Linux is a multi-user, multitasking operating system, so once a file is deleted it is difficult to restore. Although the delete command only marks the file's node as deleted and does not actually clear the file content, other users and any process that writes to the disk will soon overwrite that content. Recovery is still practical, however, on a Linux machine used by a single person at home, or for rescuing a file deleted by mistake.
1. Brief introduction to the Ext2 File System Structure
In the Ext2 file system used by Linux, files are stored in blocks. By default, each block is 1 K in size, and blocks are distinguished by block number. Each file has a node (inode) that holds information such as the file owner, read/write permissions, and file type. For a file with fewer than 12 blocks, the node stores the block numbers of the data blocks directly. If the file contains more than 12 blocks, the node stores, after those 12 block numbers, the block number of an indirect block. The block with that number holds the block numbers of up to 256 data blocks (each block number in Ext2fs occupies 4 bytes, so one block can hold 1024/4 = 256 block numbers). For still larger files, second-level and third-level indirect blocks also appear in the node.
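The addressing scheme just described, as an added example (not code from the original article): the Python below maps a file's logical block number to its direct, single-, double- or triple-indirect slots and counts the indirect blocks a file of a given size needs. It generalizes the 1 K case to any block size, and the function names are hypothetical.

```python
"""ext2 block addressing as described above (added example)."""
DIRECT = 12      # block numbers stored directly in the inode (from the text)
PTR_SIZE = 4     # bytes per block number (from the text)


def locate(n, block_size=1024):
    """Map logical block n of a file to (level, slot indexes).

    level 0 = direct, 1/2/3 = single/double/triple indirect. The indexes
    are the slots followed from the inode's pointer down to the data block.
    """
    if n < 0:
        raise ValueError("logical block number must be >= 0")
    per = block_size // PTR_SIZE           # 1024 / 4 = 256 block numbers
    if n < DIRECT:
        return 0, (n,)
    n -= DIRECT
    for level in (1, 2, 3):
        span = per ** level                # data blocks reachable at this level
        if n < span:
            idx = []
            for depth in range(level - 1, -1, -1):
                idx.append(n // per ** depth)
                n %= per ** depth
            return level, tuple(idx)
        n -= span
    raise ValueError("beyond the triple-indirect range")


def blocks_needed(size, block_size=1024):
    """Return (data_blocks, indirect_blocks) for a file of `size` bytes."""
    per = block_size // PTR_SIZE
    data = -(-size // block_size)          # ceiling division
    remaining = max(0, data - DIRECT)
    indirect = 0
    for level in (1, 2, 3):
        used = min(remaining, per ** level)
        if used == 0:
            break
        # one pointer block per per**k data blocks, for k = 1..level
        indirect += sum(-(-used // per ** k) for k in range(1, level + 1))
        remaining -= used
    if remaining:
        raise ValueError("file too large for ext2 block addressing")
    return data, indirect


if __name__ == "__main__":
    print(locate(11), locate(12), locate(1043))
    print(blocks_needed(149500))
```

A recovery tool has to read every indirect block counted here before it can reach the data blocks behind it, which is why large files are lost sooner once any of those blocks is overwritten.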
2. Restore files deleted by mistake
Most Linux distributions provide a debugfs tool for editing Ext2 file systems. However, there is still some work to do before using this tool.
First, remount the partition that held the deleted file in read-only mode. Run the following command (suppose the file is on the /usr partition):
mount -r -n -o remount /usr
-r indicates read-only mounting; -n indicates that nothing is written to /etc/mtab, so add this parameter if the file being restored is under /etc. If the system says "xxx partition busy", you can run the fuser command to check which processes are using this partition:
If there are no important processes, run the following command to stop them:
Then you can remount these file systems.
If everything is installed in one large partition, you can type linux single at the boot prompt to enter single-user mode, which minimizes the chance of system processes writing data to the hard disk, or simply mount the hard disk on another machine. In addition, do not write the recovered data to /, to avoid damaging useful data. If the host also has DOS/Windows, you can write it to those partitions:
mount -r -n /dev/hda1 /mnt/had
Then you can run debugfs (suppose Linux is on /dev/hda5):
The debugfs prompt appears:
The lsdel command lists information about the deleted files, of which there may be many:
debugfs: lsdel
debugfs: 2692 deleted inodes found.
 Inode  Owner    Mode    Size   Blocks   Time deleted
164821      0  100600    8192    1/  1   Sun May 13 19:22:46 2001
 36137      0  100644       4    1/  1   Tue Apr 24 10:11:15 2001
196829      0  100644  149500   38/ 38   Mon May 27 13:52:04 2001
debugfs: