundelete (. tar.bz2), assuming 0.2.4 version
- Decompression: Tar jxvf extundelete-0.2.4.tar.bz2
- CD extundelete-0.2.4
- ./configure
- Make
- Make install
3. Usage
Command format: extundelete [optons] [action] Device-file
[option] Parameter:
- --VERSION,-[VV], display software version number
- --help, displaying software help information
- --superblock, displaying super block information
- --journal, displaying log information
- --after Dtime, a time parameter that represents a file or directory that was deleted after a certain period of time
- --before Dtime, a time parameter that represents a file or directory that was deleted before a certain period of time
[Action] Action parameters:
- --incode into, displaying node "ino" information
- --block Blk, displaying data block "blk" information
- --restore-incode Ino[,ino,...], restore the command parameters, representing the Restore node "ino" of the file, the restored files are automatically placed in the current directory Restored_files folder, using the node number as the extension.
- --restore-file ' path ', which restores the command parameter, means that the file of the specified path will be restored and the restored file is placed in the Recovered_files file in the current directory.
- --restore-all, restore command parameters, indicating that all directories and files will be attempted to be restored
- -j Journal, which indicates that the extended log is read from a file that has been named.
- -B blocknumber, which means using a previously backed up super block to open the file system, is typically used to see if an existing super block is currently the desired file
- -B blocksize, which means using a block size to open the file system, is typically used to view files that already know the size.
4. Note
After the data has been mistakenly deleted, the first thing to do is to unmount the disk or disk partition where the deleted data resides. If the root partition is deleted, the system needs to be entered into a single user and the root partition is mounted in read-only mode.
Cause: After the file is deleted, only the sector pointer in the file's Incode is zeroed out, and the actual file is still there. If the disk is mounted on a read-write machine, the data blocks of the deleted files may be reassigned by the operating system, and the data is lost when the data blocks are overwritten with new data. Therefore, mount in read-only mode minimizes the risk of data being overwritten in the data block.
Common data recovery tools under Linux
