Restoring deleted files on the Linux ext2 file system

Release Date: 2002-08-08
Article content:
------------------------------------------------------------------------
by deepin@nsfocus.com
http://www.nsfocus.com

This comes from an emergency response case. The customer had collected over 100 messages from the qmail mail server with Foxmail and then deleted them, only to find afterwards that these emails were important, and asked us to help recover them on the mail server.

Because this was remote data recovery, it could only be done over the network. It was impossible to follow the traditional data recovery steps of removing the hard disk, first making a full copy as a backup (in practice the conditions for this almost never exist), then mounting it read-only for recovery, and so on. The work could only be done within the existing conditions.
The partition layout was not very good either: the hard disk was split into just two partitions, /boot and /. The mail system was under /var/qmail, which was therefore actually on the / partition as well.

More than 2-3 hours had passed since the deletion, and the mail system had been working the whole time. Restoring 100% of these mails after that would take divine intervention. I could only do my best.

First, stop the mail system, primarily its SMTP service (mainly anything that might write to the disk), and then select a tool for the recovery.
The following tools are currently available for file recovery under Linux:
http://www.fish.com/tct/
Can recover files on different file system types across a variety of UNIX operating systems (with varying results), including UFS, FFS, ext2 and so on.
The most powerful and the largest in size, and also the most troublesome to operate.


http://recover.sourceforge.net/linux/recover/
Single function, easy to use



http://e2undel.sourceforge.net
http://unc.dl.sourceforge.net/sourceforge/e2undel/e2undel-0.8.tgz

It has an interactive interface for selecting operations. This tool requires installing an e2undel runtime; if the files to be recovered are on the partition that holds /usr, it is best not to use it, lest installing it further damage the files awaiting recovery (you can of course install it to another file system, but given its installation requirements that is also rather troublesome).

unrm
http://packetstormsecurity.com/UNIX/utilities/unrm-0.92.tar.gz
A small tool that actually uses the debugfs command under Linux, simplifying the steps of using debugfs manually.
It has no interactive interface; recovered files are placed directly under a fixed directory.


Given the circumstances this time, large tools that need to be installed were out of the question. I used unrm. In order not to damage the contents of the data partition, I downloaded the tool to the /boot partition. Let's say we need to recover the mail of the user AAA.

Modify the path to mount in this script (originally /usr/sbin/mount; on this system it is /usr/bin).
Check which device holds the / partition: it is /dev/sda2.

./unrm /dev/sda2 -u qmail -s AAA

This restores the user qmail's deleted files that contain the string AAA.
In practice I found that the -s parameter has no effect.

After running ./unrm /dev/sda2 -u qmail, a unrm.recover directory is created automatically under the current directory.
Each recovered file is stored there as unrm.xxxxxx.
Then filter with
grep AAA * | cut -d: -f 1 | uniq
to find these file names, and cp them to the original qmail mail directory (maildir/new).
The result was 35 files recovered, but 4 of them were largely damaged, leaving only 31 fully restored.
I tried collecting mail, and everything was OK.

Judging from this recovery, restoring files on the Linux ext2 file system is much more convenient than it was earlier on Solaris UFS. The main reason is that after deletion on UFS, the blocks of a file no longer have any link relationship, whereas ext2 is somewhat similar to the FAT system: a small file only loses the inode number of its first block, and the blocks after it are still linked. For a large file, the link relationship seems to disappear after a certain number of blocks.
For restoring files on UFS, TCT probably still gives relatively better results.

-----------------------------------------------------

http://www.linuxidc.com/Linux/2008-08/14744.htm


Many people have learned a bitter lesson from rm. It happened to me once too: a program I had spent an afternoon writing was deleted by rm. Fortunately it was just one file, and I quickly wrote it again the next day. But a lot of people may not be as lucky as I was. This article collects some methods for recovering files deleted by rm under Linux, for your reference.

First of all, the best way is to avoid this problem, here are a few suggestions:

1. The consequences of a mistaken rm -rf are terrible; think twice about rm -f as well, and do not use either lightly.

2. Do a good job of backing up your data.

3. Use some strategies to avoid mistakes:

Encourage the use of Tab completion in the shell, and use scripts to carry out tasks, to reduce the chance of error. Or write a script named rm that replaces the real rm with mv, moving whatever would be deleted to a designated directory that is cleaned out regularly.

Can files deleted by rm be recovered?

The rm man page contains the following statement:

Note that if you use rm to delete a file, you can usually still restore the file to its original state. If you want to make sure that the contents of the file cannot be restored, consider using shred.

So in theory, files deleted by rm are still recoverable. Deleting a file only releases the index node (inode) that points to its data blocks; as long as they have not been overwritten, the data is actually still on the hard disk. The key is to find the inode, read the data out of the blocks it points to, and save it to another partition. So the first thing to do after deleting a file with rm by mistake is to make sure that nothing more is written to the partition where the file was deleted.
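The scan described above, as an added example that is not part of the original article or of any of the tools it lists: it walks the inode table of an ext2 image, reports inodes whose deletion time is set, and reads their data back through the direct block pointers only (so files longer than 12 blocks come back truncated). The image, uid 501 and the message text are constructed; the second sample inode has its size and block pointers zeroed, the state ext3 leaves behind, and yields no data.

```python
import struct

EXT2_MAGIC = 0xEF53

def list_deleted(img, uid=None):
    """Return (inode, uid, size, dtime, data) for every inode with dtime set."""
    sb = img[1024:2048]                                   # superblock sits at byte 1024
    if struct.unpack_from("<H", sb, 56)[0] != EXT2_MAGIC:
        raise ValueError("no ext2 superblock magic")
    inodes_count, = struct.unpack_from("<I", sb, 0)
    first_data_block, log_bs = struct.unpack_from("<II", sb, 20)
    inodes_per_group, = struct.unpack_from("<I", sb, 40)
    rev, = struct.unpack_from("<I", sb, 76)
    inode_size = struct.unpack_from("<H", sb, 88)[0] if rev >= 1 else 128
    bs = 1024 << log_bs
    gdt = (first_data_block + 1) * bs                     # group descriptor table
    found = []
    for ino in range(1, inodes_count + 1):
        group, index = divmod(ino - 1, inodes_per_group)
        table, = struct.unpack_from("<I", img, gdt + 32 * group + 8)  # bg_inode_table
        off = table * bs + index * inode_size
        _mode, i_uid, size = struct.unpack_from("<HHI", img, off)
        dtime, = struct.unpack_from("<I", img, off + 20)
        if dtime == 0 or (uid is not None and i_uid != uid):
            continue                                      # live inode or other owner
        ptrs = struct.unpack_from("<12I", img, off + 40)  # direct blocks only
        data = b"".join(img[p * bs:(p + 1) * bs] for p in ptrs if p)[:size]
        found.append((ino, i_uid, size, dtime, data))
    return found

def build_sample_image():
    """Constructed 16-block image with 1 KiB blocks and two deleted inodes."""
    bs, img = 1024, bytearray(1024 * 16)
    struct.pack_into("<I", img, 1024 + 0, 16)             # s_inodes_count
    struct.pack_into("<II", img, 1024 + 20, 1, 0)         # first data block, log block size
    struct.pack_into("<I", img, 1024 + 40, 16)            # s_inodes_per_group
    struct.pack_into("<H", img, 1024 + 56, EXT2_MAGIC)
    struct.pack_into("<I", img, 2 * bs + 8, 5)            # inode table starts at block 5
    mail = b"From: aaa@example.test\n\nconstructed message body\n"
    img[10 * bs:10 * bs + len(mail)] = mail
    a = 5 * bs + 11 * 128                                 # inode 12: ext2-style delete
    struct.pack_into("<HHI", img, a, 0o100600, 501, len(mail))
    struct.pack_into("<I", img, a + 20, 1028764800)       # i_dtime (constructed)
    struct.pack_into("<I", img, a + 40, 10)               # i_block[0] still points at data
    b = 5 * bs + 12 * 128                                 # inode 13: size, pointers zeroed
    struct.pack_into("<HHI", img, b, 0o100600, 501, 0)
    struct.pack_into("<I", img, b + 20, 1028764900)
    return bytes(img), mail
```

On a real system the input would be a read-only copy of the partition, and anything recovered would be written to a different partition.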

Usually we have the following options:

1. Use a tool.

2. Write your own program. You need to be able to program and to understand the file system in question.

3. If the data is very valuable, consider finding a professional company to rescue it.

Tools

1. The Sleuth Kit http://www.sleuthkit.org/sleuthkit/ (Autopsy is one of its graphical front ends)

2. Foremost http://foremost.sourceforge.net

3. FinalData, an all-purpose tool that can restore accidentally deleted files under UNIX/Linux/DOS. For UNIX it supports Solaris, AIX and HP-UX. For Linux it supports the ext2 file system. For DOS it supports the FAT 12/16/32 and NTFS 4/5/5.1 file systems.

4. If the file system is ext2 (these do not work for ext3):

On deletion, ext3 clears the inode data directly, so a deletion on ext3 cannot be reversed (ext3 is designed so that deleted files cannot be recovered).

unrm

ext2ed

debugfs (undel, lsdel)

recover

Midnight Commander (mc)

e2undel

TCT

5. If the file system is FAT32 or NTFS:

EasyRecovery

FinalData

6. On FreeBSD, if rm was used, you can try the undelete command.

7. When a process has a file open, lsof can be used to recover the deleted file, as long as the process keeps the file open.
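Item 7 in practice, as an added example that is not from the original article: it reads the /proc/<pid>/fd links directly instead of calling lsof, finds descriptors whose target is marked "(deleted)", and copies the content out through the descriptor. It assumes a Linux /proc; the file name and content in demo() are constructed, and the current process stands in for the one holding the file open.

```python
import os
import shutil
import tempfile

SUFFIX = " (deleted)"

def deleted_open_files(pid):
    """Return {fd: original_path} for files that pid holds open but that are unlinked."""
    hits = {}
    fd_dir = f"/proc/{pid}/fd"
    for name in os.listdir(fd_dir):
        try:
            target = os.readlink(os.path.join(fd_dir, name))
        except OSError:
            continue                      # descriptor closed while we were scanning
        if target.startswith("/") and target.endswith(SUFFIX):
            hits[int(name)] = target[:-len(SUFFIX)]
    return hits

def recover_fd(pid, fd, dest):
    """Copy the content out via /proc/<pid>/fd/<fd>; dest belongs on another partition."""
    with open(f"/proc/{pid}/fd/{fd}", "rb") as src, open(dest, "wb") as dst:
        shutil.copyfileobj(src, dst)
    return dest

def demo():
    """Constructed scenario: this process is the one that still has the file open."""
    work = os.path.realpath(tempfile.mkdtemp())
    victim = os.path.join(work, "msg.txt")
    with open(victim, "wb") as f:
        f.write(b"constructed mail body\n")
    holder = open(victim, "rb")           # keeps the inode alive after the unlink
    os.unlink(victim)
    hits = deleted_open_files(os.getpid())
    fd = next(n for n, path in hits.items() if path == victim)
    restored = recover_fd(os.getpid(), fd, os.path.join(work, "msg.recovered"))
    holder.close()
    with open(restored, "rb") as f:
        return f.read()
```

Reading another process's descriptors this way requires running as the same user or as root, and the content is gone for good once that process closes the file or exits.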

