Introduction to Undeleting Files on a Linux File System

Source: Internet
Author: User
This article describes how to recover deleted files on a Linux file system.
Linux is a multi-user, multitasking operating system, and once a file is deleted it is difficult to restore. Although the delete command only marks the file's inode as deleted and does not actually clear the file contents, other users and processes that write to the disk will soon overwrite the data. However, on a Linux machine used by a single person at home, or if you act promptly after deleting a file by mistake, the file can still be recovered.
  
   1. Brief introduction to the Ext2 File System Structure
  
In the Ext2 file system used by Linux, files are stored in blocks. By default each block is 1 K, and blocks are identified by block number. Each file has an inode that holds information such as the file owner, read/write permissions, and file type. For a file of fewer than 12 blocks, the block numbers of its data blocks are stored directly in the inode. If the file has more than 12 blocks, the inode stores, after those 12 block numbers, the block number of an indirect block. The block at that indirect block number holds the block numbers of 256 data blocks (each block number in Ext2fs occupies 4 bytes, so one block can hold 1024/4 = 256 of them). For still larger files, the inode also has second-level and third-level indirect blocks.
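The addressing scheme just described, worked through in code. This is an added example, not part of the original article; the function names locate and blocks_needed are hypothetical, and the 1 K block size and 4-byte block numbers are the values given above.

```python
DIRECT = 12  # block numbers held directly in the inode


def locate(n, block_size=1024):
    """Map logical block n of a file to (level, slots).

    level 0 is a direct slot in the inode, 1 the single indirect block,
    2 and 3 the second- and third-level indirect blocks. slots lists the
    entry to follow in each pointer block on the way to the data block.
    """
    per = block_size // 4              # block numbers per block (256 at 1 K)
    if n < 0:
        raise ValueError("negative block index")
    if n < DIRECT:
        return 0, [n]
    n -= DIRECT
    for level in (1, 2, 3):
        span = per ** level            # data blocks reachable at this level
        if n < span:
            slots = []
            for depth in range(level - 1, -1, -1):
                slots.append(n // per ** depth)
                n %= per ** depth
            return level, slots
        n -= span
    raise ValueError("beyond the third-level indirect range")


def blocks_needed(size, block_size=1024):
    """Return (data_blocks, pointer_blocks) for a file of size bytes."""
    per = block_size // 4
    data = -(-size // block_size)      # ceiling division
    rest = data - DIRECT
    pointer_blocks = 0
    for level in (1, 2, 3):
        if rest <= 0:
            break
        here = min(rest, per ** level)
        # one pointer block per started group at each depth of this tree
        pointer_blocks += sum(-(-here // per ** k) for k in range(1, level + 1))
        rest -= here
    if rest > 0:
        raise ValueError("file too large for this block size")
    return data, pointer_blocks
```
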
  
   2. Restoring files deleted by mistake

Most Linux distributions provide debugfs, a tool for editing Ext2 file systems. Some preparation is needed before using it.

First, remount the partition that held the deleted file in read-only mode (assuming here that the file was on the /usr partition):

    mount -r -n -o remount /usr

-r mounts the partition read-only; -n keeps the mount from being recorded in /etc/mtab, so add this option if the files to be restored are under /etc. If the system reports "xxx partition busy", use the fuser command to see which processes are using the partition:

    fuser -v -m /usr

If none of them are important processes, stop them with:

    fuser -k -v -m /usr

Then you can remount the file system.
  
If everything is installed in one large partition, you can type linux single at the boot prompt to enter single-user mode, which minimizes the chance of system processes writing to the hard disk, or simply attach the hard disk to another machine. In addition, do not write the recovered data to /, to avoid damaging useful data. If the host also has DOS/Windows partitions, you can write the recovered data there:

    mount -n /dev/hda1 /mnt/hda    # no -r here: this partition receives the recovered files

Then run debugfs (assuming the Linux file system is on /dev/hda5):

    # debugfs /dev/hda5

The debugfs: prompt appears. The lsdel command lists information about the deleted files:

    debugfs: lsdel

    debugfs: 2692 deleted inodes found.
  
    Inode   Owner  Mode    Size    Blocks  Time deleted
    164821  0      100600  8192    1/1     Sun May 13 19:22:46
    .............................................................................................
    36137   0      100644  4       1/1     Tue Apr 24 10:11:15 2001
    196829  0      100644  149500  38/38   Mon May 27 13:52:04 2001

    debugfs:
  
Many files are listed (2692 were found here). The first field is the inode number, the second is the file owner, the third is the mode (read/write permissions), followed by the file size, the number of blocks occupied, and the deletion time. From the file size and deletion date we can work out which entry we need. For example, to restore the file with inode 196829, first check its status:

    debugfs: stat <196829>
  
    Inode: 196829 Type: regular Mode: 0644 Flags: 0x0 Version: 1
    User: 0 Group: 0 Size: 149500
    File ACL: 0 Directory ACL: 0
    Links: 0 Blockcount: 38
    Fragment: Address: 0 Number: 0 Size: 0
    Ctime: 0x31a9a574 -- Mon May 27 13:52:04 2001
    Atime: 0x31a21dd1 -- Tue May 21 20:47:29 2001
    Mtime: 0x313bf4d7 -- Tue Mar 5 08:01:27 2001
    Dtime: 0x31a9a574 -- Mon May 27 13:52:04 2001
    BLOCKS:
    594810 594811 594814 594815 594816 594817
    ........................................
    TOTAL: 38
  
Then use the dump command to restore the file:

    debugfs: dump <196829> /mnt/hda/01.sav

The file is now restored. Exit debugfs:

    debugfs: quit
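With thousands of deleted inodes, picking candidates by eye is slow. The following added example (not from the original article) parses lsdel output, keeps entries by size and deletion date, and emits dump requests in the syntax used above. The sample listing and the names parse_lsdel and dump_commands are constructed for illustration; the Blocks column is read as free/total, so only inodes whose blocks are all still unallocated are selected.

```python
import re
from datetime import datetime

# Constructed sample in the column layout lsdel prints (not from a real disk).
SAMPLE = """\
 Inode  Owner  Mode    Size      Blocks   Time deleted
 36137      0 100644      4      1/     1 Tue Apr 24 10:11:15 2001
164900      0 100644  20480     12/    20 Sun May 13 19:22:46 2001
196829      0 100644 149500     38/    38 Mon May 27 13:52:04 2001
3 deleted inodes found.
"""

ROW = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+([0-7]+)\s+(\d+)\s+(\d+)/\s*(\d+)\s+(.+?)\s*$")


def parse_lsdel(text):
    """Return one dict per deleted inode; header and summary lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        # Drop the weekday name, then parse the rest of the timestamp.
        stamp = m.group(7).split(None, 1)[1]
        rows.append({
            "inode": int(m.group(1)),
            "owner": int(m.group(2)),
            "mode": int(m.group(3), 8),       # mode is printed in octal
            "size": int(m.group(4)),
            "free": int(m.group(5)),          # blocks not yet reallocated
            "total": int(m.group(6)),
            "deleted": datetime.strptime(stamp, "%b %d %H:%M:%S %Y"),
        })
    return rows


def dump_commands(rows, dest, min_size=0, since=datetime.min):
    """Build debugfs dump requests for fully recoverable candidates."""
    return [
        "dump <%d> %s/inode_%d.sav" % (r["inode"], dest, r["inode"])
        for r in rows
        if r["free"] == r["total"]            # skip partly overwritten files
        and r["size"] >= min_size
        and r["deleted"] >= since
    ]
```

The returned lines can be saved to a file and run in one pass with debugfs -f against the read-only partition.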
  
Another method is to edit the inode by hand:

    debugfs: mi <196829>
    Mode [0100644]
    User ID [0]
    Group ID [0]
    Size [149500]
    Creation time [0x31a9a574]
    Modification time [0x31a9a574]
    Access time [0x31a21dd1]
    Deletion time [0x31a9a574] 0
    Link count [0] 1
    Block count [38]
    File flags [0x0]
    Reserved1 [0]
    File acl [0]
    Directory acl [0]
    Fragment address [0]
    Fragment number [0]
    Fragment size [0]
    Direct Block #0 [594810]
    ..................................
    Triple Indirect Block [0]
  
The mi command displays one field at a time for editing; press Enter to accept the fields you are not changing. Change the deletion time to 0 (not deleted) and change Link count to 1. After making the changes, exit debugfs:

    debugfs: quit

Then use fsck to check /dev/hda5:

    fsck /dev/hda5

fsck will find the lost data blocks and put them in lost+found. The files in that directory are the ones we want.