Extundelete data recovery, extundelete

Extundelete data recovery, extundelete

Introduction:

Extundelete data recovery

A life-saving straw! When you accidentally delete data during the O & M process, you will use the data recovery tool (all tears, not to mention ).

Common open-source data recovery tools include debugfs, R-Linux, ext3grep, and extundelete.

Ext3grep and extundelete are commonly used. ext3grep only supports the ext3 file system, and extundelete supports ext3/ext4.

The system logs are analyzed to parse inode information of all files, use inode to find the block, and use dd to back up and delete data.

When the data is deleted, immediately re-mount the partition in read-only mode... Remember to immediately !!!

:

Http://jaist.dl.sourceforge.net/project/extundelete/extundelete/0.2.4/extundelete-0.2.4.tar.bz2

Today, I accidentally deleted a directory containing the source code package...

1. Install Extundelete

shell > yum -y install e2fsprogs-devel

# Install these two dependent packages first, or the following error will be reported: configure: error: Can't find ext2fs library

shell > tar jxf extundelete-0.2.4.tar.bz2shell > cd extundelete-0.2.4[root@study extundelete-0.2.4]# ./configure ; make ; make install

# Common parameters

-- After dtime parameter, indicating the file or directory to be deleted after a certain period of time
-- Before dtime parameter, indicating the file or directory that was deleted before a certain period of time

# Common actions

-- Inode ino: displays node ino Information
-- Block blk: displays data block blk information.

-- Restore-inode ino indicates the restoration of node ino files, used to restore a single file
-- Restore-file path indicates that files in the specified path are restored, which is used to restore all files in the directory.
-- Restore-all indicates that all deleted directories and files are restored.

2. Find the deleted file

shell > ls -id /usr/local/src130619 /usr/local/src

# First view the deleted upper-level directory inode

shell > extundelete /dev/mapper/vg_study-LogVol00 --inode 130619...File name | Inode number | Deleted status.                 130619..                130587package           137256   Deletedapr-1.5.1         140038apr-util-1.5.4    535002httpd-2.4.10      535320pcre-8.30         656184siege-3.0.8       656483libmcrypt-2.5.8   144383package.xml       146709mysql-5.6.4-m7    140588memcache-2.2.7    146712php-5.4.13        667097redis-2.2.5       269016memcached-1.4.15  146806libevent-master   539531   Deleted

# The Deleted directory package is in the Deleted status and inode is 137256.

shell > extundelete /dev/mapper/vg_study-LogVol00 --inode 137256...File name | Inode number | Deleted status.                 137256..                130573e2p.h;54b8ac2f    137260        Deletede2p.h             137260mysql-5.6.4-m7.tar.gz   140630  Deletedhttpd-2.4.10.tar.gz     140035  Deletedpcre-8.30.tar.gz        140036  Deletedsiege-3.0.8.tar.gz      140037  Deletedlibmcrypt-2.5.8.tar.bz2 144382  Deletedphp-5.4.13.tar.bz2      144439  Deletedmemcache-2.2.7.tgz      144381  Deletedredis-2.2.5.tgz         146713  Deletedlibevent-master         539531  Deletedmemcached-1.4.15.tar.gz 144377  Deletedlibevent-master.zip     146863  Deleted

# What files and inode numbers are under the deleted directory

3. Restore data

shell > extundelete /dev/mapper/vg_study-LogVol00 --restore-directory /usr/local/src/package

# Specify the partition where the directory to be deleted is located. -- restore-directory is used to restore the entire directory, followed by the directory to be restored.

NOTICE: Extended attributes are not restored.WARNING: EXT3_FEATURE_INCOMPAT_RECOVER is set.The partition should be unmounted to undelete any files without further data loss.If the partition is not currently mounted, this message indicatesit was improperly unmounted, and you should run fsck before continuing.If you decide to continue, extundelete may overwrite some of the deletedfiles and make recovering those files impossible. You should unmount thefile system and check it with fsck before using extundelete.Would you like to continue? (y/n)yLoading filesystem metadata ... 151 groups loaded.Loading journal descriptors ... 22517 descriptors loaded.Searching for recoverable inodes in directory /usr/local/src/package ...1679 recoverable inodes found.Looking through the directory structure for deleted files ...Block 578312 is allocated.Unable to restore inode 146713 (usr/local/src/package/redis-2.2.5.tgz): Space has been reallocated.Unable to restore inode 539531 (usr/local/src/package/libevent-master): Space has been reallocated.1670 recoverable inodes still lost.

# Where, the redis-2.2.4.tgz and libevent-master are not restored because inode is reassigned out...

shell > cd RECOVERED_FILES/usr/local/src/package

# After restoration, A RECOVERED_FILES directory is generated under the current directory.

shell > lse2p.h;54b8ac2f libmcrypt-2.5.8.tar.bz2 memcached-1.4.15.tar.gz php-5.4.13.tar.bz2libevent-master.zip memcache-2.2.7.tgz mysql-5.6.4-m7.tar.gz

# Only seven files are restored, and 12 files are deleted... Use find to check the inode number of files not recovered

shell > find / -inum 140035/usr/lib64/libe2p.soshell > find / -inum 140036/usr/lib64/libext2fs.ashell > find / -inum 140037/usr/lib64/libext2fs.so

# It is found that httpd, pcre, and siege are all allocated..., and what cannot be recovered will never exist ..

# Therefore, remember: if the data is deleted by mistake, you must immediately detach or attach the data disk to a read-only partition to prevent the inode from being reallocated to the written file.
# If the data in the root partition is deleted by mistake, immediately go to the single-user mode and mount the root partition read-only.
# Another problem occurs. When partitioning a system, it is best not to separate only one root partition. It is difficult to do this...
#2. Install the data recovery software in advance ..
# Third, When deleting data, first move the data to be deleted to/tmp (separately partitioned), and then delete it or regularly Delete the script
# Fourth, back up data.
# Finally, try again !!!