Linux rm -rf * file recovery note


My hands were too fast, and now I regret it bitterly. I meant to delete a single file:
rm path/myfile.txt
Somehow an extra * got added, and it became:
rm path/myfile.txt *
I hurriedly ran ls and found that all the code was gone. It had not been committed and had not been backed up. The deletion asked for no confirmation. In one second, the world was wiped clean.

I looked around hoping to get lucky, but there was no compressed archive backup. The few backups that did exist were from very early in the work.
I wanted to cry but had no tears.

So deleting with rm on Linux without backing up first is really a bad idea. It is no wonder that many people stare at an rm command for half a minute before running it. It is recommended to make rm under root an alias of mv directly.
There was no way around it: the files had to be recovered.
The machine is in the server room, so I cannot power off the disk or restart.

First, you need to mount the disk as read-only immediately.

Otherwise the other daemons keep reading and writing, and then not even an immortal could recover the files. Be sure to partition disks by function when planning them; otherwise it is very hard to recover from an accidental deletion. For example, if a Linux installation is not partitioned and everything is mounted under /, recovery is very troublesome.
/data is mounted on /dev/sdb1.

# mount
/dev/sdb1 on /data type ext4 (rw)

# mount -r -n -o remount /data
mount: /data is busy
So you need to see which processes are using it:
# fuser -v -m /data
You can see that many Java and Hadoop processes are using it; kill them.
# mount -r -n -o remount /data
Success.
Then touching a file under /data gives an error.

# touch a
touch: cannot touch 'a': Read-only file system

Now I can relax a lot. With the file system mounted read-only, I can take my time recovering and no longer worry about my files being overwritten.

Using debugfs

The idea: use debugfs to find the inode of the deleted file, and then restore it.
# debugfs /dev/sdb1
debugfs 1.41.12 (17-May-2010)

debugfs: lsdel
Inode Owner Mode Size Blocks Time deleted
0 deleted inodes found.

The magical debugfs did not find any deleted inodes. Do I not know how to use it?

Failed!

Using grep to recover

grep searches the raw disk for a piece of text and outputs the content before and after it, which may recover part of a file.
# grep -a -B 100 -A 100 'active.sh' /dev/sdb1 > Results.txt
The result was only some binary garbage.
Failed!

Using ext3grep

Mine is an ext4 file system, so it doesn't work at all.

I had to look for professional tools

With TestDisk 6.14

Usage guide:

http://www.cgsecurity.org/wiki/TestDisk%3a_undelete_file_for_ext2

Download:
wget http://www.cgsecurity.org/testdisk-6.14.linux26-x86_64.tar.bz2
# cd testdisk-6.14
# ls
Android.mk ChangeLog documentation.html fidentify_static INFO l photorec.8 README testdisk.8 testdisk_static VERSION
AUTHORS COPYING fidentify.8 ico jni NEWS photorec_static readme.txt testdisk.log THANKS

# ./testdisk_static
TestDisk 6.14, Data Recovery Utility, July 2013
Christophe GRENIER <grenier@cgsecurity.org>

http://www.cgsecurity.org

1 P MS Data 2048 7811889151 7811887104 [primary]
Directory /

>drwxr-xr-x 4096 28-aug-2013 13:41 .
drwxr-xr-x 4096 28-aug-2013 13:41 ..
drwxrwxrwx 16384 18-jul-2013 15:42 lost+found
drwxrwxrwx 12288 12-sep-2013 00:36 logs

drwxrwxrwx 4096 25-jul-2013 16:54 test1
drwxrwxr-x 4096 12-sep-2013 03:28 statis
drwxrwxr-x 4096 12-sep-2013 17:40 sh
drwxrwxr-x 12288 3-sep-2013 15:28 hadoop

Next
Use Right to change directory, h to hide deleted files
q to quit, : to select the current file, a to select all files
C to copy the selected files, c to copy the current file

Select the appropriate directory and press Enter. The deleted file names finally appear, but why is every file size 0?
TestDisk 6.14, Data Recovery Utility, July 2013
Christophe GRENIER <grenier@cgsecurity.org>

http://www.cgsecurity.org

1 P MS Data 2048 7811889151 7811887104 [primary]
Directory /sh

drwxrwxr-x 4096 12-sep-2013 17:40 .
drwxr-xr-x 4096 28-aug-2013 13:41 ..
>-rwxrwxr-x 0 12-sep-2013 17:40 Active.awk
-rwxrwxr-x 0 12-sep-2013 17:40 active.sh
lrwxrwxrwx 2-aug-2013 17:17 Statis
-rwxrwxr-x 0 12-sep-2013 17:40 dateutil.sh
-rwxrwxr-x 0 12-sep-2013 17:40 hiveput.sh
-rwxrwxr-x 0 12-sep-2013 17:40 multidate.sh
drwxrwxr-x 4096 3-sep-2013 15:24 errlogs
-rwxrwxr-x 0 12-sep-2013 17:40 hiveactive.sh
drwxrwxr-x 4096 12-sep-2013 17:40 cps
drwxrwxr-x 4096 30-aug-2013 15:21 Tempstatsstore
-rwxrwxr-x 0 12-sep-2013 17:40 Bkactive.awk
-rwxrwxr-x 0 12-sep-2013 17:40 Test.awk
-rwxrwxr-x 0 12-sep-2013 17:40 T.awk
-rwxrwxr-x 0 12-sep-2013 17:40 Print
-rw-rw-r-- 500 0 12-sep-2013 17:40 A
-rw-rw-r-- 500 0 12-sep-2013 17:40 a.txt
-rwxrwxr-x 0 12-sep-2013 17:40 User.awk
-rw-rw-r-- 500 0 12-sep-2013 17:40 Luan
-rwxrwxr-x 0 12-sep-2013 17:40 cps.sh
-rwxrwxr-x 0 12-sep-2013 17:40 hivenewdev.sh
-rw-rw-r-- 500 0 12-sep-2013 17:40 hive2mysql.sh
-rw-rw-r-- 500 0 12-sep-2013 17:40 py
lrwxrwxrwx 26-aug-2013 09:34 UserData
lrwxrwxrwx 26-aug-2013 09:34 Bidata
-rwxrwxr-x 0 12-sep-2013 17:40 Bi.awk
-rw-r--r-- 500 0 12-sep-2013 17:40 luandoutang_09_900037.csv
-rw-rw-r-- 500 0 12-sep-2013 17:40 luan1
-rwxr-xr-x 0 12-sep-2013 17:40 Luan.awk
-rwxr-xr-x 0 12-sep-2013 17:40 luan.sh
-rwxrwxr-x 0 12-sep-2013 17:40 Dvid_price.awk
-rwxrwxr-x 0 12-sep-2013 17:40 Cid_price.awk
lrwxrwxrwx 9-sep-2013 13:33 Adsdkdata
-rw-rw-r-- 500 0 12-sep-2013 17:40 0908.txt
-rw-rw-r-- 500 0 12-sep-2013 17:40 09081.txt
-rw-rw-r-- 500 0 12-sep-2013 17:40 09.txt
drwxrwxr-x 4096 9-sep-2013 16:22 pid

TestDisk 6.14, Data Recovery Utility, July 2013

Please select a destination where /sh/active.awk will be copied.
Keys: Arrow keys to select another directory
C when the destination is correct
Q to quit

Select all files with a, press C to copy, choose the directory to back up to, and confirm.

Going in to look, the file names are restored, but the contents of the files are empty. TestDisk, which claims to be able to recover ext4, failed.

I then downloaded the new version, testdisk-7.0-WIP.linux26-x86_64.tar.bz2: the same problem.

Recover with extundelete-0.2.4

Official website:

http://extundelete.sourceforge.net/

Download:

wget http://downloads.sourceforge.net/project/extundelete/extundelete/0.2.4/extundelete-0.2.4.tar.bz2

extundelete depends on e2fsprogs
# ./configure
Configuring extundelete 0.2.4
configure: error: Can't find ext2fs library

# yum install e2fsprogs-devel

# ./configure
Configuring extundelete 0.2.4
Writing generated files to disk

# make && make install

# cd src
# ls
block.c cli.cc extundelete-block.o extundelete-cli.o extundelete.h extundelete-priv.h jfs_compat.h Makefile Makefile.in
block.h extundelete extundelete.cc extundelete-extundelete.o extundelete-insertionops.o insertionops.cc kernel-jbd.h Makefile.am

# ./extundelete
No action specified; implying --superblock.
./extundelete: Missing device name.
Usage: ./extundelete [options] [--] device-file
Options:
  --version, -[vV]       Print version and exit successfully.
  --help,                Print this help and exit successfully.
  --superblock           Print contents of superblock in addition to the rest.
                         If no action is specified then this option is implied.
  --journal              Show content of journal.
  --after dtime          Only process entries deleted on or after 'dtime'.
  --before dtime         Only process entries deleted before 'dtime'.
Actions:
  --inode ino            Show info on inode 'ino'.
  --block blk            Show info on block 'blk'.
  --restore-inode ino[,ino,...]
                         Restore the file(s) with known inode number 'ino'.
                         The restored files are created in ./recovered_files
                         with their inode number as extension (ie, file.12345).
  --restore-file 'path'  Will restore file 'path'. 'path' is relative to root
                         of the partition and does not start with a '/'
                         The restored file is created in the current
                         directory as 'recovered_files/path'.
  --restore-files 'path' Will restore files which are listed in the file 'path'.
                         Each filename should be in the same format as an option
                         to --restore-file, and there should be one per line.
  --restore-directory 'path'
                         Will restore directory 'path'. 'path' is relative to the
                         root directory of the file system. The restored
                         directory is created in the output directory as 'path'.
  --restore-all          Attempts to restore everything.
  -j journal             Reads an external journal from the named file.
  -b blocknumber         Uses the backup superblock at blocknumber when opening
                         the file system.
  -B blocksize           Uses blocksize as the block size when opening the file
                         system. The number should be the number of bytes.
  --log 0                Make the program silent.
  --log filename         Logs all messages to filename.
  --log D1=0,D2=filename Custom control of log messages with comma-separated
   Examples below:       list of options. Dn must be one of info, warn, or
   --log info,error      error. Omission of the '=name' results in messages
   --log warn=0          with the specified level to be logged to the console.
   --log error=filename  If the parameter is '=0', logging for the specified
                         level will be turned off. If the parameter is
                         '=filename', messages with that level will be written
                         to filename.
  -o directory           Save the recovered files to the named directory.
                         The restored files are created in a directory
                         named 'recovered_files/' by default.
./extundelete: Error parsing command-line options.

# ./extundelete /dev/sdb1 --restore-directory /data/sh
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 29800 groups loaded.
Loading journal descriptors ... 28266 descriptors loaded.
Failed to restore file /data/sh
Could not find correct inode number past inode 2.
Try altering the filename to one of the entries listed below.
File name | Inode number | Deleted status
. 2
.. 2
lost+found 11
logs 195821569
DFS 14942209
Mapred 165806081
Bidata 221380609
UserData 3407873
Trackdata 112459777
Adsdkdata 135135233
Test 227409921
A.tar.gz 12
T1 Deleted
test1 227278849
statis 109051905
sh 24641537
hadoop 59506689
./extundelete: Operation not permitted while restoring directory.
./extundelete: Operation not permitted while trying to examine filesystem
# ./extundelete /dev/sdb1 --restore-file /data/sh/active.awk
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 29800 groups loaded.
Loading journal descriptors ... 28266 descriptors loaded.
Failed to restore file /data/sh/active.awk
Could not find correct inode number past inode 2.
Try altering the filename to one of the entries listed below.
File name | Inode number | Deleted status
. 2
.. 2
lost+found 11
logs 195821569
DFS 14942209
Mapred 165806081
Bidata 221380609
UserData 3407873
Trackdata 112459777
Adsdkdata 135135233
Test 227409921
A.tar.gz 12
T1 Deleted
test1 227278849
statis 109051905
sh 24641537
hadoop 59506689
./extundelete: Operation not permitted while restoring file.
./extundelete: Operation not permitted while trying to examine filesystem

# ./extundelete /dev/sdb1 --restore-all
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 29800 groups loaded.
Loading journal descriptors ... 28266 descriptors loaded.
# cd recovered_files/
# cd sh
# ls
09081.txt a Bknewdev.awk charge.sh derby.log hive2mysql.sh Luan.awk Newdev.awk So.awk
0908.txt Active.awk b.txt charge.txt dvid_price.awk hiveactive.sh luandoutang_09_900037.csv newdev.sh T.awk
09.txt active.sh charge Cid_price.awk emptycid hivenewdev.sh luan.sh Pid.awk tempstatsstore
100001 adsdkdata charge_2013-09-09.txt cps err.txt hiveput.sh multidate.sh pid.sh Test.awk
1dev.awk a.txt charge_20130909_.txt cps_newdev.java getdvid.awk insdata.py newdev Print User.awk
201309081.txt Bi.awk charge2mysql.sh cps.sh getmysql.sh Luan Newdev1.awk py
201309091.txt Bkactive.awk Charge.awk dateutil.sh getnewdev_from_mysql.sh luan1 newdev2mysql.sh sendmail.sh
# ls -l
total 225360
-rw-r--r-- 1 root root 29251633 Sep 19:46 09081.txt
-rw-r--r-- 1 root root 35249787 Sep 19:46 0908.txt
-rw-r--r-- 1 root root 64501420 Sep 19:46 09.txt
-rw-r--r-- 1 root root 2378 Sep 12 19:46 100001
-rw-r--r-- 1 root root 840 Sep 19:46 1dev.awk
-rw-r--r-- 1 root root 33931129 Sep 19:46 201309081.txt
-rw-r--r-- 1 root root 27169653 Sep 19:46 201309091.txt
-rw-r--r-- 1 root root 1 Sep 19:46 a
-rw-r--r-- 1 root root 2227 Sep 19:46 Active.awk
-rw-r--r-- 1 root root 999 Sep 19:46 active.sh
-rw-r--r-- 1 root root 19242484 Sep 19:46 adsdkdata
-rw-r--r-- 1 root root 5626 Sep 19:46 a.txt
-rw-r--r-- 1 root root 331 Sep 19:46 Bi.awk
-rw-r--r-- 1 root root 1543 Sep 19:46 Bkactive.awk
-rw-r--r-- 1 root root 931 Sep 19:46 Bknewdev.awk
-rw-r--r-- 1 root root one Sep 19:46 b.txt
-rw-r--r-- 1 root root, Sep 19:46 charge
-rw-r--r-- 1 root root 20964603 Sep 19:46 charge_2013-09-09.txt
-rw-r--r-- 1 root root 229 Sep 19:46 Charge_20130909_.txt
-rw-r--r-- 1 root root 1243 Sep 19:46 charge2mysql.sh
-rw-r--r-- 1 root root 428 Sep 19:46 Charge.awk
-rw-r--r-- 1 root root 2822 Sep 19:46 charge.sh
-rw-r--r-- 1 root root 227 Sep 19:46 charge.txt
-rw-r--r-- 1 root root 1227 Sep 19:46 Cid_price.awk
drwxr-xr-x 2 root root 4096 Sep 19:46 cps
-rw-r--r-- 1 root root 12070 Sep 19:46 Cps_newdev.java
-rw-r--r-- 1 root root 2764 Sep 19:46 cps.sh
-rw-r--r-- 1 root root 885 Sep 19:46 dateutil.sh
-rw-r--r-- 1 root root 992 Sep 19:46 Derby.log
-rw-r--r-- 1 root root 658 Sep 19:46 Dvid_price.awk
-rw-r--r-- 1 root root 54217 Sep 19:46 emptycid
-rw-r--r-- 1 root root 64279 Sep 19:46 err.txt
-rw-r--r-- 1 root root 379 Sep 19:46 Getdvid.awk
-rw-r--r-- 1 root root 1217 Sep 19:46 getmysql.sh
-rw-r--r-- 1 root root 1552 Sep 19:46 getnewdev_from_mysql.sh
-rw-r--r-- 1 root root 532 Sep 19:46 hive2mysql.sh
-rw-r--r-- 1 root root 858 Sep 19:46 hiveactive.sh
-rw-r--r-- 1 root root 926 Sep 19:46 hivenewdev.sh
-rw-r--r-- 1 root root 683 Sep 19:46 hiveput.sh
-rw-r--r-- 1 root root 2227 Sep 19:46 insdata.py
-rw-r--r-- 1 root root 1045 Sep 19:46 Luan
-rw-r--r-- 1 root root 813 Sep 19:46 luan1
-rw-r--r-- 1 root root 336 Sep 19:46 Luan.awk
-rw-r--r-- 1 root root 72909 Sep 19:46 luandoutang_09_900037.csv
-rw-r--r-- 1 root root 19:46 Sep luan.sh
-rw-r--r-- 1 root root 420 Sep 19:46 multidate.sh
drwxr-xr-x 2 root root 4096 Sep 19:46 Newdev
-rw-r--r-- 1 root root 777 Sep 19:46 Newdev1.awk
-rw-r--r-- 1 root root 1290 Sep 19:46 newdev2mysql.sh
-rw-r--r-- 1 root root 738 Sep 19:46 Newdev.awk
-rw-r--r-- 1 root root 762 Sep 19:46 newdev.sh
-rw-r--r-- 1 root root 693 Sep 19:46 Pid.awk
-rw-r--r-- 1 root root 518 Sep 19:46 pid.sh
-rw-r--r-- 1 root root (Sep) 19:46 Print
-rw-r--r-- 1 root root 30324 Sep 19:46 py
-rw-r--r-- 1 root root for Sep 19:46 sendmail.sh
-rw-r--r-- 1 root root 744 Sep 19:46 So.awk
-rw-r--r-- 1 root root 19:46 Sep T.awk
drwxr-xr-x 2 root root 4096 Sep 19:46 Tempstatsstore
-rw-r--r-- 1 root root 311 Sep 19:46 Test.awk
-rw-r--r-- 1 root root 385 Sep 19:46 User.awk
# vi Active.awk
Looking inside, the scripts are all there.

The whole recovery was successful.
So the only tool that succeeded was extundelete, and it could not restore specified files or directories; only restoring everything succeeded.
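
The extundelete help text above says the path given to --restore-file and --restore-directory is relative to the root of the partition and does not start with '/'. The following added example (not from the original post) checks a /proc/mounts-style table to confirm that the file system is mounted read-only and that the output directory sits on a different device, then prints the command with the partition-relative path. The mount table is constructed, and /recover and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Mount-table lines use the
# /proc/mounts layout: device mountpoint fstype options dump pass.
# Constructed sample: /dev/sdb1 on /data matches the post; /recover is assumed.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /data ext4 ro,relatime 0 0
/dev/sdc1 /recover ext4 rw,relatime 0 0'

# find_mount PATH TABLE -> "device mountpoint options" for the longest mount
# point that contains PATH; on a tie the later line wins (overmount).
find_mount() {
    printf '%s\n' "$2" | awk -v p="$1" '
        NF >= 4 { pre = ($2 == "/") ? "/" : $2 "/"
          if (index(p "/", pre) == 1 && length($2) >= best) {
              best = length($2); hit = $1 " " $2 " " $4 } }
        END { if (hit == "") exit 1; print hit }'
}

# preflight KIND PATH OUTDIR TABLE, where KIND is "file" or "directory".
# Prints the extundelete command line, or fails with the reason on stderr.
preflight() {
    case $1 in file|directory) ;; *) echo "kind must be file or directory" >&2; return 1 ;; esac
    src=$(find_mount "$2" "$4") || { echo "no mount for $2" >&2; return 1; }
    dst=$(find_mount "$3" "$4") || { echo "no mount for $3" >&2; return 1; }
    dev=${src%% *}; rest=${src#* }; mp=${rest%% *}; opts=${rest#* }
    case ",$opts," in
        *,ro,*) ;;
        *) echo "$mp is mounted read-write; remount it read-only first" >&2; return 1 ;;
    esac
    if [ "${dst%% *}" = "$dev" ]; then
        echo "$3 is on $dev, the file system being recovered" >&2; return 1
    fi
    rel=${2#"$mp"}; rel=${rel#/}      # path relative to the partition root
    [ -n "$rel" ] || { echo "$2 is the mount point; use --restore-all" >&2; return 1; }
    echo "extundelete $dev --restore-$1 $rel -o $3"
}

preflight file /data/sh/active.awk /recover/out "$SAMPLE_MOUNTS"
```

On a live system the table would come from /proc/mounts, for example `preflight directory /data/sh /recover/out "$(cat /proc/mounts)"`.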

A weight off my mind :)
Lessons for those who come after: be sure to back up, and partition disks by function. The rm command should be aliased: alias rm="rm -i".
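
The earlier suggestion to point rm at mv, as an added example that is not from the original post: a trash function that moves its arguments into a fresh timestamped directory instead of unlinking them, replayed on the "myfile.txt *" accident. TRASH_DIR, the function names and the sample files are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. TRASH_DIR is an assumed location;
# keep it on the same file system as the data so mv is a rename, not a copy.
TRASH_DIR=${TRASH_DIR:-"$HOME/.trash"}

# trash FILE...: move each argument into a fresh batch directory under
# TRASH_DIR and print that directory, so a mistaken glob can be moved back.
trash() {
    [ "$#" -gt 0 ] || { echo "trash: missing operand" >&2; return 1; }
    mkdir -p "$TRASH_DIR" || return 1
    batch=$(mktemp -d "$TRASH_DIR/$(date +%Y%m%d-%H%M%S).XXXXXX") || return 1
    n=0
    for f in "$@"; do
        case $f in
            /|.|..|*/.|*/..) echo "trash: refusing '$f'" >&2; continue ;;
        esac
        if [ ! -e "$f" ] && [ ! -L "$f" ]; then
            echo "trash: no such file: $f" >&2; continue
        fi
        n=$((n + 1))
        # The counter keeps two arguments with the same basename apart.
        mv -- "$f" "$batch/$n.$(basename -- "$f")" || return 1
    done
    echo "$batch"
}

# Replays the accident from the post on constructed files in a scratch
# directory: "myfile.txt *" names myfile.txt twice and everything else once.
demo() (
    d=$(mktemp -d) || exit 1
    cd "$d" || exit 1
    TRASH_DIR="$d/.trash"
    echo code > myfile.txt
    echo more > other.sh
    batch=$(trash myfile.txt *) || exit 1
    ls "$batch"
)
demo
```

An alias such as rm="rm -i" on its own is overridden when -f appears later on the command line, so rm -rf * still runs without a prompt; moving files aside does not depend on a prompt being read.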
