Restore deleted files in Linux ext2 File System

Restore deleted files in Linux ext2 File System

Release date: 2002-08-08
Article content:
------------------------------------------------------------------------
--------
By deepin@nsfocus.com
Http://www.nsfocus.com

The customer received more than 100 emails from the Qmail server through Foxmail in an emergency response.
And deleted,
However, these emails are very important, so we can help you recover them on the email server.

Because remote data recovery can only be performed over the network, it is impossible to remove hardware as traditional data recovery
Disk, full disk first
Copy the backup (in actual work, there is almost no such condition), and then mount it to read-only for recovery and so on.


. It can only be performed according to the existing conditions.
The partition is not very good, but the hard disk is divided into two partitions:/boot /.
Under/var/Qmail, the actual
Also in/partition

The email system has been working for two to three hours since it was deleted. After deletion, you want to restore the emails by 100%.
Email, unless on
God bless. I have to do my best.

First, stop the email system, mainly their SMTP Service (mainly those that may write disk content ).
Then select a tool for recovery
Currently, the following tools can be used in Linux to restore files:
Http://www.fish.com/tct/
It can be restored on different file partition types of multiple UNIX operating systems (of course, the effect is not the same ),
Including UFS, FFs, and ex2.
The most powerful, bulky, and troublesome operations.


Http://recover.sourceforge.net/linux/recover/
Simple functions and easy to use



Http://e2undel.sourceforge.net
Http://unc.dl.sourceforge.net/sourceforge/e2undel/e2undel-0.8.tgz

There is an interactive interface that can be selected for certain operations. This tool needs to install an e2undel Runtime Library,
If
The file to be restored is located in the/usr partition. It is best not to use it, so that it will not be damaged after being installed.
Recovered
File (of course, you can install the Runtime Library to other file systems, but according to its installation requirements
Trouble ).

Unrm
Http://packetstormsecurity.com/UNIX/utilities/unrm-0.92.tar.gz
A small tool actually uses the debugfs command in Linux to simplify the steps for manual use of debugfs
Step 2,
There is no interactive interface, and the recovered files are directly placed under a fixed directory.


According to this situation, the tools that are bulky and need to be installed are out of the Selection Range. I used
Unrm,
Without damaging the content of the data disk, I put this tool down/boot to expand. Suppose what we need to restore is
Aaa
This user's email
This user's email

Modify the Mount path in this script (originally/usr/sbin/mount, this system is
/Usr/bin)
Check whether/the local partition device is/dev/sda2.

./Unrm/dev/sda2-u Qmail-s aaa

Restore the files deleted by Qmail. The files contain the AAA string.
Actually, this-S parameter does not work.

After./unrm/dev/sda2-u Qmail is used, an unrm. Recover
Directory
Each recovered file is stored in the unrm. xxxxxx format.
Filtered
Grep AAA * | cut-D:-F 1 | uniq
Find these file names and CP them to the original Qmail mail directory (maildir/new)
The result of this operation is that 35 files have been restored, but four files have been basically damaged. Only 31 files have been completely recovered.
Items
Try to receive the email. Everything works.

From the recovery work, we can see that in the Linux ex2 file system, the recovery is better than in the previous solairs.
Ufs system requires
After./unrm/dev/sda2-u Qmail is used, an unrm. Recover
It is much more convenient. After UFS is deleted, each file block has no link, while ex2 is a bit similar

In the fat system, the inode number of the first block is lost for small files, and the blocks are linked.

A large file seems to have no link after a certain number of blocks.
Restoring files under UFS may be better than TCT.
Welcome to our site http://www.nsfocus.com/
Green Alliance technology provides you with security assurance

-----------------------------------------------------

Http://www.linuxidc.com/Linux/2008-08/14744.htm

Many people have had a painful lesson about RM. I also met a program that was written one afternoon and RM was dropped. Fortunately, it was just a file and I wrote it again the next day. But many may not be as lucky as me. This article collects some methods to restore deleted rm files in Linux for your reference.

First, the best way is to avoid this problem. The following are some suggestions:

1. The consequences of RM-RF misoperations are terrible. rm-F should also be considered and cannot be used easily.

 

2. Back up data.

3. Use some policies to avoid errors:

We recommend that you use tabs to complete tasks in shell and execute tasks in scripts to reduce the chance of errors. You can also write a script named RM, change the real RM to mV in the script, and delete all the deleted music videos to a specified directory and clean them regularly.

Can the deleted RM file be restored?

Rm man has the following statement:

Note that if you use RM to delete a file, you can restore it to its original state. If you want to ensure that the content of this file cannot be restored, consider using shred.

Therefore, theoretically, the files deleted by RM can still be recovered. Deleting a file only releases the index point (information nodes) pointing to the data block. As long as the data is not overwritten, it is still on the hard disk. The key is to find the index point, capture the data in the data block it refers to and save it to another partition. After you accidentally delete a file with RM, the first thing we need to do is ensure that data is no longer written to the partition where the file is accidentally deleted.

Generally, we can have the following options:

1. Use tools.

2. Write your own program. You need to program and understand the corresponding file system.

3. If the data is useful, you may be able to seek help from a professional company.

Tools

1. the sleuth kit http://www.sleuthkit.org/sleuthkit/ (autopsy is one of its graphics front ends)

2. Foremost http://foremost.sourceforge.net

3. a versatile tool, finaldata, can restore files accidentally deleted under Unix/Linux/DOS. For UNIX, these products are supported: Solaris, Aix, and HP-UX. For Linux, ext2 file systems are supported. For DoS, the file system supports fat 12/16/32, NTFS 4/5/5.1.

4. If the file system is ext2 (invalid for ext3 ):

The deletion mechanism of ext3 directly deletes inode data, so ext3 cannot be deleted (ext3 is designed to be unable to restore deleted files ).

Unrm

Ext2ed

Debugfs (undel lsdel)

Recover

Midnight Commander (MC)

E2undel

TCT

5. If the file system is FAT32 or NTFS:

Easyrecovery

Finaldata

6. If FreeBSD uses RM, try the undelete command.

7. When a process opens a file, as long as the process keeps opening the file, lsof can be used to restore and delete the file.