Recovering mistakenly deleted files on Linux

Source: Internet
Author: User

Because Linux is a multi-user, multi-tasking operating system, files are hard to recover once they are deleted. The delete command only removes the file's node and does not actually erase the file's contents, but other users and any processes that write to the disk will soon overwrite the data. However, on a home Linux computer, or when remedial action is taken promptly after a mistaken deletion, the file can still be restored.

1. A brief introduction to the Ext2 file system structure

In the Ext2 file system used by Linux, files are stored in blocks. By default each block is 1K in size, and blocks are distinguished by their block numbers. Each file also has a node (inode) that holds information such as the file owner, read and write permissions, and file type. For a file that is less than 12 blocks, the block numbers of the file's data blocks are stored directly in the node. If the file is larger than 12 blocks, then after the 12 block numbers the node stores the block number of an indirect block; the block with that number holds the block numbers of 256 file blocks (each block number in Ext2fs occupies 4 bytes, so one block can hold 1024/4=256 block numbers). For still larger files, the node also has a level-two indirect block and a level-three indirect block.
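The addressing scheme described above can be worked through in a few lines. This is an added example, not code from the original article; the function names locate and blocks_for are hypothetical, and the block size is a parameter so the default 1K case can be compared with others.

```python
DIRECT = 12      # block numbers stored directly in the node
PTR_SIZE = 4     # bytes per block number in Ext2


def locate(index, block_size=1024):
    """Map a file's logical block index to (level, slot indexes along the path)."""
    p = block_size // PTR_SIZE           # block numbers held by one indirect block
    if index < 0:
        raise ValueError("negative block index")
    if index < DIRECT:
        return ("direct", (index,))
    index -= DIRECT
    if index < p:
        return ("indirect", (index,))
    index -= p
    if index < p * p:
        return ("double", (index // p, index % p))
    index -= p * p
    if index < p ** 3:
        return ("triple", (index // (p * p), index // p % p, index % p))
    raise ValueError("beyond the triple-indirect range")


def blocks_for(size, block_size=1024):
    """Return (data_blocks, indirect_blocks) occupied by a file of `size` bytes."""
    p = block_size // PTR_SIZE
    data = -(-size // block_size)        # ceiling division
    rest = max(data - DIRECT, 0)         # data blocks not covered by direct slots
    meta = 0
    for level in (1, 2, 3):
        if rest == 0:
            break
        covered = min(rest, p ** level)
        # pointer blocks below the top of this level, plus the top block itself
        meta += sum(-(-covered // p ** k) for k in range(1, level)) + 1
        rest -= covered
    if rest:
        raise ValueError("file too large for this block size")
    return data, meta


if __name__ == "__main__":
    print(locate(12), locate(12 + 256), blocks_for(149500, 4096))
```

A deleted file larger than 12 blocks can only be read back completely if its indirect blocks have also survived, since they hold the remaining block numbers. As an observation about the numbers only, a 149500-byte file on 4K blocks needs 37 data blocks plus one indirect block, which is consistent with the 38 blocks listed for the example file in section 2.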

2. How to recover deleted files by mistake

Most Linux distributions provide the debugfs tool, which can be used to edit an Ext2 file system. However, there is still some work to do before using this tool.

First, remount the partition that held the mistakenly deleted file as read-only. Use the following command (assuming the file is on the /usr partition):

mount -r -n -o remount /usr

-r indicates read-only mounting, and -n means do not write to /etc/mtab; add this parameter if the file being restored is under /etc. If the system says XXX partition busy, you can use the fuser command to see which processes are using files on this partition:

fuser -v -m /usr

If there are no important processes, use the following command to stop them:

fuser -k -v -m /usr

You can then remount the file system.

If all the files are installed in one large / partition, you can boot Linux into single-user mode from the boot prompt to minimize the chance of system processes writing data to the hard disk, or simply attach the hard disk to another machine. In addition, the recovered data should not be written to the / partition, to avoid destroying useful data. If there are DOS/Windows partitions on the machine, you can write to those partitions instead (the partition must be mounted read-write, so -r is not used here):

mount -n /dev/hda1 /mnt/hda

Then you can run debugfs (assuming Linux is on /dev/hda5):

# debugfs /dev/hda5

The debugfs prompt, debugfs:, will appear.

You can use the lsdel command to list information about the many files that have been deleted:

debugfs: lsdel
debugfs: 2692 deleted inodes found.
 Inode  Owner  Mode    Size    Blocks   Time deleted
164821      0 100600   8192    1/1      Sun May 13 19:22:46 2001
...
 36137      0 100644      4    1/1      Tue Apr 24 10:11:15 2001
196829      0 100644 149500   38/38     Mon May 27 13:52:04 2001
debugfs:

Many files are listed (2,692 found here). The first field is the file node number, the second is the file owner, the third is the read and write permissions, followed by the file size, the number of blocks, and the deletion time.

You can then judge which entry is the one you need based on file size and deletion date. For example, suppose we want to restore the file whose node number is 196829:

You can look at the file data status first:

debugfs: stat <196829>
inode: 196829  type: regular  mode: 0644  flags: 0x0  version: 1
user: 0  group: 0  size: 149500
File acl: 0  Directory acl: 0
links: 0  blockcount: 38
fragment: address: 0  number: 0  size: 0
ctime: 0x31a9a574 -- Mon May 27 13:52:04 2001
atime: 0x31a21dd1 -- Tue 21 20:47:29 2001
mtime: 0x313bf4d7 -- Tue Mar 5 08:01:27 2001
dtime: 0x31a9a574 -- Mon May 27 13:52:04 2001
BLOCKS:
594810 594811 594814 594815 594816 594817 ...
total: 38

You can then restore the file with the dump command:

debugfs: dump <196829> /mnt/hda/01.sav

This will restore the file. Exit debugfs:

debugfs: quit
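
With thousands of deleted inodes listed, choosing by file size and deletion date is easier to do with a script over saved lsdel output. The following is an added example, not part of the original article: the function names are hypothetical, the sample listing is constructed from the rows shown above plus one made-up row, and it treats the Blocks column as free/total, which is how lsdel reports how many of a file's blocks have not yet been reallocated.

```python
import re
from datetime import datetime

# Constructed sample: rows from the listing above plus one made-up row
# (inode 40001) whose blocks are only partly free, i.e. partly overwritten.
SAMPLE = """\
 Inode  Owner  Mode    Size    Blocks   Time deleted
164821      0 100600   8192    1/   1 Sun May 13 19:22:46 2001
 36137      0 100644      4    1/   1 Tue Apr 24 10:11:15 2001
 40001      0 100644  90000   10/  23 Mon May 27 13:50:00 2001
196829      0 100644 149500   38/  38 Mon May 27 13:52:04 2001
4 deleted inodes found.
"""

# inode owner mode size free/total weekday "Mon DD HH:MM:SS YYYY"
ROW = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+([0-7]+)\s+(\d+)\s+(\d+)/\s*(\d+)\s+\w{3}\s+(.+)$")


def parse_lsdel(text):
    """Turn lsdel output into a list of dicts; header and summary lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        inode, owner, mode, size, free, total = m.groups()[:6]
        rows.append({
            "inode": int(inode), "owner": int(owner), "mode": mode,
            "size": int(size), "free": int(free), "total": int(total),
            "deleted": datetime.strptime(m.group(7).strip(), "%b %d %H:%M:%S %Y"),
        })
    return rows


def candidates(rows, min_size=0, max_size=None, since=None, until=None):
    """Keep entries in the size range and deletion window whose blocks are all free."""
    return [r for r in rows
            if r["free"] == r["total"]
            and r["size"] >= min_size
            and (max_size is None or r["size"] <= max_size)
            and (since is None or r["deleted"] >= since)
            and (until is None or r["deleted"] <= until)]


def dump_commands(rows, dest_dir):
    """Build one debugfs dump request per inode, written outside the damaged partition."""
    return [f"dump <{r['inode']}> {dest_dir}/{r['inode']}.sav" for r in rows]
```

The generated lines can be saved to a file and run in one pass with debugfs -f, keeping the destination on a different partition as described above.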
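
Another way is to edit the inode manually (debugfs opens the file system read-only by default, so it must have been started with the -w option for the change to be written):

debugfs: mi <196829>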
Mode [0100644]
User ID [0]
Group ID [0]
Size [149500]
Creation time [0x31a9a574]
Modification time [0x31a9a574]
Access time [0x31a21dd1]
Deletion time [0x31a9a574] 0
Link count [0] 1
Block Count [38]
File flags [0x0]
Reserved1 [0]
File ACL [0]
Directory ACL [0]
Fragment Address [0]
Fragment Number [0]
Fragment size [0]
Direct Block #0 [594810]
...
Triple Indirect Block [0]

The mi command displays one line of information at a time for editing. Change the deletion time to 0 (not deleted) and the link count to 1; the other lines can be confirmed unchanged by pressing Enter. After making the changes, exit debugfs:

debugfs: quit

Then use fsck to check /dev/hda5:

fsck /dev/hda5

The program will report that it has found lost data blocks and will put them in lost+found. The files in this directory are what we want.

Transferred from: http://bbs.chinaunix.net/thread-2088686-1-1.html
