
Recovering accidentally deleted files on an ext4 file system under CentOS 6 / RHEL 6

2020-11-10 11:55:28 Philosophy of life

One. About the ext4 file system

ext4, the fourth extended filesystem, is a journaling file system for Linux and the successor to ext3. It was implemented by a development team led by Theodore Ts'o, the ext3 maintainer. Compared with ext3, ext4 supports larger file systems and larger files, more subdirectories, and more blocks and inodes.

Files deleted by mistake on an ext4 file system can be recovered with extundelete; for an ext3 file system, use ext3grep. On Windows, you can use FinalData v2.0 (Chinese version) or EasyRecovery.

Two. Components of a Linux file system (inode, block)

A Linux file system consists of three parts: file name, inode, and block. The inode stores the file's metadata, and the blocks are where the data is actually stored. Windows also consists of three parts.

Every file has an inode number, which you can view with ls -i and stat.

[root@node5 ~]# ls -i test.txt 
34566868 test.txt
[root@node5 ~]# stat test.txt 
  File: ‘test.txt’
  Size: 12        	Blocks: 8          IO Block: 4096   regular file
Device: fd00h/64768d	Inode: 34566868    Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2020-10-10 17:30:12.532654117 +0800
Modify: 2020-10-10 17:30:12.532654117 +0800
Change: 2020-10-10 17:30:12.533654118 +0800
 Birth: -

Three. Question: why is deleting faster than copying?

Because deletion is only logical. Deleting a file does not actually erase its data; it only marks the file's entry as writable, so that when new data is written it directly overwrites the original data. The figures below illustrate this:

[Figures: two diagrams illustrating logical deletion]

Four. Question: what is the first thing to do after deleting a file by mistake?

Because deletion in Linux is only logical, the first thing to do is keep the contents of the deleted file from being overwritten by newly written data. Unmount the partition that holds the files to recover, or mount it read-only.

What if the deleted file is on the root file system and you want to recover it?

Method 1: Power off immediately, then attach the disk to another computer, mounted read-only, and recover from there.

Method 2: Install extundelete in advance on a virtual machine (running the same OS version as the server), copy it to a USB drive, and plug the USB drive into the server. When recovering, save the recovered files to the USB drive (do not let recovered data be written under /, because that would overwrite the previously deleted files).
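The precautions above as a pre-flight check, written as an added example rather than code from the original post: it refuses to proceed if the device is still mounted read-write or if the output directory lives on the device being recovered. The function names and the optional mount-table argument are assumptions.

```sh
#!/bin/sh
# Added example: pre-recovery safety check (helper names are hypothetical).
# Usage: sh precheck.sh /dev/sdb5 /root/reback

# Print "unmounted", "ro" or "rw" for device $1, reading a mount table in
# /proc/mounts format from $2 (defaults to the live /proc/mounts).
mount_state() {
    awk -v dev="$1" '
        $1 == dev {
            found = 1
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) if (opt[i] == "rw") rw = 1
        }
        END {
            if (!found) print "unmounted"
            else if (rw) print "rw"
            else print "ro"
        }' "${2:-/proc/mounts}"
}

# Print the device that backs directory $1 (first column of df -P).
backing_device() {
    df -P "$1" | awk 'NR == 2 { print $1 }'
}

# Return 0 only if extundelete can run on device $1 while writing recovered
# files under directory $2 without risking the deleted blocks.
safe_to_recover() {
    dev=$1 out=$2 table=${3:-/proc/mounts}
    state=$(mount_state "$dev" "$table")
    if [ "$state" = "rw" ]; then
        echo "$dev is mounted read-write: umount it or remount it read-only" >&2
        return 1
    fi
    if [ "$(backing_device "$out")" = "$dev" ]; then
        echo "$out is on $dev: recovered data would overwrite deleted blocks" >&2
        return 1
    fi
    echo "ok: $dev is $state, output goes to $(backing_device "$out")"
}

# Run the check only when executed as a script with arguments.
if [ "$#" -ge 2 ]; then safe_to_recover "$@"; fi
```

The device name must be given exactly as it appears in the first column of /proc/mounts and df.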

Five. Preparing the test environment

1. First, download extundelete-0.2.4.tar.bz2 from https://sourceforge.net/projects/extundelete/. It is worth mentioning that http://sourceforge.net/ is an open-source software distribution site where a lot of software can be downloaded.

2. Add a hard disk, or partition an existing one. The general steps are: partition with fdisk, create a mount point, format the partition as ext4, and finally mount it. For details on disk partitioning, see the partition tools section.

3. Prepare the test files, delete them, and unmount the partition.

# /dev/sdb5 is an ext4 file system, so create the test files in the /sdb5 directory
[root@node5 ~]# df -hT
Filesystem              Type      Size  Used Avail Use% Mounted on
/dev/mapper/centos-root xfs        17G   11G  6.2G  64% /
devtmpfs                devtmpfs  3.9G     0  3.9G   0% /dev
tmpfs                   tmpfs     3.9G  8.0K  3.9G   1% /dev/shm
tmpfs                   tmpfs     3.9G  8.8M  3.9G   1% /run
tmpfs                   tmpfs     3.9G     0  3.9G   0% /sys/fs/cgroup
/dev/sda1               xfs      1014M  125M  890M  13% /boot
/dev/sdb1               xfs        47M  2.7M   45M   6% /sdb1
/dev/sdb5               ext4      190M  1.6M  175M   1% /sdb5
/dev/sdb6               xfs       295M   16M  280M   6% /sdb6
tmpfs                   tmpfs     785M     0  785M   0% /run/user/0
[root@node5 ~]# cd /sdb5
[root@node5 sdb5]# pwd
/sdb5
[root@node5 sdb5]# ls
lost+found

# Copy some files as test files 
[root@node5 sdb5]# cp /etc/passwd ./
[root@node5 sdb5]# cp /etc/hosts ./
[root@node5 sdb5]# cp -r /boot/grub2 ./
[root@node5 sdb5]# mkdir -p a/b/c/d
[root@node5 sdb5]# touch a/b/test.txt
[root@node5 sdb5]# tree ./ -L 2
./
├── a
│   └── b
├── grub2
│   ├── device.map
│   ├── fonts
│   ├── grub.cfg
│   ├── grubenv
│   ├── i386-pc
│   └── locale
├── hosts
├── lost+found
└── passwd

7 directories, 5 files
[root@node5 sdb5]# ls
a  grub2  hosts  lost+found  passwd

# Delete test file 
[root@node5 sdb5]# rm -rf a grub2 hosts passwd
[root@node5 sdb5]# ls
lost+found

# Unmount the partition so that new data cannot overwrite the original data
[root@node5 sdb5]# cd
[root@node5 ~]# umount /sdb5

Six. Installing extundelete

1. extundelete-0.2.4.tar.bz2 is a source package, so extundelete has to be installed from source.

2. Compile and install extundelete from source

[root@node5 ~]# ls extundelete*
extundelete-0.2.4.tar.bz2

# Unpack the source archive
[root@node5 ~]# tar jxvf extundelete-0.2.4.tar.bz2 
[root@node5 ~]# ls
201810240430234009.pcm  apache-tomcat-8.0.51.tar.gz  extundelete-0.2.4                                       idea Shortcut key .txt              linux-4.19.77.tar   qemu-4.1.0                     test2.txt
a                       busybox-1.24.2               extundelete-0.2.4.tar.bz2                               iu.jpg                      linux Script .sh        qemu-4.1.0.tar                 test.txt
aaa.txt                 busybox-1.24.2.tar.bz2       glibc-aarch64-linux-gnu-2.24-2.sdl7.2.noarch.rpm        jdk-8u172-linux-x64.tar.gz  nginx-1.8.0.tar.gz  rootfs                          Test garbled files .txt
anaconda-ks.cfg         ceshi.txt                    glibc-aarch64-linux-gnu-devel-2.24-2.sdl7.2.noarch.rpm  linux-4.19.77               qemu-2.11.0.tar.xz  telnet-0.17-64.el7.x86_64.rpm

[root@node5 ~]# cd extundelete-0.2.4
[root@node5 extundelete-0.2.4]# pwd
/root/extundelete-0.2.4
[root@node5 extundelete-0.2.4]# ls
acinclude.m4  aclocal.m4  autogen.sh  config.h.in  configure  configure.ac  depcomp  install-sh  LICENSE  Makefile.am  Makefile.in  missing  README  src

# Install dependency packages 
[root@node5 extundelete-0.2.4]# yum -y install e2fsprogs-devel
 
# Check the system installation environment 
[root@node5 extundelete-0.2.4]# ./configure 
Configuring extundelete 0.2.4
Writing generated files to disk

# $? holds the exit status of the previous command; 0 means success
[root@node5 extundelete-0.2.4]# echo $?
0

# Compile the source code into executable binaries. -j 4 runs 4 jobs in parallel to speed up compilation, for example on a 4-core CPU
[root@node5 extundelete-0.2.4]# make -j 4
make -s all-recursive
Making all in src
extundelete.cc: In function ‘ext2_ino_t find_inode(ext2_filsys, ext2_filsys, ext2_inode*, std::string, int)’:
extundelete.cc:1272:29: warning: narrowing conversion of ‘search_flags’ from ‘int’ to ‘ext2_ino_t {aka unsigned int}’ inside { } [-Wnarrowing]
    buf, match_name2, priv, 0};
                             ^
[root@node5 extundelete-0.2.4]# echo $?
0

# Install the compiled binary
[root@node5 extundelete-0.2.4]# make install
Making install in src
  /usr/bin/install -c extundelete '/usr/local/bin'
  
[root@node5 extundelete-0.2.4]# echo $?
0

# The extundelete executable is now installed
[root@node5 extundelete-0.2.4]# which extundelete
/usr/local/bin/extundelete

# Aside: what is the difference between install and cp?
# install can set permissions while copying, but cp cannot
# For example (mode 777 is only for demonstration; it leaves the copy world-writable)
[root@node5 ~]# install -m 777 /bin/find /opt/a.sh
[root@node5 ~]# ll /opt/

Seven. Recovering the deleted files

1. There are four ways to recover files that were deleted by mistake:

  • Restore data by inode number
  • Restore data by file name
  • Restore a specified directory
  • Restore all files

2. Create a directory to hold the recovered data, then look up the deleted file names through the inode.

[root@node5 ~]# pwd
/root
[root@node5 ~]# mkdir reback
[root@node5 ~]# cd reback/
[root@node5 reback]# pwd
/root/reback

# Look up the deleted file names through the inode
# Aside: the root inode of an ext4 partition is 2; the root inode of an xfs partition is 64
[root@node5 reback]# extundelete /dev/sdb5 --inode 2
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 25 groups loaded.
Group: 0
Contents of inode 2:
0000 | ed 41 00 00 00 04 00 00 78 fe 83 5f 76 fe 83 5f | .A......x.._v.._
0010 | 76 fe 83 5f 00 00 00 00 00 00 03 00 02 00 00 00 | v.._............
0020 | 00 00 08 00 08 00 00 00 0a f3 01 00 04 00 00 00 | ................
0030 | 00 00 00 00 00 00 00 00 01 00 00 00 24 11 00 00 | ............$...
0040 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0050 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0060 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0070 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................

Inode is Allocated
File mode: 16877
Low 16 bits of Owner Uid: 0
Size in bytes: 1024
Access time: 1602485880
Creation time: 1602485878
Modification time: 1602485878
Deletion Time: 0
Low 16 bits of Group Id: 0
Links count: 3
Blocks count: 2
File flags: 524288
File version (for NFS): 0
File ACL: 0
Directory ACL: 0
Fragment address: 0
Direct blocks: 127754, 4, 0, 0, 1, 4388, 0, 0, 0, 0, 0, 0
Indirect block: 0
Double indirect block: 0
Triple indirect block: 0

File name                                       | Inode number | Deleted status
.                                                 2
..                                                2
lost+found                                        11
passwd                                            12             Deleted
hosts                                             13             Deleted
grub2                                             14             Deleted
a                                                 324            Deleted

3. Restore specific data by inode number

[root@node5 reback]# extundelete /dev/sdb5 --restore-inode 12

4. Restore specific data by file name

[root@node5 reback]# extundelete /dev/sdb5 --restore-file hosts

5. Restore all files in the specified directory

[root@node5 reback]# extundelete /dev/sdb5 --restore-directory a

6. Restore all files

[root@node5 reback]# extundelete /dev/sdb5 --restore-all

7. Note: when recovering files, extundelete cannot automatically recreate empty files and empty directories. For example:

[Figure: example from the original post]
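An added example (not from the original post) of checking a recovery against a reference copy, which also surfaces the empty files and directories that extundelete does not recreate. The function names, the status labels and the existence of a reference tree (a backup, or the originals the test files were copied from) are assumptions.

```sh
#!/bin/sh
# Added example: compare a recovered tree with a known-good reference tree.
# Function names and status labels are hypothetical.
# Usage: sh verify.sh /path/to/reference /root/reback/RECOVERED_FILES

# For every entry under reference tree $1, print "<STATUS> <relative path>"
# describing what was found at the same path under recovered tree $2.
recovery_report() {
    orig=$1 rec=$2
    ( cd "$orig" && find . | sed -n 's|^\./||p' | sort ) |
    while IFS= read -r rel; do
        if [ -d "$orig/$rel" ]; then
            [ -d "$rec/$rel" ] && echo "OK-DIR $rel" || echo "MISSING-DIR $rel"
        elif [ ! -e "$rec/$rel" ]; then
            # Empty files are expected to be absent (see the note above),
            # so they get their own label instead of counting as a failure.
            [ -s "$orig/$rel" ] && echo "MISSING $rel" || echo "MISSING-EMPTY $rel"
        elif cmp -s "$orig/$rel" "$rec/$rel"; then
            echo "OK $rel"
        else
            # Present but different: some blocks were probably overwritten.
            echo "DIFF $rel"
        fi
    done
}

# Exit status 0 only when every non-empty file came back byte-identical.
recovery_ok() {
    ! recovery_report "$1" "$2" | grep -Eq '^(MISSING|DIFF) '
}

# Print the report only when executed as a script with two arguments.
if [ "$#" -eq 2 ]; then recovery_report "$1" "$2"; fi
```

extundelete writes its results to a RECOVERED_FILES directory under the current working directory, which is the tree to pass as the second argument.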

Copyright notice
This article was written by [Philosophy of life]. Please include a link to the original when reposting. Thanks.