Yesterday I accidentally ran rm xx -rf and deleted a project. I was full of regret: the project represented a week of work. It had to be fixed, so I searched Google, found the recovery tool extundelete, and in the end successfully recovered all of the files I had deleted by mistake. Thank God, and thank extundelete. What follows is a summary of my experience.
How to use extundelete
1) Download the extundelete tool
Installing the tool on Ubuntu is very easy:
sudo apt-get install extundelete
2) Usage
It is also very easy to use. The extundelete --help command tells you most of what you need:
itleaks@itleaks:~$ extundelete --help
Usage: extundelete [options] [--] device-file
Options:
  ...
  --after dtime          Only process entries deleted on or after 'dtime'.
  --before dtime         Only process entries deleted before 'dtime'.
Actions:
  ...
  --restore-file 'path'  Will restore file 'path'. 'path' is relative to root
                         of the partition and does not start with a '/' (it
                         must be one of the paths returned by --dump-names).
                         The restored file is created in the current
                         directory as 'RECOVERED_FILES/path'.
  --restore-files 'path' Will restore files which are listed in the file 'path'.
                         Each filename should be in the same format as an option
                         to --restore-file, and there should be one per line.
  --output-dir 'path'    Restore files in the output dir 'path'.
                         By default the restored files are created under
                         current directory 'RECOVERED_FILES'.
  --restore-all          Attempts to restore everything.
  ...
When we delete useful files by accident, we usually know roughly when the deletion happened, so the time options let us restore the files we want quickly and accurately. How is this dtime value generated? See the following command:
itleaks@itleaks:~$ date -d "2014-06-01 23:02:00" +%s
1401634920
%s means seconds since 1970-01-01 00:00:00 UTC, that is, the difference between the time you entered and 1970-01-01 00:00:00.
You can then use this value for recovery:
sudo extundelete /dev/sda8 --after 1401634920 --restore-all
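An added example (not code from the original article): it computes the dtime values with an explicit UTC offset and builds the extundelete command only when the partition is not mounted read-write, the condition the tool warns about in its own output. The function names, the sample /proc/mounts content and the /dev/sdb1, /dev/sdc1 and /mnt paths are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

def dtime(wall_clock, utc_offset_hours):
    """Epoch seconds for 'YYYY-MM-DD HH:MM:SS' read in an explicit UTC offset.

    `date -d ... +%s` uses the shell's time zone, so a rescue system running
    in UTC gives a different number for the same wall-clock string.
    """
    tz = timezone(timedelta(hours=utc_offset_hours))
    parsed = datetime.strptime(wall_clock, "%Y-%m-%d %H:%M:%S")
    return int(parsed.replace(tzinfo=tz).timestamp())

def mount_state(device, mounts_text):
    """Return None, 'ro' or 'rw' for `device`, given /proc/mounts content."""
    state = None
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == device:
            if "rw" in fields[3].split(","):
                return "rw"
            state = "ro"
    return state

def build_command(device, after, before, output_dir, mounts_text):
    """Build the extundelete argv; refuse a device that is mounted read-write."""
    if after >= before:
        raise ValueError("--after must be earlier than --before")
    if mount_state(device, mounts_text) == "rw":
        raise RuntimeError(device + " is mounted read-write; unmount it or "
                           "remount it read-only first")
    return ["extundelete", device, "--after", str(after),
            "--before", str(before), "--restore-all",
            "--output-dir", output_dir]

# Constructed /proc/mounts sample (not taken from the article's machine).
SAMPLE_MOUNTS = """\
/dev/sda8 / ext3 rw,relatime,errors=remount-ro 0 0
/dev/sdb1 /mnt/rescue ext4 rw,relatime 0 0
/dev/sdc1 /mnt/image ext3 ro,relatime 0 0
"""

if __name__ == "__main__":
    start = dtime("2014-06-01 22:28:00", 8)  # the article's times match UTC+8
    end = dtime("2014-06-01 23:02:00", 8)
    print(" ".join(build_command("/dev/sdc1", start, end,
                                 "/mnt/rescue/out", SAMPLE_MOUNTS)))
```

Pointing --output-dir at a different file system keeps the restored copies from being written over the very blocks that are being recovered.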
Now let's run a trial. The details are as follows:
itleaks@itleaks:/tmp$ echo "recovery test" > itleaks.test
itleaks@itleaks:/tmp$ rm itleaks.test
itleaks@itleaks:/tmp$ date -d '2014-06-01 22:28:00' +%s
1401632880
itleaks@itleaks:/tmp$ sudo extundelete /dev/sda8 --after 1401632880 --restore-all
Only show and process deleted entries if they are deleted on or after 1401632880 and before 9223372036854775807.
WARNING: Extended attributes are not restored.
WARNING: EXT3_FEATURE_INCOMPAT_RECOVER is set.
The partition should be unmounted to undelete any files without further data loss.
If the partition is not currently mounted, this message indicates
it was improperly unmounted, and you should run fsck before continuing.
If you decide to continue, extundelete could overwrite some of the deleted
files and make recovering those files impossible. You should unmount the
file system and check it with fsck before using extundelete.
Would you like to continue? (y/n)
y
Loading filesystem metadata ... 378 groups loaded.
Loading journal descriptors ... 27106 descriptors loaded.
Searching for recoverable inodes in directory / ...
Recoverable inodes found.
Looking through the directory structure for deleted files ...
...
Unable to restore inode 2360218 (etc/brltty/brl-fs-bumpers.kti): No undeleted copies found in the journal.
Unable to restore inode 2359564 (etc/mtab~): No undeleted copies found in the journal.
Restored inode 2883641 to file RECOVERED_FILES/tmp/itleaks.test
itleaks@itleaks:/tmp$ tree RECOVERED_FILES/
RECOVERED_FILES/
└── tmp
    └── itleaks.test

1 directory, 1 file
The principle behind extundelete
This works because of how the Linux ext3 file system is organized, as shown in the following figure:
In Linux, the super block describes the partition. A partition is divided into two parts, the index node (inode) table and the data block area, both of which are laid out when the partition is formatted. A file (a directory is also a file, whose content describes the files in that directory) is described by an index node, which records the file's modification time, file name, file block addresses and so on. Linux is also lazy about deleting files: when you delete a file, the system simply marks the file's index node and its data blocks as free (setting nlink=0) and clears nothing else; the data inside is modified only when the index node or a block is actually reused. This gives us the opportunity to recover files. Because index nodes have a fixed size, it is easy to traverse all of them, find the free ones and check whether their blocks have been reused; if they have not, the file can be recovered. And because the information in the index node is also preserved, specific deleted files can be recovered according to their deletion time.
Considerations after a file is mistakenly deleted
From the analysis above, after deleting files by mistake, avoid operations that write a lot of data, so that the data blocks of the deleted files are not reused, which would make the data unrecoverable.
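The inode-table scan described in the principle section above, as an added example that is not extundelete's code and not from the original article: it walks fixed-size inode records, keeps those with a zero link count and a deletion time inside the --after/--before window, and drops any whose blocks have been reused. The 128-byte little-endian layout is the classic ext2/ext3 on-disk inode; the function names, inode numbers and block numbers are constructed for illustration.

```python
import struct

INODE_SIZE = 128                      # classic ext2/ext3 on-disk inode size
HEAD = struct.Struct("<HHIIIIIHHII")  # i_mode ... i_flags, first 36 bytes
BLOCKS = struct.Struct("<15I")        # i_block[15], at byte offset 40

def scan_deleted(table, first_ino, after, before, blocks_in_use):
    """Return (inode number, dtime, blocks) for recoverable deleted inodes."""
    hits = []
    for idx in range(len(table) // INODE_SIZE):
        raw = table[idx * INODE_SIZE:(idx + 1) * INODE_SIZE]
        (mode, _uid, _size, _atime, _ctime, _mtime, dtime,
         _gid, links, _sectors, _flags) = HEAD.unpack_from(raw, 0)
        if mode == 0 or links != 0 or dtime == 0:
            continue                  # never allocated, or still in use
        if not after <= dtime < before:
            continue                  # outside the --after/--before window
        blocks = [b for b in BLOCKS.unpack_from(raw, 40) if b]
        if not blocks or any(b in blocks_in_use for b in blocks):
            continue                  # no pointers left, or data overwritten
        hits.append((first_ino + idx, dtime, blocks))
    return hits

def make_inode(mode, dtime, links, blocks):
    """Build one constructed 128-byte inode record (test data only)."""
    raw = bytearray(INODE_SIZE)
    HEAD.pack_into(raw, 0, mode, 0, 4096 * len(blocks), 0, 0, 0, dtime,
                   0, links, 8 * len(blocks), 0)
    BLOCKS.pack_into(raw, 40, *(blocks + [0] * (15 - len(blocks))))
    return bytes(raw)

# Constructed inode table: inode numbers 12..16 of a made-up file system.
SAMPLE_TABLE = b"".join([
    make_inode(0o100644, 0, 1, [100]),                # 12: live file
    make_inode(0o100644, 1401632900, 0, [200, 201]),  # 13: deleted, intact
    make_inode(0o100644, 1401600000, 0, [300]),       # 14: deleted too early
    make_inode(0o100644, 1401633000, 0, [400]),       # 15: block 400 reused
    bytes(INODE_SIZE),                                # 16: never allocated
])

if __name__ == "__main__":
    for ino, dtime, blocks in scan_deleted(SAMPLE_TABLE, 12, 1401632880,
                                           2**63 - 1, {400}):
        print(ino, dtime, blocks)
```

Inode 15 shows why writing to the partition after the deletion matters: once block 400 has been handed to another file, the record is no longer recoverable.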
/********************************
* This article is from the blog "Love Kicking Door"
* When reprinting, please indicate the source: http://blog.csdn.net/itleaks
********************************/