Extundelete application of efficient data recovery software under Linux

As an operational personnel, to ensure that the security of data is the fundamental responsibility, so in the maintenance of the system, to be cautious, but sometimes it will inevitably occur when the data is mistakenly deleted, at this time to change how to quickly and effectively recover data? In this section we will introduce several data recovery tools commonly used in Linux systems.

First, how to use the "RM-RF" command

Under the Linux system, the command "RM-RF" can remove any data directly from the hard disk without any hint, and Linux does not have a similar function with Windows under the Recycle Bin, it means that the data after deletion by conventional means can not be restored, So use this command with great caution. When using the RM command, it is more prudent to put the command arguments back, so that there is a reminder of the role. In fact, there is another way, that is to be deleted by the MV command to move to the/tmp directory under the system, and then write a script to perform periodic cleanup operations, to a certain extent, to reduce the risk of accidental deletion of data.

In fact, the best way to ensure data security is to do a good job of backup, although the backup is not omnipotent, but no backup is absolutely no. Any data recovery tool has some limitations, there is no guarantee to fully recover all the data, therefore, the backup as the core, the data Recovery tool as an aid is the operation and maintenance personnel must adhere to a guideline.

Similarities anddifferences of Extundelete and Ext3grep

Under Linux, the data Recovery tool based on open source has many, common have Debugfs, R-linux, Ext3grep, Extundelete, etc., more commonly have ext3grep and extundelete, these two tools recovery principle basically same, Just Extundelete features are more powerful, this section focuses on the use of Extundelete.

Three,extundelete principle of recovery

Before you introduce the recovery data using Extundelete, briefly describe the knowledge of the inode. Under Linux, you can use the "ls–id" command to view the Inode value of a file or directory, such as viewing the Inode value of the root directory, you can enter:

[Email protected] ~]# LS-ID/2/

The inode value for the root directory is 2.

When recovering a file using Extundelete, you do not rely on a specific file format, first extundelete the file system Inode information (the root directory inode is typically 2) to obtain information about all the files under the current filesystem, including existing and deleted files, This information includes the file name and Inode. Then, the inode information is used to query the block location of the inode, including the information such as direct block and indirect block. Finally, the DD command is used to back up the information and restore the data file.

Iv. installation of Extundelete

Extundelete's official website is http://extundelete.sourceforge.net/, and its current stable version is extundelete-0.2.4. , you need to install the e2fsprogs and e2fsprogs-libs two dependent packages before installing Extundelete.

The installation of E2fsprogs and E2fsprogs-libs is very simple and is not introduced here. The following is the compilation installation process for Extundelete:

[[email protected] app] #tar jxvf extundelete-0.2.4.tar.bz2[[email protected] app #cd Extundelete-0.2.4[[email Protected] Extundelete-0.2.4]#./configure[[email protected] extundelete-0.2.4] #make [email protected] extundelete-0.2.4] #make Install

After the Extundelete is successfully installed, a extundelete executable file is generated in the system. The use of Extundelete is very simple, and the reader can use "Extundelete--help" to get the software used.

Five,extundelete usage Explanation

After the Extundelete installation is complete, data recovery operations can be performed, and this section details the meaning of each parameter under Extundelete. Extundelete usage is as follows:

Extundelete--help

Command format:

extundelete [options] [action] Device-file

The parameters (options) are:

--version,-[VV], displays the software version number.

--help, display software help information.

--superblock, displays the Super block information.

--journal, displays the log information.

--after Dtime, a time parameter that represents a file or directory that was deleted after a certain period of time.

--before Dtime, a time parameter that represents a file or directory that was deleted before a certain period of time.

Actions are:

--inode Ino, displays the information for the node "Ino".

--block Blk, displaying data block "blk" information.

--restore-inode Ino[,ino,...], restore the command parameters, representing the recovery node "ino" file, the recovered files are automatically placed in the current directory Restored_files folder, using the node number as the extension.

--restore-file ' path ', which restores the command parameter, indicates that the file of the specified path will be restored and the recovered file is placed in the Recovered_files directory in the current directory.

--restore-files ' path ', which restores the command parameter, indicates that all files listed in the path will be recovered.

--restore-all, restore the command parameter, indicating that all directories and files will be tried.

-j Journal, which indicates that the extended log is read from a file that has been named.

-B blocknumber, which means using a previously backed up super block to open the file system, is typically used to see if an existing super block is currently the desired file.

-B blocksize, which means using a block size to open the file system, is typically used to view files that already know the size.

Vi. Actual combat: Extundelete The process of recovering data

After the data has been mistakenly deleted, the first time to do is to unload the deleted data on the disk or disk partition, if the system root partition data is mistakenly deleted, you need to enter the system to a single user, and the root partition in read-only mode mount. The reason for this is simple, because after deleting a file, simply zeroing out the sector pointer in the Inode node of the file, the actual file is also stored on disk, and if the disk is mounted in read-write mode, the data blocks of these deleted files may be reassigned by the operating system, after the blocks are overwritten by new data The data is really lost and the recovery tool is back to the sky. Therefore, mounting a disk in read-only mode minimizes the risk of data being overwritten in the data block to increase the success rate of the recovered data.

6.1 recovering individual files via Extundelete

1. accidental Deletion of simulated data environment

Before we demonstrate the recovery of data through Extundelete, we first want to simulate a data mistakenly deleted environment, here we take the Ext3 file system as an example, in the Ext4 file system recovery in the same way as this exactly. The simple simulation process is as follows:

[[email protected] ~] #mkdir  /data[[email protected]  ~] #mkfs. ext3 /dev/sdc1[[email protected] ~] #mount  /dev/sdc1  /data[[email  protected] ~]# cp /etc/passwd  /data[[email protected] ~]# cp  -r /app/ganglia-3.4.0  /data[[email protected] ~]# mkdir /data/test[[ email protected] ~]# echo  "Extundelete test"  > /data/test/mytest.txt[[ Email protected] ~] #cd  /data[[email protected] data]# md5sum  passwd  0715baf8f17a6c51be63b1c5c0fbe8c5  passwd[[email protected] data]# md5sum   test/mytest.txt eb42e4b3f953ce00e78e11bf50652a80  test/mytest.txt[[email protected]  data]# rm -rf /data/* 

2. unmount the disk partition

After you mistakenly delete the data, all you need to do is unmount the disk partition:

[[email protected] data] #cd/mnt[[email protected] mnt]# Umount/data

3. Query for recoverable data information

The Extundelete command allows you to query the recoverable data information of the/DEV/SDC1 partition:

[[Email protected] /]# extundelete  /dev/sdc1  --inode 2......file  name                                         | Inode number | Deleted status.                                                   2..                                                   2lost+found                                          11              deletedpasswd                                             49153           Deletedtest                                                425985          deletedganglia-3.4.0                                         245761         deleted

Depending on the output above, the file or directory that is marked as deleted is deleted. You can also see the inode value for each deleted file, and then you can recover the file.

4. Restore a single file

Execute the following command to start the recovery file:

[Email protected]/]# EXTUNDELETE/DEV/SDC1--restore-file passwd Loading filesystem metadata ... Groups loaded. Loading Journal Descriptors ... Descriptors loaded. Successfully restored file Passwd[[email protected]/]# CD Recovered_files/[[email protected] recovered_files]# lspasswd [Email protected] recovered_files]# md5sum passwd 0715baf8f17a6c51be63b1c5c0fbe8c5 passwd

Extundelete the parameter to restore a single file is "--restore-file", it is important to note that "--restore-file" is specified after the recovery file path, which is the relative path of the file. Relative path is relative to the original file storage path, for example, the original file storage path is/DATA/PASSWD, then specify the passwd file directly after the parameter, if the original file storage path is/data/test/ Mytest.txt, you can specify it by "Test/mytest.txt" after the parameter.

After the file recovery succeeds, the Extundelete command creates a recovered_files directory in the current directory where the command is executed, which is used to store the recovered files, so the current directory that executes the Extundelete command must be writable.

According to the above output, through the md5sum command checksum, the checksum code is exactly the same as before, indicating that the file recovery was successful.

6.2 Recovering a single directory through Extundelete

In addition to supporting the recovery of individual files, Extundelete supports the recovery of a single directory, and the "--restore-directory" option restores all data for a specified directory when a directory is required to be recovered.

Continue in the above simulated error delete Data Environment operation, now to restore the ganglia-3.4.0 folder under the/data directory, the operation is as follows:

[Email protected] mnt]# EXTUNDELETE/DEV/SDC1--restore-directory/ganglia-3.4.0loading filesystem metadata ... Groups loaded. Loading Journal Descriptors ... 247 descriptors loaded. Searching for recoverable inodes in directory/ganglia-3.4.0 ... 781 recoverable inodes found. Looking through the directory structure for deleted files ... 4 recoverable inodes still lost. [[email protected] mnt]# Lsrecovered_files[[email protected] mnt]# CD Recovered_files/[[email protected] Recovered_ files]# lsganglia-3.4.0

You can see that the previously deleted directory ganglia-3.4.0 has been successfully restored and entered this directory to check that all file contents and sizes are normal.

6.3 Recover all deleted data by extundelete

When you need to recover more data, specifying a file or directory will be a very heavy and time-consuming task, however, extundelete the "--restore-all" option to recover all deleted files or folders when this is considered.

Still in the above simulated error delete Data Environment operation, now to restore all the data in the/data directory, the operation process is as follows:

[[email protected] mnt]# extundelete  /dev/sdc1 --restore-allloading  Filesystem metadata ... 40 groups loaded. Loading journal descriptors ... 247 descriptors loaded. searching for recoverable inodes in directory / ... 781  Recoverable inodes found. Looking through the directory structure for deleted files ... 0  recoverable inodes still lost. [[email protected] mnt]# lsrecovered_files[[email protected] mnt]# cd  recovered_files/[[email protected] recovered_files]# lsganglia-3.4.0  passwd   test[[email protected] recovered_files]# du -sh  /mnt/recovered_files/*15m      /mnt/recovered_files/ganglia-3.4.04.0k    /mnt/recovered_ files/passwd8.0k     /mnt/recovered_files/test 

You can see that all the data is completely restored.

6.4 recovering data for a period of time through Extundelete

Sometimes a large amount of data is deleted, many of which are useless, we only need to recover some of the data, at this time, if the use of recovery of all the data, not only time-consuming, and waste of resources, in this case, it is necessary to adopt another recovery mechanism to selectively recover, Extundelete provides the "-after" and "--before" parameters, which can be restored by specifying a period of time to restore only the data within that time period.

Here's a simple example that describes how to recover data from a period of time.

We first assume that in the/data directory there is a newly created compressed file ganglia-3.4.0.tar.gz, and then delete the file, then uninstall the/data partition, start to restore the file within one hour, the operation is as follows:

[[email protected] ~] #cd  /data/[[email protected] data]# cp /app/ Ganglia-3.4.0.tar.gz  /data[[email protected] data]# date +%s1379150309[[email  protected] data]# rm -rf ganglia-3.4.0.tar.gz[[email protected] data]#  cd /mnt[[email protected] mnt]# umount /data[[email protected] mnt]#  date +%s1379150340[[email protected] mnt]# extundelete  --after  1379146740 --restore-all /dev/sdc1only show and process deleted entries  if they are deleted on or after 1379146740 and before  9223372036854775807.loading filesystem metadata ... 40 groups loaded. Loading journal descriptors ... 247 descriptors loaded. Searching for recoverable inodes in directory&nBsp;/ ... 779 recoverable inodes found. [[Email protected] mnt]#  cd recovered_files/[[email protected] recovered_ Files]# lsganglia-3.4.0.tar.gz

As you can see, the file that you just deleted has been successfully recovered, and there are many deleted files in the/data directory that are not recovered, which is the result of the "--after" parameter control because the other files in the/data directory were deleted one day ago, and we recovered the deleted files within one hours. , which is why no other deleted files have been recovered.

During this operation, it is important to note that the time followed by the "--after" parameter is a total number of seconds. The starting time is "1970-01-01 00:00:00 UTC", which converts the current time to the total number of seconds through the "date +%s" command, since the data is restored within one hours, so "1379146740" is the value of "1379150340" minus "60." *60=3600 "obtained.

This article is from the "Technical Achievement Dream" blog, please be sure to keep this source http://ixdba.blog.51cto.com/2895551/1566856

Extundelete application of efficient data recovery software under Linux