Extundelete is an efficient data recovery software in Linux.

Extundelete is an efficient data recovery software in Linux.

Recommendation: 10-year technical masterpiece: High-Performance Linux Server build Practice II is released across the network, with a trial reading chapter and full-book instance source code download!

As an O & M personnel, it is the fundamental responsibility to ensure data security. Therefore, you must be cautious when maintaining the system, but sometimes data may be deleted by mistake, how can we quickly and effectively restore data at this time? This article describes several common data recovery tools in Linux.

I. How to use the "rm-rf" command


In Linux, you can run the "rm-rf" command to delete any data directly from the hard disk without any prompts. in Linux, there is no function similar to the recycle bin in Windows, this means that data cannot be restored after being deleted by conventional means. Therefore, you must be cautious when using this command. When using the rm command, the safer way is to put the command parameters behind it, which provides a reminder. In fact, there is another method, that is, to move the things to be deleted to the/tmp directory under the system through the mv command, and then write a script to regularly perform the cleanup operation, this can reduce the risk of accidental data deletion to some extent.
In fact, the best way to ensure data security is to back up data. Although backup is not omnipotent, it is absolutely impossible without backup. All data recovery tools have certain limitations and cannot completely restore all data. Therefore, taking backup as the core and data recovery tools as an auxiliary tool is a criterion that O & M personnel must adhere.


Ii. Similarities and Differences between extundelete and ext3grep
In Linux, there are many open-source data recovery tools, including debugfs, R-Linux, ext3grep, and extundelete. ext3grep and extundelete are commonly used, the restoration principles of these two tools are basically the same, but extundelete is more powerful. This article focuses on the use of extundelete.


Iii. Restoration principle of extundelete
Introduction to inode before using extundelete to restore data. In Linux, you can run the "ls-id" command to view the inode value of a file or directory. For example, to view the inode value of the root directory, you can enter:


[Root @ cloud1 ~] # Ls-id/
2/
The inode value of the root directory is 2.
When using extundelete to restore a file, it does not depend on the specific file format. First, extundelete uses the inode information of the file system (the inode of the root directory is generally 2) to obtain information about all files in the current file system, including existing and deleted files, including file names and inode. Then, the inode information is combined with the log to query the location of the block where the inode is located, including the direct block and indirect block information. Finally, use the dd command to back up the information to restore the data file.


4. Install extundelete
The official website of extundelete is http://extundelete.sourceforge.net/, and its current stable version is extundelete-0.2.4 ., Install the e2fsprogs and e2fsprogs-libs dependency packages before installing extundelete.
E2fsprogs and e2fsprogs-libs installation are very simple and will not be introduced here. The compilation and Installation Process of extundelete is as follows:


[Root @ cloud1 app] # tar jxvf extundelete-0.2.4.tar.bz2
[Root @ cloud1 app] # cd extundelete-0.2.4
[Root @ cloud1 extundelete-0.2.4] #./configure
[Root @ cloud1 extundelete-0.2.4] # make
[Root @ cloud1 extundelete-0.2.4] # make install
After extundelete is successfully installed, an extundelete executable file is generated in the system. The use of extundelete is very simple. You can use "extundelete -- help" to obtain the usage of this software.


V. extundelete usage
After extundelete is installed, you can perform data recovery. This section describes the meaning of each extundelete parameter. The usage of extundelete is as follows:
Extundelete -- help
Command Format:
1
Extundelete [options] [action] device-file
The parameters (options) include:
-- Version,-[vV], displays the software version number.
-- Help: displays the software help information.
-- Superblock: displays the superblock information.
-- Journal: displays log information.
-- After dtime, a time parameter, indicates the files or directories deleted after a certain period of time.
-- Before dtime, time parameter, indicates the file or directory that was deleted before a certain period of time.


Actions include:
-- Inode ino: displays information about the node "ino.
-- Block blk: displays information about the data block "blk.
-- Restore-inode ino [, ino,...], the recovery command parameter indicates that the "ino" file of the node is restored. The recovered file is automatically placed in the RESTORED_FILES folder under the current directory and the node number is used as the extension.
-- Restore-file 'path': Recovery command parameter, which indicates to restore the file in the specified path and put the recovered file in the RECOVERED_FILES directory under the current directory.
-- Restore-files 'path'. The recovery command parameter indicates that all files listed in the path will be restored.
-- Restore-all: restore command parameters, indicating that all directories and files will be restored.
-J journal, which indicates reading extended logs from a named file.
-B blocknumber indicates that the previously backed up super block is used to open the file system. It is generally used to check whether the existing super block is the current file.
-B blocksize indicates that the data block size is used to open the file system. It is generally used to view known files.


Vi. Practice: extundelete data recovery process
After the deleted data is accidentally deleted, the first thing to do is to detach the disk or disk partition where the deleted data is located. If the data in the root partition of the system is deleted by mistake, you need to enter the system as a single user, and mount the root partition in read-only mode. The reason for this is very simple, because after the file is deleted, only the sector pointer in the inode node of the file is cleared, and the actual file is stored on the disk. If the disk is mounted in read/write mode, the data blocks of these deleted files may be re-allocated by the operating system. After these data blocks are overwritten by new data, the data is actually lost, the restoration tool does not work for days. Therefore, mounting a disk in read-only mode can minimize the risk of data overwriting in data blocks to improve the success rate of data recovery.


6.1 restore a single file through extundelete
1. Simulate an environment where data is accidentally deleted
Before using extundelete to restore data, we must first simulate a data accidental deletion environment. Here we use the ext3 file system as an example. The recovery method in the ext4 file system is exactly the same. A simple simulation process is as follows:


[Root @ cloud1 ~] # Mkdir/data
[Root @ cloud1 ~] # Mkfs. ext3/dev/sdc1
[Root @ cloud1 ~] # Mount/dev/sdc1/data
[Root @ cloud1 ~] # Cp/etc/passwd/data
[Root @ cloud1 ~] # Cp-r/app/ganglia-3.4.0/data
[Root @ cloud1 ~] # Mkdir/data/test
[Root @ cloud1 ~] # Echo "extundelete test">/data/test/mytest.txt
[Root @ cloud1 ~] # Cd/data
[Root @ cloud1 data] # md5sum passwd
0715baf8f17a6c51be63b1c5c0fbe8c5 passwd
[Root @ cloud1 data] # md5sum test/mytest.txt
Eb42e4b3f953ce00e78e11bf50652a80 test/mytest.txt
[Root @ cloud1 data] # rm-rf/data /*
2. Detach a disk partition
After the data is deleted by mistake, immediately you need to detach the disk partition:


[Root @ cloud1 data] # cd/mnt
[Root @ cloud1 mnt] # umount/data
3. query recoverable data information
You can use the extundelete command to query the recoverable data information of the/dev/sdc1 partition:


[Root @ cloud1/] # extundelete/dev/sdc1 -- inode 2
......
File name | Inode number | Deleted status
. 2
.. 2
Lost + found 11 Deleted
Passwd 49153 Deleted
Test 425985 Deleted
Ganglia-3.4.0 245761 Deleted
Based on the above output, the files or directories marked as Deleted are Deleted. At the same time, you can see the inode value of each deleted file, and then you can restore the file.
4. Restore a single file
Run the following command to restore the file:


[Root @ cloud1/] # extundelete/dev/sdc1 -- restore-file passwd
Loading filesystem metadata... 40 groups loaded.
Loading journal descriptors... 54 descriptors loaded.
Successfully restored file passwd
[Root @ cloud1/] # cd RECOVERED_FILES/
[Root @ cloud1 RECOVERED_FILES] # ls
Passwd
[Root @ cloud1 RECOVERED_FILES] # md5sum passwd
0715baf8f17a6c51be63b1c5c0fbe8c5 passwd
The parameter "-- restore-file" is used to restore a single file in extundelete. Note that the file path is restored after "-- restore-file, this path is the relative path of the file. The relative path is relative to the original file storage path. For example, if the original file storage path is/data/passwd, you can directly specify the passwd file after the parameter, if the original file storage path is/data/test/mytest.txt, use "test/mytest.txt" after the parameter.
After the file is restored successfully, the extundelete command creates a RECOVERED_FILES directory in the current directory where the command is executed by default. This directory is used to store the recovered files, therefore, the current directory for executing the extundelete command must be writable.
According to the above output, the md5sum command is used for verification. The verification code is exactly the same as the previous one, indicating that the file is successfully restored.


6.2 restore a single directory through extundelete
Extundelete not only supports restoring a single file, but also supports restoring a single directory. When you need to restore a directory, you can use the "-- restore-directory" option to restore all data in the specified directory.
Continue the operation in the preceding simulated accidentally deleted data environment. Now you want to restore the ganglia-3.4.0 folder under the/data directory. The operation is as follows:


[Root @ cloud1 mnt] # extundelete/dev/sdc1 -- restore-directory/ganglia-3.4.0
Loading filesystem metadata... 40 groups loaded.
Loading journal descriptors... 247 descriptors loaded.
Searching for recoverable inodes in directory/ganglia-3.4.0...
781 recoverable inodes found.
Looking through the directory structure for deleted files...
4 recoverable inodes still lost.
[Root @ cloud1 mnt] # ls
RECOVERED_FILES
[Root @ cloud1 mnt] # cd RECOVERED_FILES/
[Root @ cloud1 RECOVERED_FILES] # ls
Ganglia-1, 3.4.0
You can see that the previously deleted directory ganglia-3.4.0 has been successfully restored. You can check this directory and find that the content and size of all files are normal.


6.3 restore all accidentally deleted data through extundelete
When a large amount of data needs to be restored, it is very heavy and time-consuming to specify files or directories one by one. However, extundelete takes this into consideration, in this case, you can use the "-- restore-all" option to restore all deleted files or folders.
The operation is still performed in the simulated accidentally deleted data environment. Now, you need to restore all the data in the/data directory. the operation procedure is as follows:


[Root @ cloud1 mnt] # extundelete/dev/sdc1 -- restore-all
Loading filesystem metadata... 40 groups loaded.
Loading journal descriptors... 247 descriptors loaded.
Searching for recoverable inodes in directory /...
781 recoverable inodes found.
Looking through the directory structure for deleted files...
0 recoverable inodes still lost.
[Root @ cloud1 mnt] # ls
RECOVERED_FILES
[Root @ cloud1 mnt] # cd RECOVERED_FILES/
[Root @ cloud1 RECOVERED_FILES] # ls
Ganglia-3.4.0 passwd test
[Root @ cloud1 RECOVERED_FILES] # du-sh/mnt/RECOVERED_FILES /*
15 M/mnt/RECOVERED_FILES/ganglia-3.4.0
4.0 K/mnt/RECOVERED_FILES/passwd
8.0 K/mnt/RECOVERED_FILES/test
We can see that all data is completely restored.


6.4 restore data for a certain period of time through extundelete
Sometimes a large amount of data is deleted, and a lot of data is useless. We only need to restore some of the data. At this time, if we adopt the method of restoring all data, it will not only consume time, but also waste resources, in this case, another recovery mechanism needs to be used for selective recovery. extundelete provides the "-after" "and" -- before "parameters, you can specify a time period, then, only the data in this period is restored.
The following is a simple example to describe how to restore data within a certain period of time.
Assume that a newly created ganglia-3.4.0.tar.gz file is in the/datadirectory, delete the file, unmount the/data Partition, and restore the file within one hour. The operations are as follows:


[Root @ cloud1 ~] # Cd/data/
[Root @ cloud1 data] # cp/app/ganglia-3.4.0.tar.gz/data
[Root @ cloud1 data] # date + % s
1379150309
[Root @ cloud1 data] # rm-rf ganglia-3.4.0.tar.gz
[Root @ cloud1 data] # cd/mnt
[Root @ cloud1 mnt] # umount/data
[Root @ cloud1 mnt] # date + % s
1379150340
[Root @ cloud1 mnt] # extundelete -- after 1379146740 -- restore-all/dev/sdc1
Only show and process deleted entries if they are deleted on or after 1379146740 and before 9223372036854775807.
Loading filesystem metadata... 40 groups loaded.
Loading journal descriptors... 247 descriptors loaded.
Searching for recoverable inodes in directory /...
779 recoverable inodes found.
[Root @ cloud1 mnt] # cd RECOVERED_FILES/
[Root @ cloud1 RECOVERED_FILES] # ls
Ganglia-3.4.0.tar.gz
As you can see, the deleted files have been successfully restored, while many deleted files in the/data Directory have not been recovered. This is the result of "-- after" parameter control, because other files in the/data directory were deleted one day ago, And we restored the files that were deleted within one hour. This is why other files were not recovered.
During this operation, note that the time following the "-- after" parameter is a total number of seconds. The start time is "00:00:00 UTC". You can use the "date + % s" command to convert the current time to the total number of seconds, because the data is recovered within one hour, therefore, the value "1379146740" is obtained by "1379150340" minus "60*60 = 3600.
How to restore directories in Linux

Use extundelete to download attachments
Compile
Tar jxvf extundelete-0.2.4.tar.bz2
Cd extundelete-0.2.4
Make
Recover data:
Mount-o remout, ro/dev/sda2 // This action is intended to protect/dev/sda2 data from being overwritten
Restore all deleted
Src/extundelete/dev/sda2 -- restore-all
Restore by time: if the deletion time is about: 30 date-d "oct 8" + % s to get the number of seconds 1381213800 restore all files deleted after this time src/extundelete/dev/sda2 -- after 1381213800 -- restore-all
Restore accidentally deleted folders
Src/extundelete/dev/sda2 -- restore-directory/opt/filebox/box/18
Note !!! The above does not install extundelete, working directory has been in extundelete-0.2.4

The recovered data is under RECOVERED_FILES.




Formatted data recovery in Linux

Formatting in any operating system is not important. It can also be formatted as NTFS in linux. It mainly depends on whether you have written data to the partition after formatting, we recommend that you use the advanced recovery in EASYRECOVERY to restore the data in the non-scoring format.