CentOS6.5 下 extundelete回复删除的文件

32去2

Linux 下面删除文件后常用的是extundelete工具来恢复，支持ext3/4文件系统


1 安装extundelete工具（千万不要把它安装到删除文件所在的分区）
在安装extundelete之前，需要确保系统安装了e2fsprogs，e2fsprogs-libs，e2fsprogs-devel。

1	yum install e2fsprogs e2fsprogs-libs e2fsprogs-devel -y

去extundelete官网下载源码包 http://extundelete.sourceforge.net/ 最新的版本是0.2.4 。

1	wget http://nchc.dl.sourceforge.net/p ... elete-0.2.4.tar.bz2

编译安装该文件，如果在安装过程中遇到什么问题，可以进入解压后的文件包，仔细遇到README文件

1 2 3 4

tar xjf extundelete-0.2.4.tar.bz2 cd extundelete-0.2.4 ./configure make && make install

2 extundelete的实用方式

平时可以通过 --help命令查看详细的命令参数
删除数据的时候，千万不要再向文件所在的硬盘写数据，然后卸载删除数据所在的分区。如果是根分区，需要进入单用户模式，将跟分区设置为只读模式挂载。

1 2	umount /dev/partition mount -o remount,ro /dev/partition

创建一个模拟环境，新添加了一个硬盘sdb，然后分区，挂在到/delete目录。在/delete目录下面创建四个例子
1 空文件夹
2 空文件
3 文件夹里面有文件
4 有内容的文件

1 2 3 4 5 6 7

[iyunv@localhost delete]# mkdir p [iyunv@localhost delete]# touch p [iyunv@localhost delete]# vi p1.txt [iyunv@localhost delete]# mkdir p1 [iyunv@localhost delete]# cd p1 [iyunv@localhost p1]# vi p2.txt [iyunv@localhost p1]# cd ..

然后删除他们

1

rm -rf *

卸载分区，可以通过extundelete命令查看该分区可以恢复的数据信息

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18

[iyunv@localhost ~]# mount /dev/mapper/VolGroup-lv_root on / type ext4 (rw) proc on /proc type proc (rw) sysfs on /sys type sysfs (rw) devpts on /dev/pts type devpts (rw,gid=5,mode=620) tmpfs on /dev/shm type tmpfs (rw,rootcontext="system_u:object_r:tmpfs_t:s0") /dev/sda1 on /boot type ext4 (rw) none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw) /dev/sdb on /delete type ext4 (rw) [iyunv@localhost ~]# umount  /dev/sdb /delete/ [iyunv@localhost ~]# mount /dev/mapper/VolGroup-lv_root on / type ext4 (rw) proc on /proc type proc (rw) sysfs on /sys type sysfs (rw) devpts on /dev/pts type devpts (rw,gid=5,mode=620) tmpfs on /dev/shm type tmpfs (rw,rootcontext="system_u:object_r:tmpfs_t:s0") /dev/sda1 on /boot type ext4 (rw) none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)

执行命令，看看该分区下面有多少文件是可以恢复的

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50

[iyunv@localhost ~]# extundelete /dev/sdb --inode 2 NOTICE: Extended attributes are not restored. Loading filesystem metadata ... 64 groups loaded. Group: 0 Contents of inode 2: 0000 | ed 41 00 00 00 10 00 00 a1 a2 d6 56 a0 a2 d6 56 | .A.........V...V 0010 | a0 a2 d6 56 00 00 00 00 00 00 02 00 08 00 00 00 | ...V............ 0020 | 00 00 00 00 17 00 00 00 21 22 00 00 00 00 00 00 | ........!"...... 0030 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 0040 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 0050 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 0060 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 0070 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 0080 | 1c 00 00 00 4c c1 15 de 4c c1 15 de 40 7a 87 e9 | ....L...L...@z.. 0090 | 1a 0d d5 56 00 00 00 00 00 00 00 00 00 00 00 00 | ...V............ 00a0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 00b0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 00c0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 00d0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 00e0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 00f0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ Inode is Allocated File mode: 16877 Low 16 bits of Owner Uid: 0 Size in bytes: 4096 Access time: 1456906913 Creation time: 1456906912 Modification time: 1456906912 Deletion Time: 0 Low 16 bits of Group Id: 0 Links count: 2 Blocks count: 8 File flags: 0 File version (for NFS): 0 File ACL: 0 Directory ACL: 0 Fragment address: 0 Direct blocks: 8737, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 Indirect block: 0 Double indirect block: 0 Triple indirect block: 0 File name                                       | Inode number | Deleted status .                                                 2 ..                                                2 lost+found                                        11             Deleted p                                                 131073         Deleted p1                                                393217         Deleted p1.txt

然后执行整个分区恢复 或者单个文件恢复
按照inode恢复文件

1	extundelete  /dev/sdb --restore-inode 393217

按照文件名恢复

1	extundelete  /dev/sdb --restore-file p1.txt

恢复整个目录

1	extundelete  /dev/sdb --restore-directory /p

恢复所有该分区删除的文件

1	extundelete  /dev/sdb --restore-all

恢复的文件会在当前目录下面创建一个 RECOVERED_FILES文件

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18

[iyunv@localhost ~]# extundelete  /dev/sdb --restore-all NOTICE: Extended attributes are not restored. Loading filesystem metadata ... 64 groups loaded. Loading journal descriptors ... 61 descriptors loaded. Searching for recoverable inodes in directory / ... 5 recoverable inodes found. Looking through the directory structure for deleted files ... 0 recoverable inodes still lost. [iyunv@localhost ~]# ls anaconda-ks.cfg  install.log  install.log.syslog  RECOVERED_FILES [iyunv@localhost ~]# cd RECOVERED_FILES/ [iyunv@localhost RECOVERED_FILES]# ls p1  p1.txt [iyunv@localhost RECOVERED_FILES]# tree . ├── p1 │   └── p2.txt └── p1.txt

可以发现空目录和空文件都是无法恢复。