The principle is that deleting a file does not actually erase its data from the hard disk; only the relevant information in the inode index is removed. Therefore, to restore a deleted file you only need to find the blocks it occupied.
The following method was tested on the ext3 file system; it has not been tried on ext2. Assume that the deleted file is located on /dev/sda5.
Debugfs
1. Run debugfs to enter its debugging mode.
2. Run open /dev/sda5.
3. Run ls -d dir to list the most recent operations on this directory. The deletion record is displayed as <num>.
4. Run logdump -i <num> to display the log content.
5. Find the block corresponding to the deleted file in the output and record its block ID (blockid).
6. Exit debugfs and run dd if=/dev/sda5 of=/tmp/saved bs=1024 count=1 skip=blockid.
At this point the deleted file is restored. This method has a problem, however: a large file occupies multiple blocks, which makes the operation more troublesome.
debugfs is awkward to use in debugging mode. However, it supports the -R option, so it can be run from the shell: use multiple -R options to chain the commands to be executed. If a command takes a parameter, enclose the command in double quotes (""); otherwise the shell may fail to parse it.
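The steps above in non-interactive form, together with a multi-block version of the dd step for the large-file case. This is an added example, not part of the original article. The function names are hypothetical, NUM is assumed to be the number shown inside <num>, and the demo runs on a constructed image file rather than a real partition.

```shell
#!/bin/sh
# Added example; device, directory and block IDs are supplied by the caller.

# ls -d step without the interactive prompt. The whole request is one
# double-quoted argument, otherwise the shell splits it before debugfs sees it.
list_deleted() {   # list_deleted DEV DIR
    debugfs -R "ls -d $2" "$1"
}

# logdump step; NUM is the number shown inside <num> by list_deleted.
dump_journal() {   # dump_journal DEV NUM
    debugfs -R "logdump -i <$2>" "$1"
}

# Multi-block form of the dd step: copy each block ID, in the order given,
# from SRC and append it to OUT. BS is in bytes (1024 in the article's command).
recover_blocks() { # recover_blocks SRC OUT BS BLOCKID...
    src=$1; out=$2; bs=$3; shift 3
    : > "$out" || return 1
    for blk in "$@"; do
        case $blk in
            ''|*[!0-9]*) echo "bad block id: $blk" >&2; return 2 ;;
        esac
        dd if="$src" bs="$bs" skip="$blk" count=1 2>/dev/null >> "$out" || return 1
    done
    # A block past the end of SRC yields no data; treat that as a failure.
    got=$(( $(wc -c < "$out") ))
    [ "$got" -eq $(( bs * $# )) ] || { echo "short read: $got bytes" >&2; return 3; }
}

# Demo on a constructed 4-block image (blocks filled with A, B, C, D).
demo() {
    d=$(mktemp -d) || return 1
    for c in A B C D; do head -c 1024 /dev/zero | tr '\0' "$c"; done > "$d/img"
    recover_blocks "$d/img" "$d/saved" 1024 3 1 && wc -c < "$d/saved"
    rc=$?; rm -rf "$d"; return $rc
}
demo
```

On a real partition, write the output to a different file system than the one being recovered, so that the saved data does not overwrite the blocks still to be read.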
TestDisk is a useful tool. It was previously used to back up and restore the system's partition tables, but not to restore files. If problems come up in the future, it is worth a try.
http://www.cgsecurity.org/wiki/TestDisk_Download