How can data be recovered efficiently under Linux? Extundelete help you, Extundelete application

First, how to use the "RM-RF" command

Under the Linux system, the command "RM-RF" can remove any data directly from the hard drive, without any hint, and Linux does not have the same function as Windows Recycle Bin, which means that the data cannot be recovered by conventional means after deletion. So use this command very carefully. When using the RM command, it is safer to put the command parameters behind, so that there is a reminder. In fact, there is a way, that will be deleted by the MV command to move to the system under the/tmp directory, and then write a script to perform regular cleanup operations, which can reduce the risk of accidentally deleting data to some extent.

In fact, the best way to ensure data security is to do backup, although the backup is not omnipotent, but no backup is absolutely not. Any data recovery tool has some limitations, can not guarantee the complete recovery of all the data, therefore, the backup as the core, the data Recovery tool as a support is the operational personnel must adhere to a guideline.


Similarities and differences of Extundelete and Ext3grep

Under Linux, there are a lot of data recovery tools based on open source, Common Debugfs, R-linux, Ext3grep, Extundelete, etc., more commonly used ext3grep and Extundelete, the two tools of the restoration of the basic same principle, Just Extundelete function is more powerful, this article focuses on the use of Extundelete.


The restoration principle of extundelete

Before introducing the use of extundelete to recover data, briefly introduce the knowledge about the inode. Under Linux, you can view the Inode value of a file or directory through the "Ls–id" command, for example, to view the Inode value of the root directory, and enter:


[Root@cloud1 ~]# Ls-id/
2/

Therefore, the inode value of the root directory is 2.

When you use Extundelete to recover files without relying on a particular file format, first extundelete will obtain information about all the files in the current file system, including existing and deleted files, through the file system's Inode information (typically 2 in the root directory). This information includes the filename and inode. Then, the inode information is used to query the block location of the inode, including direct blocks, indirect blocks and so on. Finally, the DD command is used to back up the information to recover the data file.


Iv. installation of Extundelete

Extundelete's official website is http://extundelete.sourceforge.net/, whose current stable version is extundelete-0.2.4. , you need to install the e2fsprogs and e2fsprogs-libs two dependent packages before installing Extundelete.

E2fsprogs and E2fsprogs-libs installation is very simple, do not introduce here. The following is the compile-and-install process for Extundelete:


[Root@cloud1 app] #tar jxvf extundelete-0.2.4.tar.bz2
[Root@cloud1 app] #cd extundelete-0.2.4
[Root@cloud1 Extundelete-0.2.4]#./configure
[Root@cloud1 extundelete-0.2.4] #make
[ROOT@CLOUD1 extundelete-0.2.4] #make Install

After the Extundelete is successfully installed, a extundelete executable file is generated in the system. The use of Extundelete is very simple, and readers can use the "Extundelete--help" to obtain this software.


Five, Extundelete usage detailed explanation

After the Extundelete installation is complete, you can perform a data recovery operation, and this section details the meaning of extundelete each parameter. Extundelete usage is as follows:
Extundelete--help

Command format:

1
extundelete [options] [action] Device-file
Where the parameters (options) are:
--version,-[VV], displays the software version number.
--help, display software help information.
--superblock, display super block information.
--journal, display log information.
--after Dtime, a time parameter, indicating a file or directory that has been deleted after a certain period of time.
--before Dtime, a time parameter, indicating a file or directory that has been deleted before a certain period of time.


Actions (action) are:
--inode Ino, displays the node "Ino" information.
--block Blk, displays the information of the block "blk".
--restore-inode Ino[,ino,...], restores the command parameters, represents the recovery node "ino" file, the recovered files are automatically placed in the Restored_files folder in the current directory, and the node number is used as the extension.
--restore-file ' path ' restores the command parameter, indicating that the file will be restored to the specified path and that the recovered file is placed in the Recovered_files directory under the current directory.
--restore-files ' path ' restores the command parameters, indicating that all files listed in the path will be restored.
--restore-all, restores the command parameters, indicating that all directories and files will be tried to recover.
-j Journal, which indicates that the extended log is read from a named file.
-B blocknumber, which represents using a previously backed up super block to open a file system, typically to see if an existing super block is the currently required file.
-B blocksize, which means that the file system is opened using a block size, which is typically used to view files that have been known to size.


Vi. actual combat: The process of extundelete data recovery

After the data is mistakenly deleted, the first time to do is to uninstall the deleted data on the disk or partition, if the system root partition of the data is mistakenly deleted, you need to enter the system into a single user, and the root partition in read-only mode mount. The reason for this is simple, because after you delete the file, simply by zeroing the sector pointer in the file's Inode node, the actual file is also stored on disk, and if the disk is mounted in read-write mode, the data blocks of the deleted files may be reassigned by the operating system, after the data blocks are overwritten by the new data, The data is really lost and the recovery tool is back to power. Therefore, mounting a disk in read-only mode minimizes the risk of data being overwritten in a block of data to increase the rate at which data is successfully recovered.


6.1 Recover a single file via Extundelete

1. Analog data mistakenly delete environment

Before demonstrating the recovery of data through Extundelete, we first want to simulate a data deletion environment, where we take the Ext3 file system as an example, and the Ext4 file system restores exactly the same way. The simple simulation operation process is as follows:


[ROOT@CLOUD1 ~] #mkdir/data
[ROOT@CLOUD1 ~] #mkfs. EXT3/DEV/SDC1
[ROOT@CLOUD1 ~] #mount/dev/sdc1/data
[Root@cloud1 ~]# Cp/etc/passwd/data
[Root@cloud1 ~]# cp-r/app/ganglia-3.4.0/data
[Root@cloud1 ~]# Mkdir/data/test
[Root@cloud1 ~]# echo "Extundelete Test" >/data/test/mytest.txt
[ROOT@CLOUD1 ~] #cd/data
[Root@cloud1 data]# md5sum passwd
0715BAF8F17A6C51BE63B1C5C0FBE8C5 passwd
[Root@cloud1 data]# md5sum Test/mytest.txt
EB42E4B3F953CE00E78E11BF50652A80 Test/mytest.txt
[Root@cloud1 data]# rm-rf/data/*

2. Uninstall Disk Partitions

After the data is mistakenly deleted, the immediate thing to do is to uninstall the partition:


[ROOT@CLOUD1 data] #cd/mnt
[Root@cloud1 mnt]# Umount/data

3. Query recoverable data information

The Extundelete command allows you to query the recoverable data information for a/DEV/SDC1 partition:


[Root@cloud1/]# EXTUNDELETE/DEV/SDC1--inode 2
......
File name | Inode number | Deleted status
. 2
.. 2
Lost+found Deleted
passwd 49153 Deleted
Test 425985 Deleted
ganglia-3.4.0 245761 Deleted

According to the output above, files or directories that have been deleted are marked as deleted. You can also see the inode value for each deleted file, and then you can recover the file.

4. Recover a single file

Start the recovery file by executing the following command:


[Root@cloud1/]# EXTUNDELETE/DEV/SDC1--restore-file passwd
Loading FileSystem metadata ... Groups loaded.
Loading Journal Descriptors ... Descriptors loaded.
Successfully restored file passwd
[Root@cloud1/]# CD recovered_files/
[Root@cloud1 recovered_files]# ls
passwd
[Root@cloud1 recovered_files]# md5sum passwd
0715BAF8F17A6C51BE63B1C5C0FBE8C5 passwd

Extundelete the parameter to recover a single file is "--restore-file", it should be noted that "--restore-file" is followed by the recovery file path, which is the relative path of the file. Relative path is relative to the original file storage path, for example, the original file storage path is/DATA/PASSWD, then directly after the parameter to specify the passwd file, if the original file storage path is/data/test/ Mytest.txt, then specify it by "Test/mytest.txt" after the argument.

After the file is successfully restored, the Extundelete command creates a recovered_files directory in the current directory of the execution command, which is used to store the recovered files, so the current directory that executes the Extundelete command must be writable.

According to the above output, through the md5sum command checksum, the checksum code is exactly the same as before, indicating the successful recovery of the file.


6.2 Recover a single directory via Extundelete

In addition to supporting the recovery of individual files, Extundelete also supports the recovery of a single directory, with the "--restore-directory" option to recover all the data for the specified directory when the directory needs to be restored.

Continue to operate in the simulated error removal data environment above, and now to restore the ganglia-3.4.0 folder in the/data directory, the operation is as follows:


[Root@cloud1 mnt]# EXTUNDELETE/DEV/SDC1--restore-directory/ganglia-3.4.0
Loading FileSystem metadata ... Groups loaded.
Loading Journal Descriptors ... 247 descriptors loaded.
Searching for recoverable inodes in directory/ganglia-3.4.0 ...
781 recoverable inodes found.
Looking through the directory structure for deleted files ...
4 recoverable inodes still lost.
[Root@cloud1 mnt]# ls
Recovered_files
[Root@cloud1 mnt]# CD recovered_files/
[Root@cloud1 recovered_files]# ls
ganglia-3.4.0

You can see that the previously deleted directory ganglia-3.4.0 has been successfully restored and entered this directory check found that all file contents and sizes are normal.


6.3 Recover all mistakenly deleted data via Extundelete

When you need to recover more data, assigning files or directories one at a time is a very heavy and time-consuming task, but Extundelete takes this into account, you can recover all deleted files or folders with the "--restore-all" option.

Still in the above simulated error removal Data Environment operation, now to restore all the data in the/data directory, the operation process is as follows:


[Root@cloud1 mnt]# EXTUNDELETE/DEV/SDC1--restore-all
Loading FileSystem metadata ... Groups loaded.
Loading Journal Descriptors ... 247 descriptors loaded.
Searching for recoverable inodes in directory/...
781 recoverable inodes found.
Looking through the directory structure for deleted files ...
0 recoverable inodes still lost.
[Root@cloud1 mnt]# ls
Recovered_files
[Root@cloud1 mnt]# CD recovered_files/
[Root@cloud1 recovered_files]# ls
ganglia-3.4.0 passwd Test
[Root@cloud1 recovered_files]# du-sh/mnt/recovered_files/*
15m/mnt/recovered_files/ganglia-3.4.0
4.0k/mnt/recovered_files/passwd
8.0k/mnt/recovered_files/test
You can see that all the data is fully recovered.


6.4 Recover data for a time period through Extundelete

Sometimes deleting a large amount of data, many of which are useless, and we only need to restore some of the data, at this point, if the recovery of the full data is not only time-consuming, but also a waste of resources, in this case, we need to adopt another recovery mechanism for selective recovery, Extundelete provides "-after" and "--before" parameters that allow you to restore only the data within that time period by specifying a time period.

The following is a simple example that describes how to recover data from a time period.

Let's first assume that there is a compressed file ganglia-3.4.0.tar.gz just created in the/data directory, then delete the file, then uninstall the/data partition and start restoring the files within an hour, as follows:


[ROOT@CLOUD1 ~] #cd/data/
[Root@cloud1 data]# Cp/app/ganglia-3.4.0.tar.gz/data
[Root@cloud1 data]# Date +%s
1379150309
[Root@cloud1 data]# RM-RF ganglia-3.4.0.tar.gz
[Root@cloud1 data]# Cd/mnt
[Root@cloud1 mnt]# Umount/data
[Root@cloud1 mnt]# Date +%s
1379150340
[Root@cloud1 mnt]# extundelete--after 1379146740--RESTORE-ALL/DEV/SDC1
Only show and process deleted entries if they are deleted in or after 1379146740 and before 9223372036854775807.
Loading FileSystem metadata ... Groups loaded.
Loading Journal Descriptors ... 247 descriptors loaded.
Searching for recoverable inodes in directory/...
779 recoverable inodes found.
[Root@cloud1 mnt]# CD recovered_files/
[Root@cloud1 recovered_files]# ls
Ganglia-3.4.0.tar.gz


Can see that just deleted the file, the recovery was successful, and a lot of the deleted files were not recovered in the/data directory, which is the result of the "--after" parameter control, because the/data directory was deleted a day ago, and we recovered the files that were deleted within one hours. , which is why no other deleted files have been recovered.

In this operation, it is necessary to note that the time followed by the "--after" parameter is the total number of seconds. Starting time is "1970-01-01 00:00:00 UTC", the "date +%s" command to convert the current time to total seconds, because the recovery is one hours of data, so "1379146740" is the value of "1379150340" minus 60 *60=3600 "obtained.