For operations staff, keeping data safe is a fundamental responsibility, so system maintenance always calls for caution. Even so, data is sometimes deleted by mistake. When that happens, how can it be recovered quickly and effectively? This article introduces several data recovery tools commonly used on Linux systems.
One, how to use the "rm -rf" command
On Linux, the "rm -rf" command removes data directly from the hard disk without any prompt, and Linux has nothing like the Windows Recycle Bin, so data deleted this way cannot be restored by conventional means. Use this command with great caution. When using rm, it is more prudent to put the command's options at the end, which acts as a reminder. Another approach is to move the files to be deleted into the system's /tmp directory with the mv command and then write a script that cleans that directory up periodically, which reduces the risk of accidental deletion to some extent.
In fact, the best way to keep data safe is to make good backups. Backups are not a cure-all, but having no backup at all is never acceptable. Every data recovery tool has limitations and none can guarantee full recovery of all data, so operations staff should hold to one guideline: backups are the core, and recovery tools are only an aid.
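The mv-then-clean-up approach described above, sketched as an added example (not code from the original article). The names TRASH_DIR, safe_rm and purge_trash and the 7-day default are assumptions.

```shell
#!/bin/sh
# Added example: "move instead of delete" with periodic cleanup.
# TRASH_DIR, safe_rm and purge_trash are assumed names, not from the article.
TRASH_DIR="${TRASH_DIR:-/tmp/.trash-$(id -un)}"

# safe_rm FILE...: move each argument into a fresh, private batch directory.
# Returns non-zero if any argument was refused, missing, or could not be moved.
safe_rm() {
    [ "$#" -gt 0 ] || { echo "usage: safe_rm FILE..." >&2; return 2; }
    mkdir -p -m 700 "$TRASH_DIR" || return 1
    batch="$(mktemp -d "$TRASH_DIR/$(date +%Y%m%d-%H%M%S).XXXXXX")" || return 1
    rc=0; n=0
    for target in "$@"; do
        case "$target" in
            ""|/|.|..) echo "safe_rm: refusing '$target'" >&2; rc=1; continue ;;
        esac
        if [ ! -e "$target" ] && [ ! -L "$target" ]; then
            echo "safe_rm: no such file: $target" >&2; rc=1; continue
        fi
        # One numbered slot per argument, so two arguments with the same
        # basename cannot overwrite each other inside the batch.
        n=$((n + 1))
        mkdir "$batch/$n" && mv -- "$target" "$batch/$n/" || rc=1
    done
    rmdir "$batch" 2>/dev/null || true   # drop the batch if nothing was moved
    return "$rc"
}

# purge_trash [DAYS]: delete batches last modified more than DAYS days ago.
# Meant to be run periodically, for example from cron.
purge_trash() {
    days="${1:-7}"
    [ -d "$TRASH_DIR" ] || return 0
    find "$TRASH_DIR" -mindepth 1 -maxdepth 1 -type d -mtime +"$days" \
        -exec rm -rf -- {} +
}
```

When the trash directory is on a different file system from the data, mv copies and then deletes, so the move takes as long as a copy and needs the free space.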
Two, similarities and differences between extundelete and ext3grep
On Linux there are many open-source data recovery tools; common ones include debugfs, R-Linux, ext3grep and extundelete. The most widely used are ext3grep and extundelete. The two recover data on basically the same principle, but extundelete is the more powerful, so this article focuses on extundelete.
Three, how extundelete recovers data
Before describing data recovery with extundelete, a brief word on inodes. On Linux, the ls -id command shows the inode number of a file or directory. For example, to view the inode number of the root directory, enter:
# ls -id /
2 /
The inode number of the root directory is 2.
When recovering a file, extundelete does not rely on any specific file format. It first uses the file system's inode information (the root directory inode is typically 2) to obtain information about all files under the current file system, both existing and deleted, including file names and inode numbers. It then uses the inode information to look up the block locations belonging to each inode, including direct blocks and indirect blocks. Finally, the dd command is used to back up this information and restore the data file.
Four, installing extundelete
extundelete can be installed directly from the EPEL repository:
# yum install extundelete -y
The official website of extundelete is http://extundelete.sourceforge.net/, and its current stable version is extundelete-0.2.4. The two dependency packages e2fsprogs and e2fsprogs-libs must be installed before extundelete.
Installing e2fsprogs and e2fsprogs-libs is very simple and is not covered here. The following is the process for compiling and installing extundelete:
# tar jxvf extundelete-0.2.4.tar.bz2
# cd extundelete-0.2.4
# ./configure
# make
# make install
After extundelete is installed successfully, an extundelete executable is available on the system. extundelete is very simple to use, and readers can run "extundelete --help" to see how the software is used.
Five, extundelete usage explained
Once extundelete is installed, data recovery operations can be performed. This section details the meaning of each extundelete parameter. extundelete usage is as follows:
# extundelete --help
Command format:
extundelete [options] [action] device-file
The options are:
--version, -[vV], displays the software version number.
--help, displays the software help information.
--superblock, displays the superblock information.
--journal, displays the journal information.
--after dtime, a time parameter; only files or directories deleted after the given time are processed.
--before dtime, a time parameter; only files or directories deleted before the given time are processed.
The actions are:
--inode ino, displays the information for inode "ino".
--block blk, displays the information for data block "blk".
--restore-inode ino[,ino,...], a restore action; restores the file(s) with inode number "ino". The recovered files are placed automatically in the RECOVERED_FILES folder under the current directory, using the inode number as the extension.
--restore-file 'path', a restore action; restores the file at the specified path. The recovered file is placed in the RECOVERED_FILES directory under the current directory.
--restore-files 'path', a restore action; restores all files listed in the file 'path'.
--restore-all, a restore action; attempts to restore all directories and files.
-j journal, reads an external journal from the named file.
-b blocknumber, opens the file system using the backup superblock at blocknumber; typically used to check whether the existing superblock is the desired one.
-B blocksize, opens the file system using blocksize as the block size; typically used when the block size is already known.
Six, in practice: recovering data with extundelete
After data has been deleted by mistake, the first thing to do is unmount the disk or partition that held the deleted data. If the data was deleted from the system root partition, boot into single-user mode and mount the root partition read-only. The reason is simple: deleting a file only zeroes the sector pointers in the file's inode, while the actual file content is still stored on disk. If the disk stays mounted read-write, the operating system may reallocate the data blocks of the deleted files, and once those blocks are overwritten with new data the old data is truly lost and no recovery tool can bring it back. Mounting the disk read-only therefore minimizes the risk of data blocks being overwritten and raises the success rate of recovery.
6.1 Recovering individual files with extundelete
1. Simulate an accidental data deletion
Before demonstrating data recovery with extundelete, we first simulate an accidental deletion. Here we take the ext3 file system as an example; the recovery method on ext4 is exactly the same. The simulation is as follows:
# mkdir /data
# mkfs.ext3 /dev/sdc1
# mount /dev/sdc1 /data
# cp /etc/passwd /data
# cp -r /app/ganglia-3.4.0 /data
# mkdir /data/test
# echo "Extundelete Test" > /data/test/mytest.txt
# cd /data
# md5sum passwd
0715baf8f17a6c51be63b1c5c0fbe8c5  passwd
# md5sum test/mytest.txt
eb42e4b3f953ce00e78e11bf50652a80  test/mytest.txt
# rm -rf /data/*
2. Unmount the disk partition
After data has been deleted by mistake, the first thing to do is unmount the disk partition:
# cd /mnt
# umount /data
3. Query the recoverable data
The extundelete command can list the recoverable data on the /dev/sdc1 partition:
# extundelete /dev/sdc1 --inode 2
......
File name        | Inode number | Deleted status
.                  2
..                 2
lost+found                        Deleted
passwd             49153          Deleted
test               425985         Deleted
ganglia-3.4.0      245761         Deleted
In the output above, every file or directory marked "Deleted" has been deleted. The inode number of each deleted file is also shown, and the files can now be recovered.
4. Restore a single file
Run the following command to start recovering the file:
# extundelete /dev/sdc1 --restore-file passwd
Loading filesystem metadata ... Groups loaded.
Loading journal descriptors ... Descriptors loaded.
Successfully restored file passwd
# cd RECOVERED_FILES/
# ls
passwd
# md5sum passwd
0715baf8f17a6c51be63b1c5c0fbe8c5  passwd
The extundelete option for restoring a single file is "--restore-file". Note that "--restore-file" is followed by the path of the file to recover, and this path is relative: it is relative to the root of the partition on which the file was originally stored. For example, if the file's original path was /data/passwd, specify passwd directly after the option; if it was /data/test/mytest.txt, specify "test/mytest.txt".
After a file is recovered successfully, extundelete by default creates a RECOVERED_FILES directory in the directory where the command was run and stores the recovered files there, so the directory from which extundelete is run must be writable.
In the output above, the md5sum checksum is exactly the same as before the deletion, which shows that the file was recovered successfully.
6.2 Recovering a single directory with extundelete
Besides individual files, extundelete can also recover a single directory: when a directory needs to be recovered, the "--restore-directory" option restores all data under the specified directory.
Continuing in the simulated deletion environment above, we now restore the ganglia-3.4.0 folder that was under /data:
# extundelete /dev/sdc1 --restore-directory /ganglia-3.4.0
Loading filesystem metadata ... Groups loaded.
Loading journal descriptors ... 247 descriptors loaded.
Searching for recoverable inodes in directory /ganglia-3.4.0 ...
781 recoverable inodes found.
Looking through the directory structure for deleted files ...
4 recoverable inodes still lost.
# ls
RECOVERED_FILES
# cd RECOVERED_FILES/
# ls
ganglia-3.4.0
The previously deleted directory ganglia-3.4.0 has been restored successfully; entering the directory and checking shows that all file contents and sizes are normal.
6.3 Recovering all deleted data with extundelete
When a lot of data needs to be recovered, specifying files or directories one at a time is heavy, time-consuming work. For this case extundelete provides the "--restore-all" option, which recovers all deleted files and folders.
Still in the simulated deletion environment above, we now restore all the data that was under /data:
# extundelete /dev/sdc1 --restore-all
Loading filesystem metadata ... Groups loaded.
Loading journal descriptors ... 247 descriptors loaded.
Searching for recoverable inodes in directory / ...
781 recoverable inodes found.
Looking through the directory structure for deleted files ...
0 recoverable inodes still lost.
# ls
RECOVERED_FILES
# cd RECOVERED_FILES/
# ls
ganglia-3.4.0  passwd  test
# du -sh /mnt/RECOVERED_FILES/*
15M	/mnt/RECOVERED_FILES/ganglia-3.4.0
4.0K	/mnt/RECOVERED_FILES/passwd
8.0K	/mnt/RECOVERED_FILES/test
You can see that all the data has been completely restored.
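The article confirms recovery by comparing md5sum output one file at a time. The added example below (not code from the original article) does the same check for a whole tree, separating files that are missing from files whose content changed. It assumes a checksum manifest was recorded while the data was still intact, for instance alongside backups; make_manifest and verify_recovery are assumed names.

```shell
#!/bin/sh
# Added example: verify a recovered tree against a checksum manifest.
# make_manifest and verify_recovery are assumed names, not from the article.

# make_manifest DIR: print "<md5>  ./relative/path" for every regular file
# under DIR. Run this while the data is intact and keep the output elsewhere.
make_manifest() {
    ( cd "$1" && find . -type f -exec md5sum {} + | sort -k 2 )
}

# verify_recovery MANIFEST RECOVERED_DIR: compare each manifest entry with
# the file of the same relative path under RECOVERED_DIR. Prints one line per
# problem plus a summary, and returns 0 only when every file is present and
# identical. File names containing newlines or backslashes are not handled.
verify_recovery() {
    manifest="$1"; recovered="$2"
    ok=0; bad=0; missing=0
    while read -r want path; do
        file="$recovered/$path"
        if [ ! -f "$file" ]; then
            missing=$((missing + 1)); echo "MISSING  $path"
            continue
        fi
        got="$(md5sum < "$file")"; got="${got%% *}"
        if [ "$got" = "$want" ]; then
            ok=$((ok + 1))
        else
            bad=$((bad + 1)); echo "MISMATCH $path"
        fi
    done < "$manifest"
    echo "ok=$ok mismatch=$bad missing=$missing"
    [ "$bad" -eq 0 ] && [ "$missing" -eq 0 ]
}
```

A non-zero "missing" count corresponds to the case where extundelete reports recoverable inodes as still lost; those files have to come from backup.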
6.4 Recovering data from a time period with extundelete
Sometimes a large amount of data has been deleted, much of it useless, and only part of it needs to be recovered. Recovering everything in that case wastes both time and resources, so a selective recovery mechanism is needed. extundelete provides the "--after" and "--before" parameters, which restrict recovery to data deleted within a specified period of time.
Here is a simple example of recovering data from a period of time.
Assume that a compressed file ganglia-3.4.0.tar.gz has just been created in the /data directory and is then deleted. We then unmount the /data partition and restore the files deleted within the last hour, as follows:
# cd /data/
# cp /app/ganglia-3.4.0.tar.gz /data
# date +%s
1379150309
# rm -rf ganglia-3.4.0.tar.gz
# cd /mnt
# umount /data
# date +%s
1379150340
# extundelete --after 1379146740 --restore-all /dev/sdc1
Only show and process deleted entries if they is deleted on or after 1379146740 and before 9223372036854775807.
Loading filesystem metadata ... Groups loaded.
Loading journal descriptors ... 247 descriptors loaded.
Searching for recoverable inodes in directory / ...
779 recoverable inodes found.
# cd RECOVERED_FILES/
# ls
ganglia-3.4.0.tar.gz
As you can see, the file that was just deleted has been recovered successfully, while the many other deleted files from the /data directory have not. This is the effect of the "--after" parameter: the other files in /data were deleted a day earlier, and we only recovered files deleted within the last hour, which is why no other deleted files were recovered.
Note that the value following the "--after" parameter is a total number of seconds counted from "1970-01-01 00:00:00 UTC". The "date +%s" command converts the current time to this number of seconds. Because we are restoring data deleted within the last hour, "1379146740" is "1379150340" minus "60*60=3600".