
extundelete——linux下误删文件的恢复

2015-01-24 12:07 573 查看
extundelete——linux下误删文件的恢复

环境:vmware workstation 10
[root@localhost ~]# /etc/init.d/iptables stop   #关闭iptables
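[root@localhost ~]# getenforce 0                #查看selinux状态(getenforce只显示当前状态,输出Disabled表示已关闭;临时关闭应使用setenforce 0。extundelete本身并不要求关闭防火墙或SELinux,这里只是测试虚拟机环境)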
Disabled
[root@localhost ~]# ping www.baidu.com          #确认虚拟机可以访问外网,方便后面用wget下载
PING www.a.shifen.com (115.239.211.112) 56(84) bytes of data.
64 bytes from 115.239.211.112: icmp_seq=1 ttl=54 time=7.11 ms
64 bytes from 115.239.211.112: icmp_seq=2 ttl=54 time=7.27 ms
64 bytes from 115.239.211.112: icmp_seq=3 ttl=54 time=7.70 ms
[root@localhost ~]# yum install e2fsprogs* -y        #安装extundelete依赖软件包
[root@localhost ~]# wget http://nchc.dl.sourceforge.net/project/extundelete/extundelete/0.2.4/extundelete-0.2.4.tar.bz2                         #下载extundelete软件包(这里是通过明文HTTP下载,建议先核对压缩包的校验和,再以root身份编译安装)
[root@localhost ~]# tar xvf extundelete-0.2.4.tar.bz2   #解压包
[root@localhost ~]# cd extundelete-0.2.4/
[root@localhost extundelete-0.2.4]# ./configure --prefix=/usr/local/extundelete #配置编译选项并指定安装路径
[root@localhost extundelete-0.2.4]# make&&make install        #编译安装
[root@localhost extundelete-0.2.4]# ln -s /usr/local/extundelete/bin/extundelete /usr/bin/                                                      #新建软连接,方便书写。
[root@localhost extundelete-0.2.4]# extundelete -v     #验证安装是否成功
extundelete version 0.2.4
libext2fs version 1.41.12
Processor is little endian.

--------------至此extundelete编译安装完成,下面就是模拟数据丢失恢复的过程------------------

[root@localhost ~]# fdisk -l /dev/sdb  #这块磁盘是我准备用来试验的,下面对它分区并格式化文件系统


Disk /dev/sdb: 16.1 GB, 16106127360 bytes
255 heads, 63 sectors/track, 1958 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000

Disk /dev/sdb doesn't contain a valid partition table

[root@localhost ~]# fdisk  /dev/sdb          #分区,这里就分一个分区了。
[root@localhost ~]# mkfs.ext4 /dev/sdb1      #格式化文件系统
[root@localhost ~]# mkdir /data
[root@localhost ~]# mount /dev/sdb1 /data/     #挂载磁盘
[root@localhost ~]# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/VolGroup-lv_root
7.5G  1.3G  5.8G  19% /
tmpfs                 167M     0  167M   0% /dev/shm
/dev/sda1             485M   31M  429M   7% /boot
/dev/sr0              3.4G  3.4G     0 100% /iso
/dev/sdb1              15G  166M   14G   2% /data
[root@localhost ~]# cd /data/
[root@localhost data]# cp /boot/. . -rvf    #拷贝些数据文件过来。。
`/boot/./.vmlinuz-2.6.32-220.el6.x86_64.hmac' -> `././.vmlinuz-2.6.32-220.el6.x86_64.hmac'
`/boot/./System.map-2.6.32-220.el6.x86_64' -> `././System.map-2.6.32-220.el6.x86_64'
`/boot/./symvers-2.6.32-220.el6.x86_64.gz' -> `././symvers-2.6.32-220.el6.x86_64.gz'
......
[root@localhost data]# ls
config-2.6.32-220.el6.x86_64  initramfs-2.6.32-220.el6.x86_64.img  System.map-2.6.32-220.el6.x86_64
efi                           lost+found                           vmlinuz-2.6.32-220.el6.x86_64
grub                          symvers-2.6.32-220.el6.x86_64.gz
[root@localhost data]# rm -rf *        #模拟数据全部误删
[root@localhost data]# ls
[root@localhost data]#
[root@localhost ~]# umount /data/     #误删文件后首先卸载磁盘(或重新挂载为只读),避免新的写入覆盖已删除文件的数据块
[root@localhost ~]# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/VolGroup-lv_root
7.5G  1.3G  5.8G  19% /
tmpfs                 167M     0  167M   0% /dev/shm
/dev/sda1             485M   31M  429M   7% /boot
/dev/sr0              3.4G  3.4G     0 100% /iso
/dev/sr0 3.4G 3.4G 0 100% /iso
[root@localhost ~]# extundelete /dev/sdb1 --inode 2   #一般一个分区挂载到一个目录下时,这个“根”目录的inode值为2;为了查看根目录下的所有文件,这里查看该分区inode为2的内容
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 120 groups loaded.
Group: 0
Contents of inode 2:
0000 | ed 41 00 00 00 10 00 00 f9 74 7c 54 f4 74 7c 54 | .A.......t|T.t|T
0010 | f4 74 7c 54 00 00 00 00 00 00 02 00 08 00 00 00 | .t|T............
0020 | 00 00 00 00 10 00 00 00 e1 23 00 00 00 00 00 00 | .........#......
0030 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0040 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0050 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0060 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0070 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0080 | 1c 00 00 00 c8 80 67 7e c8 80 67 7e cc e6 87 38 | ......g~..g~...8
0090 | 3d 73 7c 54 00 00 00 00 00 00 00 00 00 00 00 00 | =s|T............
00a0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00b0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00c0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00d0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00e0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00f0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................

Inode is Allocated
File mode: 16877
Low 16 bits of Owner Uid: 0
Size in bytes: 4096
Access time: 1417442553
Creation time: 1417442548
Modification time: 1417442548
Deletion Time: 0
Low 16 bits of Group Id: 0
Links count: 2
Blocks count: 8
File flags: 0
File version (for NFS): 0
File ACL: 0
Directory ACL: 0
Fragment address: 0
Direct blocks: 9185, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
Indirect block: 0
Double indirect block: 0
Triple indirect block: 0

File name | Inode number | Deleted status
. 2
.. 2
lost+found 11 Deleted
.vmlinuz-2.6.32-220.el6.x86_64.hmac 12
System.map-2.6.32-220.el6.x86_64 13 Deleted
symvers-2.6.32-220.el6.x86_64.gz 14 Deleted
initramfs-2.6.32-220.el6.x86_64.img 15 Deleted
grub 786433 Deleted
vmlinuz-2.6.32-220.el6.x86_64 16 Deleted
efi 262145 Deleted
config-2.6.32-220.el6.x86_64 17 Deleted
注:标记为“Deleted”的文件则是被删除的文件;.vmlinuz-2.6.32-220.el6.x86_64.hmac未被标记,因为默认情况下rm -rf *中的通配符*不匹配以.开头的隐藏文件
[root@localhost ~]# extundelete /dev/sdb1 --restore-file vmlinuz-2.6.32-220.el6.x86_64
#恢复指定的误删文件
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 120 groups loaded.
Loading journal descriptors ... 48 descriptors loaded.
Successfully restored file vmlinuz-2.6.32-220.el6.x86_64
[root@localhost ~]# cd RECOVERED_FILES/  #这个目录会在执行extundelete时的当前目录下自动生成,里面是我们恢复的文件;注意当前目录不要位于被恢复的分区上,以免恢复出的数据覆盖待恢复的数据块
[root@localhost RECOVERED_FILES]# ls        #恢复成功
vmlinuz-2.6.32-220.el6.x86_64
[root@localhost ~]# extundelete /dev/sdb1 --restore-all #恢复误删分区的所有文件
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 120 groups loaded.
Loading journal descriptors ... 48 descriptors loaded.
Searching for recoverable inodes in directory / ...
26 recoverable inodes found.
Looking through the directory structure for deleted files ...
0 recoverable inodes still lost.
[root@localhost ~]# cd RECOVERED_FILES/
[root@localhost RECOVERED_FILES]# ls    #恢复成功
config-2.6.32-220.el6.x86_64  initramfs-2.6.32-220.el6.x86_64.img  vmlinuz-2.6.32-220.el6.x86_64
efi                           symvers-2.6.32-220.el6.x86_64.gz     vmlinuz-2.6.32-220.el6.x86_64.v1
grub                          System.map-2.6.32-220.el6.x86_64
注意:之前指定恢复的文件vmlinuz-2.6.32-220.el6.x86_64不会在全部恢复时被覆盖,同名文件会被重命名为*.v1
--------------------恢复完成,下面验证恢复后的文件和源文件是否一致-------------------------

[root@localhost ~]# md5sum /boot/vmlinuz-2.6.32-220.el6.x86_64
8d62ea19875a0f514d717fa251e5315c  /boot/vmlinuz-2.6.32-220.el6.x86_64
[root@localhost ~]# md5sum RECOVERED_FILES/vmlinuz-2.6.32-220.el6.x86_64.v1
8d62ea19875a0f514d717fa251e5315c  RECOVERED_FILES/vmlinuz-2.6.32-220.el6.x86_64.v1
[root@localhost ~]# md5sum RECOVERED_FILES/vmlinuz-2.6.32-220.el6.x86_64
8d62ea19875a0f514d717fa251e5315c  RECOVERED_FILES/vmlinuz-2.6.32-220.el6.x86_64
注:两次恢复后的文件md5值和源文件相同说明恢复成功。