Recovering accidentally deleted data from a disk with the extundelete tool
Principle:
A brief introduction to inodes. Under Linux, you can use the "ls -id" command to view the inode number of a file or directory. For example, to view the inode number of the root directory, enter:
[root@Server-100 shell]# ls -id /
2 /
When recovering a file, extundelete does not rely on a particular file format. It first reads the inode information from the file system (the inode of the root directory is typically 2).
Then the inode information is used to look up the block locations for that inode, including direct blocks and indirect blocks.
Finally, the dd command is used to back up this information and restore the data file.
Installation:
Official website: https://sourceforge.net/projects/extundelete/files/latest/download?source=top3_dlp_t5
[root@Server-100 src]# yum -y install e2fsprogs-libs e2fsprogs e2fsprogs-devel
[root@Server-100 src]# rpm -q e2fsprogs-libs e2fsprogs e2fsprogs-devel
[root@Server-100 src]# tar jxvf extundelete-0.2.4.tar.bz2
[root@Server-100 src]# cd extundelete-0.2.4
[root@Server-100 extundelete-0.2.4]# ./configure && make && make install
An executable file is generated once installation is complete.
Use:
[root@Server-100 src]# extundelete --help
The options are:
--version, -[vV], displays the software version number.
--help, displays the software help information.
--superblock, displays the superblock information.
--journal, displays the journal information.
--after dtime, a time parameter: selects files or directories that were deleted after the given time.
--before dtime, a time parameter: selects files or directories that were deleted before the given time.
Actions are:
--inode ino, displays the information for inode "ino".
--block blk, displays the information for data block "blk".
--restore-inode ino[,ino,...], a restore action: recovers the file with inode number "ino". The recovered files are placed automatically in the RESTORED_FILES folder in the current directory, with the inode number as the extension.
--restore-file 'path', a restore action: recovers the file at the specified path. The recovered file is placed in the RECOVERED_FILES directory in the current directory.
--restore-files 'path', a restore action: recovers all the files listed in 'path'.
--restore-all, a restore action: attempts to recover all directories and files.
-j journal, reads the external journal from the named file.
-b blocknumber, opens the file system using a previously backed-up superblock; typically used to check whether the existing superblock is the desired one.
-B blocksize, opens the file system with the specified block size; typically used when the block size is already known.
After data has been deleted, the first thing to do is unmount the disk or partition that held it. If the deletion happened on the system root partition, you need to enter single-user mode and mount the root partition read-only.
Reason: when a file is deleted, only the sector pointers in the file's inode are zeroed; the file contents still exist on the disk. If the disk is mounted read-write, the data blocks of the deleted file may be reallocated by the system, and once those blocks are overwritten the data is really lost. Mounting read-only avoids overwriting the data as far as possible.
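A pre-flight check for the rule above, as an added example that is not part of the original article: it reads a /proc/mounts-style table and refuses recovery while the device is still mounted read-write. The function names, the sample table and /dev/sdc1 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): refuse to start recovery
# while the target device is mounted read-write.

# mount_state DEVICE [TABLE]
# Prints "unmounted", "ro" or "rw" for DEVICE, reading a /proc/mounts-style
# table (default: /proc/mounts). DEVICE must be spelled as it appears there.
mount_state() (
    dev=$1 table=${2:-/proc/mounts} state=unmounted
    while read -r src _mnt _fs opts _rest; do
        [ "$src" = "$dev" ] || continue
        case ",$opts," in
            *,rw,*) state=rw; break ;;  # one read-write mount is enough to be unsafe
            *,ro,*) state=ro ;;
        esac
    done < "$table"
    printf '%s\n' "$state"
)

# safe_to_recover DEVICE [TABLE]: succeeds only if DEVICE is unmounted or read-only.
safe_to_recover() {
    [ "$(mount_state "$@")" != rw ]
}

# Constructed sample table: /dev/sdb1 is still mounted read-write on the test
# directory used in the article, /dev/sdc1 (hypothetical) is mounted read-only.
sample=$(mktemp)
cat > "$sample" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /usr/local/src/test ext4 rw,relatime,data=ordered 0 0
/dev/sdc1 /mnt/evidence ext4 ro,relatime 0 0
EOF

for d in /dev/sdb1 /dev/sdc1 /dev/sdd1; do
    if safe_to_recover "$d" "$sample"; then
        echo "$d: $(mount_state "$d" "$sample") - ok to run extundelete"
    else
        echo "$d: mounted read-write - unmount or remount read-only first"
    fi
done
rm -f "$sample"
```
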
Experiment:
In the following experiment I formatted the disk as an ext4 file system; the same method also works for recovery under an ext3 file system.
First, mount a new partition:
[root@Server-100 src]# mkfs.ext4 /dev/sdb1
[root@Server-100 src]# pwd
/usr/local/src/
[root@Server-100 src]# mkdir test
[root@Server-100 src]# mount /dev/sdb1 test/
[root@Server-100 src]# cp /etc/passwd test/
[root@Server-100 src]# cp -r shell/ test/
[root@Server-100 src]# mkdir test/yhl
[root@Server-100 src]# echo "Welcome to test" > test/yhl/1.txt
[root@Server-100 src]# cd test/
[root@Server-100 test]# md5sum passwd
b182c9886c816aa0b4fc77ca6585d42e  passwd
[root@Server-100 test]# md5sum yhl/1.txt
eb39646285ff90dd31f24bd9f0a34257  yhl/1.txt
[root@Server-100 test]# ls shell/ yhl/
shell/:
6.sh check_system.sh hanyi.sh if2.sh if4.sh new.sh.bak p_s1.sh root.sh yanse.sh yuhulin.sh yunsuan.sh
case.sh chengji.sh if1.sh if3.sh new.sh PPP python.sh test youxi.sh yunsuan-1.sh
yhl/:
1.txt
[root@Server-100 test]# rm -rf *
Recovery:
1. Unmount the partition the files were deleted from
[root@Server-100 test]# umount /usr/local/src/test/
umount: /usr/local/src/test: device is busy.
        (In some cases useful info about processes that use
         the device is found by lsof(8) or fuser(1))
The device is reported as busy; with the following method it can be unmounted:
[root@Server-100 test]# fuser -m -v -i -k /usr/local/src/test/
[root@Server-100 ~]# umount /usr/local/src/test/
View the data that can be recovered
[root@Server-100 ~]# extundelete /dev/sdb1 --inode 2    (because the inode of the partition's root directory is 2)
File name                                       | Inode number | Deleted status
.                                                 2
..                                                2
shell                                             130305         Deleted
passwd                                                           Deleted
yhl                                               1042433        Deleted
First, test restoring a single file
[root@Server-100 ~]# extundelete /dev/sdb1 --restore-file passwd    // --restore-file restores the specified file
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 153 groups loaded.
Loading journal descriptors ... descriptors loaded.
Successfully restored file passwd
[root@Server-100 ~]# cd RECOVERED_FILES/    // after a successful recovery this directory is created by default, and the recovered files are placed in it
[root@Server-100 RECOVERED_FILES]# ls
passwd
[root@Server-100 RECOVERED_FILES]# md5sum passwd    // the MD5 checksum is the same as before the deletion, which shows the recovery succeeded
b182c9886c816aa0b4fc77ca6585d42e  passwd
Test restoring a directory
[root@Server-100 RECOVERED_FILES]# extundelete /dev/sdb1 --restore-directory /shell
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 153 groups loaded.
Loading journal descriptors ... descriptors loaded.
Searching for recoverable inodes in directory /shell ...
Recoverable inodes found.
Looking through the directory structure for deleted files ...
5 recoverable inodes still lost.
[root@Server-100 RECOVERED_FILES]# ls
passwd RECOVERED_FILES
[root@Server-100 RECOVERED_FILES]# cd RECOVERED_FILES/
[root@Server-100 RECOVERED_FILES]# ls
shell
The directory is there, but there is one problem: the permissions of the restored files differ from what they were before, so you need to set the permissions again (this was the case when I tested).
Recover all data
[root@Server-100 shell]# extundelete /dev/sdb1 --restore-all
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 153 groups loaded.
Loading journal descriptors ... descriptors loaded.
Searching for recoverable inodes in directory / ...
Recoverable inodes found.
Looking through the directory structure for deleted files ...
1 recoverable inodes still lost.
[root@Server-100 shell]# cd RECOVERED_FILES/
[root@Server-100 RECOVERED_FILES]# ls
passwd shell yhl
[root@Server-100 yhl]# ls
1.txt
[root@Server-100 yhl]# cat 1.txt
Welcome to test
[root@Server-100 yhl]# md5sum 1.txt
eb39646285ff90dd31f24bd9f0a34257  1.txt
[root@Server-100 shell]# du -sh RECOVERED_FILES/*
4.0K    RECOVERED_FILES/passwd
96K     RECOVERED_FILES/shell
8.0K    RECOVERED_FILES/yhl
As you can see, the data was recovered successfully.
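The md5sum comparisons done by hand above can be scripted. This added example (not from the original article) checks a recovery directory against md5sum lines recorded before the deletion and separates files that are missing from files that came back damaged; the function names and the demo files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): check recovered files against
# md5sum lines recorded before the deletion.

# verify_recovered MANIFEST DIR
# MANIFEST holds "md5sum" output lines with paths relative to the old mount point.
# Prints OK / MISSING / MISMATCH per file; returns 0 only if every file is OK.
verify_recovered() (
    manifest=$1 dir=$2 rc=0
    while read -r want path; do
        [ -n "$want" ] || continue          # skip blank lines
        path=${path#\*}                     # drop md5sum's binary-mode marker
        if [ ! -f "$dir/$path" ]; then
            echo "MISSING  $path"; rc=1
            continue
        fi
        got=$(md5sum < "$dir/$path" | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then
            echo "OK       $path"
        else
            echo "MISMATCH $path"; rc=1     # blocks were reused or only partly recovered
        fi
    done < "$manifest"
    exit "$rc"
)

# Constructed demo mirroring the article's layout: yhl/1.txt comes back intact,
# passwd comes back damaged, shell/new.sh is not recovered at all.
demo() (
    d=$(mktemp -d) && cd "$d" || exit 1
    mkdir -p before/yhl before/shell RECOVERED_FILES/yhl
    echo "Welcome to test" > before/yhl/1.txt
    echo "root:x:0:0::/root:/bin/bash" > before/passwd
    echo "echo hi" > before/shell/new.sh
    (cd before && md5sum passwd yhl/1.txt shell/new.sh) > manifest.md5
    cp before/yhl/1.txt RECOVERED_FILES/yhl/1.txt
    echo "truncated" > RECOVERED_FILES/passwd
    verify_recovered manifest.md5 RECOVERED_FILES
    rc=$?
    cd / && rm -rf "$d"
    exit "$rc"
)
demo || echo "recovery incomplete"
```

The manifest has to be taken before the deletion, as the article does with md5sum on passwd and yhl/1.txt; without one, a "Successfully restored" message says nothing about whether the content is intact.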
This article is from the "Sunshineboy" blog; please keep this source link: http://sunshineboy.blog.51cto.com/10310940/1766207