extundelete——linux下误删文件的恢复

环境：vmware workstation 10

[root@localhost ~]# /etc/init.d/iptables stop   #关闭iptables[root@localhost ~]# getenforce 0                #关闭selinuxDisabled[root@localhost ~]# ping www.baidu.com          #确认虚拟可以上外网方便wget PING www.a.shifen.com (115.239.211.112) 56(84) bytes of data.64 bytes from 115.239.211.112: icmp_seq=1 ttl=54 time=7.11 ms64 bytes from 115.239.211.112: icmp_seq=2 ttl=54 time=7.27 ms64 bytes from 115.239.211.112: icmp_seq=3 ttl=54 time=7.70 ms

[root@localhost ~]# yum install e2fsprogs* -y        #安装extundelete依赖软件包

[root@localhost ~]# wget http://nchc.dl.sourceforge.net/project/extundelete/extundelete/0.2.4/extundelete-0.2.4.tar.bz2                         #下载extundelete软件包

[root@localhost ~]# tar xvf extundelete-0.2.4.tar.bz2   #解压包

 [root@localhost ~]# cd extundelete-0.2.4/              [root@localhost extundelete-0.2.4]# ./configure --prefix=/usr/local/extundelete #编译[root@localhost extundelete-0.2.4]# make&&make install        #编译安装

[root@localhost extundelete-0.2.4]# ln -s /usr/local/extundelete/bin/extundelete /usr/bin/                                                      #新建软连接，方便书写。

[root@localhost extundelete-0.2.4]# extundelete -v     #验证安装是否成功

extundelete version 0.2.4

libext2fs version 1.41.12

Processor is little endian.

--------------至此extundelete编译安装完成，下面就是模拟数据丢失恢复的过程------------------

[root@localhost ~]# fdisk -l /dev/sdb  #这块磁盘是我准用来试验的，对分区格式化文件系统

Disk /dev/sdb: 16.1 GB, 16106127360 bytes

255 heads, 63 sectors/track, 1958 cylinders

Units = cylinders of 16065 * 512 = 8225280 bytes

Sector size (logical/physical): 512 bytes / 512 bytes

I/O size (minimum/optimal): 512 bytes / 512 bytes

Disk identifier: 0x00000000

Disk /dev/sdb doesn't contain a valid partition table

  

[root@localhost ~]# fdisk  /dev/sdb          #分区，这里就分一个分区了。

[root@localhost ~]# mkfs.ext4 /dev/sdb1      #格式化文件系统

[root@localhost ~]# mkdir /data              [root@localhost ~]# mount /dev/sdb1 /data/     #挂载磁盘[root@localhost ~]# df -hFilesystem            Size  Used Avail Use% Mounted on/dev/mapper/VolGroup-lv_root                      7.5G  1.3G  5.8G  19% /tmpfs                 167M     0  167M   0% /dev/shm/dev/sda1             485M   31M  429M   7% /boot/dev/sr0              3.4G  3.4G     0 100% /iso/dev/sdb1              15G  166M   14G   2% /data

[root@localhost ~]# cd /data/

[root@localhost data]# cp /boot/. . -rvf    #拷贝些数据文件过来。。

`/boot/./.vmlinuz-2.6.32-220.el6.x86_64.hmac' -> `././.vmlinuz-2.6.32-220.el6.x86_64.hmac'`/boot/./System.map-2.6.32-220.el6.x86_64' -> `././System.map-2.6.32-220.el6.x86_64'`/boot/./symvers-2.6.32-220.el6.x86_64.gz' -> `././symvers-2.6.32-220.el6.x86_64.gz'......

[root@localhost data]# lsconfig-2.6.32-220.el6.x86_64  initramfs-2.6.32-220.el6.x86_64.img  System.map-2.6.32-220.el6.x86_64efi                           lost+found                           vmlinuz-2.6.32-220.el6.x86_64grub                          symvers-2.6.32-220.el6.x86_64.gz[root@localhost data]# rm -rf *        #模拟数据全部误删  [root@localhost data]# ls [root@localhost data]#

[root@localhost ~]# umount /data/     #误删文件后首先卸载磁盘[root@localhost ~]# df -hFilesystem            Size  Used Avail Use% Mounted on/dev/mapper/VolGroup-lv_root                      7.5G  1.3G  5.8G  19% /tmpfs                 167M     0  167M   0% /dev/shm/dev/sda1             485M   31M  429M   7% /boot/dev/sr0              3.4G  3.4G     0 100% /iso

/dev/sr0              3.4G  3.4G     0 100% /iso

[root@localhost ~]# extundelete /dev/sdb1 --inode 2 一般一个分区挂载到一个目录下时，这个”根”目录的inode值为2，我们为了查看根目录所有文件，所以查看分区inode为2的这个部分

NOTICE: Extended attributes are not restored.

Loading filesystem metadata ... 120 groups loaded.

Group: 0

Contents of inode 2:

0000 | ed 41 00 00 00 10 00 00 f9 74 7c 54 f4 74 7c 54 | .A.......t|T.t|T

0010 | f4 74 7c 54 00 00 00 00 00 00 02 00 08 00 00 00 | .t|T............

0020 | 00 00 00 00 10 00 00 00 e1 23 00 00 00 00 00 00 | .........#......

0030 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................

0040 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................

0050 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................

0060 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................

0070 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................

0080 | 1c 00 00 00 c8 80 67 7e c8 80 67 7e cc e6 87 38 | ......g~..g~...8

0090 | 3d 73 7c 54 00 00 00 00 00 00 00 00 00 00 00 00 | =s|T............

00a0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................

00b0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................

00c0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................

00d0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................

00e0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................

00f0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................

Inode is Allocated

File mode: 16877

Low 16 bits of Owner Uid: 0

Size in bytes: 4096

Access time: 1417442553

Creation time: 1417442548

Modification time: 1417442548

Deletion Time: 0

Low 16 bits of Group Id: 0

Links count: 2

Blocks count: 8

File flags: 0

File version (for NFS): 0

File ACL: 0

Directory ACL: 0

Fragment address: 0

Direct blocks: 9185, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0

Indirect block: 0

Double indirect block: 0

Triple indirect block: 0

File name                                       | Inode number | Deleted status

.                                                 2

..                                                2

lost+found                                        11             Deleted

.vmlinuz-2.6.32-220.el6.x86_64.hmac               12

System.map-2.6.32-220.el6.x86_64                  13             Deleted

symvers-2.6.32-220.el6.x86_64.gz                  14             Deleted

initramfs-2.6.32-220.el6.x86_64.img               15             Deleted

grub                                              786433         Deleted

vmlinuz-2.6.32-220.el6.x86_64                     16             Deleted

efi                                               262145         Deleted

config-2.6.32-220.el6.x86_64                      17             Deleted

注:标记为”Deleted”的文件则是被删除的文件

[root@localhost ~]# extundelete /dev/sdb1 --restore-file vmlinuz-2.6.32-220.el6.x86_64                                           #恢复指定的误删文件NOTICE: Extended attributes are not restored.Loading filesystem metadata ... 120 groups loaded.Loading journal descriptors ... 48 descriptors loaded.Successfully restored file vmlinuz-2.6.32-220.el6.x86_64

[root@localhost ~]# cd RECOVERED_FILES/  #这个目录会在当前目录下自动生成，里面是我们恢复的文件[root@localhost RECOVERED_FILES]# ls        #恢复成功vmlinuz-2.6.32-220.el6.x86_64

[root@localhost ~]# extundelete /dev/sdb1 --restore-all #恢复误删分区的所有文件NOTICE: Extended attributes are not restored.Loading filesystem metadata ... 120 groups loaded.Loading journal descriptors ... 48 descriptors loaded.Searching for recoverable inodes in directory / ... 26 recoverable inodes found.Looking through the directory structure for deleted files ... 0 recoverable inodes still lost.

[root@localhost ~]# cd RECOVERED_FILES/ [root@localhost RECOVERED_FILES]# ls    #恢复成功config-2.6.32-220.el6.x86_64  initramfs-2.6.32-220.el6.x86_64.img  vmlinuz-2.6.32-220.el6.x86_64efi                           symvers-2.6.32-220.el6.x86_64.gz     vmlinuz-2.6.32-220.el6.x86_64.v1grub                          System.map-2.6.32-220.el6.x86_64

注意：之前指定恢复的文件vmlinux-2.6.32-220.el6.x86_64不会被完全恢复后覆盖，而是重名为*.v1了

--------------------恢复完成，下面验证恢复后的文件和源文件是否一致-------------------------

[root@localhost ~]# md5sum /boot/vmlinuz-2.6.32-220.el6.x86_64 8d62ea19875a0f514d717fa251e5315c  /boot/vmlinuz-2.6.32-220.el6.x86_64[root@localhost ~]# md5sum RECOVERED_FILES/vmlinuz-2.6.32-220.el6.x86_64.v1 8d62ea19875a0f514d717fa251e5315c  RECOVERED_FILES/vmlinuz-2.6.32-220.el6.x86_64.v1[root@localhost ~]# md5sum RECOVERED_FILES/vmlinuz-2.6.32-220.el6.x86_648d62ea19875a0f514d717fa251e5315c  RECOVERED_FILES/vmlinuz-2.6.32-220.el6.x86_64

注：两次恢复后的文件md5值和源文件相同说明恢复成功。