Linux Data Recovery Tool extundelete

2. Install
   

   Wget https://jaist.dl.sourceforge.net/project/extundelete/extundelete/0.2.4/ extundelete-0.2.4.tar.bz2

   Tar jxvf extundelete-0.2.4.tar.bz2

   CD extundelete-0.2.4/

   ./configure

   [[email protected] extundelete-0.2.4]#./configure
   Configuring Extundelete 0.2.4
   Configure:error : In '/usr/local/src/extundelete-0.2.4 ':
   configure:error:c++ compiler cannot Create executables

   Yum install gcc-c++.x86_64

   [[email protected] extundelete-0.2.4]#./ configure     
   Configuring Extundelete 0.2.4
   

   [[email protected] extundelete-0.2.4]# yum-y Install E2fsprogs-devel

   [[email protected] extundelete-0.2.4]#./configure

   [[email protected] extundelete-0.2.4]# make

   [[email protected] extundelete-0.2.4]# make install

3. Extundelete usage

   [Email protected] ~]# Extundelete--help
   usage:extundelete [Options] [--] Device-file
   Options:
   --version,-[VV] Print version and exit successfully.
   --help, Print this Help and exit successfully.
   --superblock Print contents of Superblock In addition to the rest.
   If no action is specified then this option is implied.
   --journal Show content of journal.
   --after dtime only process entries deleted on or after ' Dtime '.
   --before dtime only process entries deleted before ' Dtime '.
   Actions:
   --inode ino Show info on inode ' ino '.
   --block Blk Show info on block ' blk '.
   --restore-inode Ino[,ino,...]
   Restore the file (s) with known inode number ' ino '.
   The restored files is created in./recovered_files
   With their inode number as extension (ie, file.12345).
   --restore-file ' path ' would restore file ' path '. ' Path ' is relative to root
   of the partition and does not start with a '/'
   The restored file is created in the current
   Directory as ' Recovered_files/path '.
   --restore-files ' path ' would restore files which is listed in the file ' path '.
   Each filename should is in the same format as an option
   To--restore-file, and there should is one per line.
   --restore-directory ' path '
   Would restore directory ' path '. ' Path ' is relative to the
   root directory of the file system. The restored
   Directory is created in the output directory as ' path '.
   --restore-all attempts to restore everything.
   -J journal Reads An external journal from the named file.
   -B blocknumber Uses the backup superblock at Blocknumber when opening
   The file system.
   -B blocksize Uses BlockSize as the block size when opening the file
   System. The number should be the number of bytes.
   --log 0 Make the program silent.
   --log filename Logs all messages to filename.
   --log d1=0,d2=filename Custom Control of log messages with comma-separated
   Examples below:list of options. Dn must be one of info, warn, or
   --log info,error error. Omission of the ' =name ' results in messages
   --log warn=0 with the specified level to being logged to the console.
   --log error=filename If The parameter is ' =0 ', logging for the specified
   Level would be turned off. If the parameter is
   ' =filename ', messages with the level would be written
   to filename.
   -O directory Save the recovered files to the named directory.
   The restored files is created in a directory
   Named ' recovered_files/' by default.

4. Recover individual files with Extundelete

   1. Accidental deletion of simulated data environment

   Take Ext4 file system as an example

   [Email protected] ~]# Mkdir/data

   [Email protected] ~]# MKFS.EXT4/DEV/SDC1

   [Email protected] ~]# mount/dev/sdc1/data/

   [Email protected] ~]# Cp/etc/passwd/data
   [Email protected] ~]# mkdir/data/test

   
   [Email protected] ~]# echo "Extundelete Test" >/data/test/mytest.txt

   [Email protected] data]# md5sum passwd
   F1a0dd6601afdab09a66ab7741c74f66 passwd
   [Email protected] data]# md5sum test/mytest.txt
   EB42E4B3F953CE00E78E11BF50652A80 Test/mytest.txt
   [Email protected] data]# rm-rf/data/*

   2. Unmount the disk partition

   [Email protected] data]# cd/mnt/
   [Email protected] mnt]# Umount/data

   3. Query for recoverable data information

   The Extundelete command allows you to query the recoverable data information of the/DEV/SDC1 partition
   

   [Email protected]/]# EXTUNDELETE/DEV/SDC1--inode 2
   notice:extended attributes is not restored.
   Loading FileSystem metadata ... Groups loaded.
   group:0
   Contents of Inode 2:
   0000 | Ed, xx, XX 94 AA 75 58 | A........uxt.ux
   0010 | Si AA 75 58 00 00 00 00 00 00 02 00 08 00 00 00 | T.ux .......
   0020 | XX 0a f3 01 00 04 00 00 00 | ................
   0030 | At xx xx, d5 21 00 00 | .............!..
   0040 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
   0050 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
   0060 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
   0070 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
   0080 | 1c XX C8 0b 0d C8 0b 0d DC/BF 4b | ............. 6.K
   0090 | B2 A8 75 58 00 00 00 00 00 00 00 00 00 00 00 00 |.. Ux............
   00a0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
   00b0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
   00c0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
   00d0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
   00e0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
   00f0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
   
   Inode is allocated
   File mode:16877
   Low + bits of Owner uid:0
   Size in bytes:4096
   Access time:1484106388
   Creation time:1484106324
   Modification time:1484106324
   Deletion time:0
   Low-bits of Group id:0
   Links Count:2
   Blocks Count:8
   File flags:524288
   File version (for NFS): 0
   File acl:0
   Directory acl:0
   Fragment address:0
   Direct blocks:127754, 4, 0, 0, 1, 8661, 0, 0, 0, 0, 0, 0
   Indirect block:0
   Double Indirect block:0
   Triple Indirect block:0
   
   File name | Inode number | Deleted status
   . 2
   .. 2
   Lost+found Deleted
   passwd Deleted
   Test 128513 Deleted

   According to the above output, marked as deleted state is the deleted file or directory, but also can see each deleted file Inode value, then you can restore the file

   4. Restore a single file

   Execute the following command to start the recovery file

   EXTUNDELETE/DEV/SDC1--restore-file passwd
   

Linux Data Recovery Tool extundelete