Using Extundelete to recover accidentally deleted data in Linux

Source: Internet
Author: User





Recovering mistakenly deleted data from a disk with the extundelete tool






Principle:



A brief introduction to inodes. Under Linux, you can use the "ls -id" command to view the inode number of a file or directory. For example, to view the inode number of the root directory, enter:

[Server-100 shell]# ls -id /
2 /






extundelete does not rely on any particular file format when recovering files. First, it obtains the inode information from the file system (the inode of the root directory is typically 2).

Then it uses the inode information to look up the location of the inode's blocks, including direct blocks and indirect blocks.

Finally, the dd command is used to back up this information and restore the data file.









Installation:






Official website: https://sourceforge.net/projects/extundelete/files/latest/download?source=top3_dlp_t5



[Server-100 src]# yum -y install e2fsprogs-libs e2fsprogs e2fsprogs-devel
[Server-100 src]# rpm -q e2fsprogs-libs e2fsprogs e2fsprogs-devel
[Server-100 src]# tar jxvf extundelete-0.2.4.tar.bz2
[Server-100 src]# cd extundelete-0.2.4
[Server-100 extundelete-0.2.4]# ./configure && make && make install

An executable file is generated once installation is complete.



Use:



[Server-100 src]# extundelete --help

The options are:

--version, -[vV], displays the software version number.
--help, displays the software help information.
--superblock, displays the superblock information.
--journal, displays the journal information.
--after dtime, a time parameter; selects files or directories that were deleted after the given time.
--before dtime, a time parameter; selects files or directories that were deleted before the given time.

The actions are:

--inode ino, displays the information for inode "ino".
--block blk, displays the information for data block "blk".
--restore-inode ino[,ino,...], a restore option; recovers the file(s) with inode number "ino". The recovered files are automatically placed in the RESTORED_FILES folder in the current directory, using the inode number as the extension.
--restore-file 'path', a restore option; restores the file at the specified path. The recovered file is placed in the RECOVERED_FILES directory in the current directory.
--restore-files 'path', a restore option; restores all files listed in 'path'.
--restore-all, a restore option; attempts to restore all directories and files.
-j journal, reads an external journal from the named file.
-b blocknumber, opens the file system using a previously backed-up superblock; typically used to check whether the existing superblock is the one wanted.
-B blocksize, opens the file system with the specified block size; typically used when the block size is already known.












After data has been deleted, the first thing to do is unmount the disk or partition that held the deleted data. If the data was mistakenly deleted from the system root partition, you need to go into single-user mode and mount the root partition read-only.

Reason: when a file is deleted, only the sector pointers in the file's inode are zeroed; the file contents still exist on the disk. If the disk is mounted in read-write mode, the deleted data blocks may be reallocated by the system, and once those blocks are overwritten the data is really lost. So mount it read-only and avoid overwriting the data as far as possible.
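The precaution above can be checked mechanically before extundelete is run. The following shell functions are an added example, not part of the original article: the function names are hypothetical, the mount table is constructed sample data, and the device is assumed to appear in /proc/mounts under the same path that is passed in.

```shell
#!/bin/sh
# Added example (not from the original article). Function names are hypothetical.
# Assumption: the device is listed in /proc/mounts under the path you pass in
# (a /dev/mapper or UUID alias would have to be resolved first).

# Constructed sample in /proc/mounts format, for trying the functions offline.
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /usr/local/src/test ext4 rw,relatime 0 0
/dev/sdc1 /mnt/ro ext4 ro,relatime 0 0
EOF
}

# mount_state DEVICE [MOUNTS_FILE] -> prints: unmounted | ro | rw
# Returns 2 (and prints nothing) if the mount table cannot be read.
mount_state() {
    dev=$1
    mounts=${2:-/proc/mounts}
    [ -r "$mounts" ] || return 2
    state=unmounted
    # Fields: device mountpoint fstype options dump pass
    while read -r src mnt fstype opts rest; do
        [ "$src" = "$dev" ] || continue
        case ",$opts," in
            *,rw,*) state=rw; break ;;  # one read-write mount is enough to be unsafe
            *,ro,*) state=ro ;;
        esac
    done < "$mounts"
    echo "$state"
}

# recovery_precheck DEVICE [MOUNTS_FILE]
# Returns 0 only if the device is unmounted or mounted read-only, so deleted
# blocks cannot be reallocated while recovery runs; returns 1 otherwise.
recovery_precheck() {
    state=$(mount_state "$@") || state=unknown
    case $state in
        unmounted|ro) return 0 ;;
        *) echo "refusing: $1 is $state; umount it or mount -o remount,ro first" >&2
           return 1 ;;
    esac
}
```

A recovery script can call `recovery_precheck /dev/sdb1 || exit 1` as its first step; an unreadable mount table is treated as unsafe rather than as "unmounted".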









Experiment:



In the following experiment, I formatted the disk as an ext4 file system; of course, the same method applies to recovery under an ext3 file system.

First, mount a new partition:

[Server-100 src]# mkfs.ext4 /dev/sdb1
[Server-100 src]# pwd
/usr/local/src/
[Server-100 src]# mkdir test
[Server-100 src]# mount /dev/sdb1 test/
[Server-100 src]# cp /etc/passwd test/
[Server-100 src]# cp -r shell/ test/
[Server-100 src]# mkdir test/yhl
[Server-100 src]# echo "Welcome to test" > test/yhl/1.txt
[Server-100 src]# cd test/
[Server-100 test]# md5sum passwd
b182c9886c816aa0b4fc77ca6585d42e  passwd
[Server-100 test]# md5sum yhl/1.txt
eb39646285ff90dd31f24bd9f0a34257  yhl/1.txt
[Server-100 test]# ls shell/ yhl/
shell/:
6.sh check_system.sh hanyi.sh if2.sh if4.sh new.sh.bak p_s1.sh root.sh yanse.sh yuhulin.sh yunsuan.sh
case.sh chengji.sh if1.sh if3.sh new.sh PPP python.sh test youxi.sh yunsuan-1.sh

yhl/:
1.txt
[Server-100 test]# rm -rf *






Recovery:



1. Unmount the partition the files were deleted from

[Server-100 test]# umount /usr/local/src/test/
umount: /usr/local/src/test: device is busy.
(In some cases useful info about processes that use
the device is found by lsof(8) or fuser(1))

If it reports that the device is busy, it can be unmounted with the following method (fuser -k kills the processes that are using the mount point; -i asks for confirmation before each one):

[Server-100 test]# fuser -m -v -i -k /usr/local/src/test/
[Server-100 ~]# umount /usr/local/src/test/






View the data that can be recovered

[Server-100 ~]# extundelete /dev/sdb1 --inode 2    (because the inode number of the partition's root directory is 2)

File name | Inode number | Deleted status
.           2
..          2
shell       130305         Deleted
passwd                     Deleted
yhl         1042433        Deleted






First, test restoring a single file

[Server-100 ~]# extundelete /dev/sdb1 --restore-file passwd    // --restore-file restores a single file
NOTICE: Extended attributes are not restored.
Loading FileSystem metadata ... 153 groups loaded.
Loading Journal Descriptors ... Descriptors loaded.
Successfully restored file passwd
[Server-100 ~]# cd RECOVERED_FILES/    // this directory is created by default after a successful recovery, and the recovered files are placed under it
[Server-100 RECOVERED_FILES]# ls
passwd
[Server-100 RECOVERED_FILES]# md5sum passwd    // MD5 check: the value is the same as before deletion, indicating a successful recovery
b182c9886c816aa0b4fc77ca6585d42e  passwd






Test restoring a directory

[Server-100 RECOVERED_FILES]# extundelete /dev/sdb1 --restore-directory /shell
NOTICE: Extended attributes are not restored.
Loading FileSystem metadata ... 153 groups loaded.
Loading Journal Descriptors ... Descriptors loaded.
Searching for recoverable inodes in directory /shell ...
Recoverable inodes found.
Looking through the directory structure for deleted files ...
5 recoverable inodes still lost.
[Server-100 RECOVERED_FILES]# ls
passwd  RECOVERED_FILES
[Server-100 RECOVERED_FILES]# cd RECOVERED_FILES/
[Server-100 RECOVERED_FILES]# ls
shell

The directory is there, but there is a problem: the permissions of the restored files differ from what they were before, so the permissions need to be set again (this was the case when I tested).






Recover all data

[Server-100 shell]# extundelete /dev/sdb1 --restore-all
NOTICE: Extended attributes are not restored.
Loading FileSystem metadata ... 153 groups loaded.
Loading Journal Descriptors ... Descriptors loaded.
Searching for recoverable inodes in directory / ...
Recoverable inodes found.
Looking through the directory structure for deleted files ...
1 recoverable inodes still lost.
[Server-100 shell]# cd RECOVERED_FILES/
[Server-100 RECOVERED_FILES]# ls
passwd  shell  yhl
[Server-100 yhl]# ls
1.txt
[Server-100 yhl]# cat 1.txt
Welcome to test
[Server-100 yhl]# md5sum 1.txt
eb39646285ff90dd31f24bd9f0a34257  1.txt
[Server-100 shell]# du -sh RECOVERED_FILES/*
4.0K  RECOVERED_FILES/passwd
96K  RECOVERED_FILES/shell
8.0K  RECOVERED_FILES/yhl

As you can see, the data was recovered successfully.






This article is from the "Sunshineboy" blog, make sure to keep this source http://sunshineboy.blog.51cto.com/10310940/1766207


