First, let's start by understanding the file deletion principle:
1) Linux controls file deletion through link counts: a file is deleted only when no links to it remain. In general, each file has 2 link counters: i_count and i_nlink.
2) When a process has a file open, the file still exists on disk for as long as the process keeps it open, even if it is deleted. The process does not know that the file has been deleted, and it can still read and write through the file descriptor it was given when it opened the file. Apart from this process, the file is not visible to anything else, because its corresponding directory index node has been deleted.
3) When you find that you have deleted a file by mistake, the first thing to do is to immediately unmount the partition the file was on, or remount it read-only. After a file is deleted, its data still exists on the disk unless the data blocks that hold it are reallocated by the operating system. This step minimizes the risk of those data blocks being overwritten and so raises the chance of a successful recovery.
Second, the hands-on exercises
Scenario 1) Using extundelete to recover files (for RHEL 6.x systems, ext4)
# Upload the extundelete-0.2.4.tar.bz2 package to /usr/local/src.
# tar -jxvf extundelete-0.2.4.tar.bz2
# cd extundelete-0.2.4
# ./configure (this step fails with an error, see below)
# mount /dev/cdrom /mnt
# rpm -ivh /mnt/Packages/e2fsprogs-devel-1.41.12-18.el6.x86_64.rpm
(This package must be installed; otherwise the earlier ./configure fails)
# ./configure (succeeds)
# make && make install
The software is now installed, so let's restore the file.
1) First create a recovery directory
# mkdir Recover
# cd Recover
# extundelete /dev/sda4 --inode 2 (list the files you deleted)
# extundelete /dev/sda4 --restore-inode 15 (restore a file by its inode number)
# extundelete /dev/sda4 --restore-file a.txt (restore a file by its file name)
# extundelete /dev/sda4 --restore-directory etc (restore a directory; here I use the etc directory)
# extundelete /dev/sda4 --restore-all (restore everything)
Scenario 2) Using a little-known capability of lsof
Principle: most of the information lsof reports is stored under /proc, in a directory named after the PID of the process.
If the /var/log/messages file is deleted by mistake, it can be restored as follows.
First use lsof to check whether any process currently has the /var/log/messages file open:
# lsof | grep /var/log/messages
syslogd 1283 root 2w REG 3,3 5381017 1773647 /var/log/messages (deleted)
From the above output you can see that PID 1283 (syslogd) has the file open with file descriptor 2. You can also see that /var/log/messages has been marked as deleted. So we can look at the file through /proc/1283/fd/2 (each numerically named file under fd corresponds to one of the process's file descriptors), as follows:
# head -n 10 /proc/1283/fd/2
Aug 4 13:50:15 holmes86 syslogd 1.4.1: restart.
Aug 4 13:50:15 holmes86 kernel: klogd 1.4.1, log source = /proc/kmsg started.
Aug 4 13:50:15 holmes86 kernel: Linux version 2.6.22.1-8 ([email protected]) (gcc version 4.2.0) #1 SMP Wed Jul 11:18:32 EDT
Aug 4 13:50:15 holmes86 kernel: BIOS-provided physical RAM map:
Aug 4 13:50:15 holmes86 kernel: BIOS-e820: 0000000000000000-000000000009f000 (usable)
Aug 4 13:50:15 holmes86 kernel: BIOS-e820: 000000000009f000-00000000000a0000 (reserved)
Aug 4 13:50:15 holmes86 kernel: BIOS-e820: 0000000000100000-000000001f7d3800 (usable)
Aug 4 13:50:15 holmes86 kernel: BIOS-e820: 000000001f7d3800-0000000020000000 (reserved)
Aug 4 13:50:15 holmes86 kernel: BIOS-e820: 00000000e0000000-00000000f0007000 (reserved)
Aug 4 13:50:15 holmes86 kernel: BIOS-e820: 00000000f0008000-00000000f000c000 (reserved)
As you can see from the information above, you can get the data you want to recover by looking at /proc/8663/fd/15. If the data can be viewed through the file descriptor, you can use I/O redirection to copy it to a file, for example:
# cat /proc/1283/fd/2 > /var/log/messages
This method of recovering deleted files is useful for many applications, especially log files and databases.
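The same recovery can be done by reading /proc directly, which also shows principle 2) at work. The script below is an added example, not part of the original article: the function names and the scratch log file are assumptions made for the demonstration.

```sh
#!/bin/sh
# Added example, not from the original article; function names are hypothetical.

# Print "PID FD TARGET" for every open descriptor whose file has been unlinked.
# Reads /proc directly (no lsof needed); run as root to see all processes.
list_deleted_fds() {
    for fd in /proc/[0-9]*/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        case $target in
            /*" (deleted)")
                pid=${fd#/proc/}
                printf '%s %s %s\n' "${pid%%/*}" "${fd##*/}" "$target" ;;
        esac
    done
}

# Copy what PID still holds open on descriptor FD to DEST.
# Put DEST on another filesystem when the affected disk must stay untouched.
recover_fd() {
    src=/proc/$1/fd/$2
    [ -e "$src" ] || { echo "no such descriptor: $src" >&2; return 1; }
    cp -- "$src" "$3"
}

# Constructed demo (call it as: demo && echo recovered). A background process
# keeps a scratch log open on fd 9, the log is deleted, and its contents are
# copied back out. Returns 0 only if the copy matches byte for byte.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'Aug  4 13:50:15 host syslogd: restart.\n' > "$dir/messages"
    cp "$dir/messages" "$dir/expected"
    exec 9< "$dir/messages"
    sleep 30 &                  # stand-in for syslogd; inherits fd 9
    holder=$!
    exec 9<&-                   # only the background process holds it now
    rm -f "$dir/messages"
    status=1
    if list_deleted_fds | grep "^$holder 9 .*/messages (deleted)\$" >/dev/null &&
       recover_fd "$holder" 9 "$dir/messages.recovered" &&
       cmp -s "$dir/expected" "$dir/messages.recovered"; then
        status=0
    fi
    kill "$holder" 2>/dev/null || true
    rm -rf "$dir"
    return "$status"
}
```

After a real restore, the process is still writing to the old, deleted inode, so restart it (or have it reopen its log) once the copy is in place.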
Scenario 3) Using ext3grep to recover files (for RHEL 5.x systems, ext3)
# Upload the ext3grep-0.10.1.tar.gz package to /usr/local/src.
# tar -zxvf ext3grep-0.10.1.tar.gz
# cd ext3grep-0.10.1
# ./configure (succeeds)
# make && make install
The software is now installed, so let's restore the file.
1) First create a recovery directory
# mkdir Recover
# cd Recover
# ext3grep /dev/your-device --restore-file path/to/your/file/filename
Note that the file path above is the path relative to that partition. Suppose we want to restore a file on the /dev/sda3 partition, the original mount point of this partition is /home, and the file to restore is /home/easwy/vi/tips.xml; then the command should be:
# ext3grep /dev/sda3 --restore-file easwy/vi/tips.xml
All recovered files are placed in the RESTORED_FILES directory, at the same size. RESTORED_FILES is created in the directory from which ext3grep was run.
If you forget the file name, or if you mistakenly delete a directory and you cannot remember all the files in the directory, you can first query the file name with the following command:
# ext3grep /dev/sda3 --dump-names | tee filename.txt
The above command logs the output of the ext3grep command to the file filename.txt; you can read through it at your own pace, or use the grep command to filter out the information you need.
When you know the directory/file information, you can use the above-mentioned command to recover.
To restore all files and directories (a directory that was deleted a long time ago may not be fully recoverable; compressed files can generally be restored):
# ext3grep /termite/cc-disk --restore-all
# ext3grep /dev/sda3 --ls --inode 2 (creates the partition scan files: sda5.ext3grep.stage1 and sda5.ext3grep.stage2)
If you want to regenerate them, delete the two files and run this command again. The partition scan files are also generated automatically the first time a restore such as ext3grep /dev/sda3 --restore-file test/a.txt is run.
This article is from the "intentions to create value, late coffee" blog, please be sure to keep this source http://wandiankafei.blog.51cto.com/10878910/1716201