Virtual machines: VMware Workstation 9.0.2
Operating system: CentOS6.3 x64
extundelete:extundelete-0.2.4
First. TEST environment
1. First turn off SELinux
# Setenforce 0
# Vi/etc/sysconfig/selinux
---------------
Selinux=disabled
---------------
2. Create a 2G disk on the virtual machine
3. Enter the system to create a 2G primary partition
# FDISK/DEV/SDB
---------------------
n+p+1+ Enter + Enter +W
---------------------
4. Enable the partition to take effect without restarting
# partx-a/dev/sdb
5. Format and mount the EXT4 partition
# MKFS.EXT4/DEV/SDB1
# Mkdir/data
# Mount/dev/sdb1/data
Note: During the actual online recovery process, do not install the Extundelete to the hard disk where you mistakenly deleted the files, so there is a chance that the data that needs to be recovered will be completely overwritten.
It is recommended to add a hard drive to install Extundelete to this hard drive, and then do the following.
Second. Extundelete Installation
1. Installing dependent Packages
# yum Install e2fsprogs*-y
2. Download and install Extundelete
# wget HTTP://NCHC.DL.SOURCEFORGE.NET/PROJECT/EXTUNDELETE/EXTUNDELETE/0.2.4/EXTUNDELETE-0.2.4.TAR.BZ2
# TAR-JXVF EXTUNDELETE-0.2.4.TAR.BZ2
# CD extundelete-0.2.4
#./configure--prefix=/usr/local/extundelete
# Make && make install
3. Verify that the installation is successful
# Cd/usr/local/extundelete/bin
#./extundelete-v
---------------------
Extundelete version 0.2.4
LIBEXT2FS version 1.41.12
Processor is little endian.
---------------------
4. Setting Environment variables
# echo "Path=/usr/local/extundelete/bin: $PATH" >>/etc/profile
# echo "Export PATH" >>/etc/profile
# Source/etc/profile
5. Upload some pictures, install packages and other files to the/data directory
# Cd/data
# yum Install Lrzsz-y
# RZ
-------------
Local files .....
-------------
# ls
------------------
Lost+found mysql-5.6.10.tar.gz nginx.conf pic.jpg
------------------
6. Delete all
# RM-RF *
7. View deleted files
1). To uninstall the disk partition before you view it
# CD ~
# UMOUNT/DEV/SDB1
2). View Files
Note: When a partition is typically mounted to a directory, the Inode value for this "root" directory is 2
We look at all the files in the root directory, so we're looking at this section of partition Inode 2.
# EXTUNDELETE/DEV/SDB1--inode 2
--------------------------------
.....
File name | Inode number | Deleted status
. 2
.. 2
Lost+found Deleted
Mysql-5.6.10.tar.gz Deleted
Nginx.conf Deleted
Pic.jpg Deleted
--------------------------------
Note: Files marked "Deleted" are deleted files
8. Restore the specified file
Note: The default deleted file will revert to the Recovered_files directory in the current directory.
# Extundelete--restore-file PIC.JPG/DEV/SDB1
# CD Recovered_files/
# LL
----------------
-rw-r--r--1 root root 52592 August 07:18 pic.jpg
----------------
9. Fully recover files on the device
# Extundelete--RESTORE-ALL/DEV/SDB1
# LL
-----------------------------------
Total dosage 34464
-rw-r--r--1 root root 35174149 August 07:24 mysql-5.6.10.tar.gz
-rw-r--r--1 root root 4551 August 07:24 nginx.conf
-rw-r--r--1 root root 52592 August 07:18 pic.jpg
-rw-r--r--1 root root 52592 August 07:24 pic.jpg.v1
-----------------------------------
Note: The full recovery here does not overwrite the previously restored pic.jpg file, but instead renames it to PIC.JPG.V1
10. Deleted file After restore specified point in time
1). Specify a point in time
# date-d "Sep 4 03:09:13" +%s
------------------
1378235353
------------------
2). Restore files after this point in time
# extundelete--restore-all--after "1378235353"/dev/sdb1
--------------------
..........
--------------------
Note: Use the before parameter if you want to restore the previous. The Extundelete command, used in conjunction with after, is useful for recovering, filtering out too-old files and reducing the recovery pressure.
11. Check whether the recovery is successful
# md5sum Recovered_files/mysql-5.6.10.tar.gz
------------------------------------
9dcee911fb4bc7e977a6b63f4d3ffa63 recovered_files/mysql-5.6.10.tar.gz
------------------------------------
Upload the MySQL installation package that you just mistakenly deleted
# RZ
...
# md5sum Mysql-5.6.10.tar.gz
---------------------------------
9dcee911fb4bc7e977a6b63f4d3ffa63 mysql-5.6.10.tar.gz
---------------------------------
MD5 value Same, restore success ...
-----------Done-------------
Extundelete Anti-delete summary
I. Introduction of Extundelete
1.extundelete File Recovery Tool, the most force of the tool is to support EXT3/EXT4 dual-format partition recovery.
2. During the actual online recovery process, do not install the Extundelete to the hard disk where you mistakenly deleted the files, so there is a chance to completely overwrite the data that needs to be recovered.
3. Extundelete still has a lot of incompleteness, and the recovery based on the entire disk is more powerful, and the recovery based on directories and files is not strong enough.
4. Extundelete after execution, in the current directory to produce a recovered_files directory, which is the recovered files, also includes folders.
5. Any File recovery tool, before use, will be restored to the partition to unload or mount as read-only, to prevent data being overwritten use.
Umount/dev/partition
Mount-o remount,ro/dev/partition
6. Maintaining good habits is definitely easier than recovering data.
Second, installation
0.yum Install e2fsprogs* e2fslibs*-y
1.wget http://nchc.dl.sourceforge.net/project/extundelete/extundelete/0.2.4/extundelete-0.2.4.tar.bz2
2.TAR-AXF extundelete-0.2.4.tar.bz2-c/USR/LOCAL/SRC
3.cd/usr/local/src/extundelete-0.2.4
4../configure--prefix=/usr/local/extundelete
5.make
6.make Install
7.ln-s/usr/local/extundelete/bin/*/usr/local/bin/
Iii. use and Order 1. Umount or Read only partition
Umount/dev/partition
Mount-o remount,ro/dev/partition
2. Switch to the directory where the recovered files are stored
CD $dir
3. Command
usage:extundelete [Options] [--] Device-file
Options:
--superblock Prints the Super block information for the specified partition. If you do not add any parameters,
This option is the default.
Extundelete--superblock/dev/sda3 <---> extundelete/dev/sda1
--journal Displays the log information for the block, with--superblock.
Extundelete--journal/dev/sda1
--after Dtime only after the specified time "Dtime" (timestamp) is restored, the deleted data
If the time of deletion is about 2011-7-26 14:30
Date-d "Jul 14:30" +%s
Number of seconds 1234567890
Recover all files deleted after this time
EXTUNDELETE/DEV/SDB1--after 1234567890--restore-all
--before Dtime only restores the specified time "Dtime" (timestamp) before the deleted data
Actions:
--inode Ino displays information about the inode for x in a partition, typically viewing all the files under that partition.
Extundelete--inode 2/dev/sda1
--block BLK Displays information about the block X for a partition.
--restore-inode Ino[,ino,...] Restores one or more files of the specified inode number, the recovered file,
Saved in the current directory in the Recovered_files, the file name is "file. $inode"
EXTUNDELETE/DEV/SDA1--restore-inode 13,14
--restore-file ' filename ' restores the specified file (deleted), the file is located in the current directory
The recovered_files/$filename, the file name or the original
EXTUNDELETE/DEV/SDA1--restore-file initramfs-2.6.32-358.el6.x86_64.img
--restore-files ' Read_filename ' restores the contents of the specified file (the real existence),
The file is located in the current directory of the recovered_files/$filename, the file name or the original
VI test_restore.txt (no extra space at the end)
System.map-2.6.32-358.el6.x86_64
Config-2.6.32-358.el6.x86_64
Symvers-2.6.32-358.el6.x86_64.gz
Vmlinuz-2.6.32-358.el6.x86_64
Initramfs-2.6.32-358.el6.x86_64.img
EXTUNDELETE/DEV/SDA1--restore-files Test_restore.txt
--restore-directory ' Dir-name ' restores the specified directory, the file is located in the current directory
recovered_files/$dir-name, file name or original
EXTUNDELETE/DEV/SDA1--restore-files Grub
--restore-all Restore all deleted data in a partition, file name or original
EXTUNDELETE/DEV/SDA1--restore-all
4. Example ①--superblock
②--journal
③--after Dtime
If the time of deletion is about 2011-7-26 14:30
Date-d "Jul 14:30" +%s
Number of seconds 1234567890
Recover all files deleted after this time
/USR/LOCAL/BIN/EXTUNDELETE/DEV/SDB1--after 1234567890--restore-all
④--before Dtime
⑤--inode
⑥--restore-inode Ino[,ino,...]
⑦--restore-file ' filename '
⑧--restore-files ' Read_filename '
⑨--restore-directory ' Dir-name '
⑩--restore-all
To restore a single directory:
EXTUNDELETE/DEV/SDB1--restore-directory/mongodb
Recover all deleted files:
EXTUNDELETE/DEV/SDB1--restore-all
Extundelete can also be implemented to restore data for a certain period of time. Can be achieved by "--after" and "--before" Parameters!
"Principle" extundelete the process of recovering data:
After the data has been mistakenly deleted, the first thing to do is to unload the partition of the deleted data, if the data of the root partition is mistakenly deleted, you need to enter the system into single user mode, and the root partition is mounted in read-only mode. The reason for this is simple, because after the file is deleted, only the sector pointer in the Inode node of the file is zeroed out, the actual file is also stored on disk, if the disk continues to mount in read-write mode, the data blocks of these deleted files may be reassigned by the operating system, after these databases are overwritten by new data, The data is really lost and the recovery tool is powerless. So! Mounting a disk in read-only mode minimizes the risk of data being overwritten in the database to increase the percentage of successful recovery data.