Hands-on: recovering accidentally deleted files on an ext4 file system
Restore files deleted by mistake on an ext4 file system on CentOS 6 or RHEL 6
--> rm -rf /   # does not succeed

    [root@master30 data]# rm -Rf /
    rm: it is dangerous to operate recursively on "/"
    rm: use --no-preserve-root to override this failsafe
Principle:
Files deleted on an ext4 file system can be recovered with: extundelete
Recovering deleted files on ext3: ext3grep
Recovering mistakenly deleted files on Windows: FinalData v2.0 (Chinese version) and EasyRecovery
A Linux file system consists of three parts: file name, inode and block
Windows is also composed of these three parts
a.txt --> inode --> block
Inode: stores the file's metadata and the location of its real data;
Block: the place where the data is actually stored

    # View the file name
    [root@master30 data]# ls -l aa.txt
    -rw-r--r-- 1 root root 16 Jun 12 09:41 aa.txt
    [root@master30 data]# stat a.t
    stat: cannot stat "a.t": No such file or directory
    [root@master30 data]# stat aa.txt
      File: "aa.txt"
      Size: 16          Blocks: 8          IO Block: 4096   regular file
    Device: 803h/2051d  Inode: 50334076    Links: 1
    Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
    Access: 2021-06-12 09:41:12.322393075 +0800
    Modify: 2021-06-12 09:41:09.424393405 +0800
    Change: 2021-06-12 09:41:09.424393405 +0800
     Birth: -
    # View the inode number
    [root@master30 data]# ls -i aa.txt
    50334076 aa.txt

Why is deleting faster than restoring?
Deleting aa.txt --> file name, inode, block
In fact, deleting a file only removes the file name
--> the inode number, however, is still available;
If, right after the deletion, another file such as b.txt happens to reuse that inode number --> recovery is more difficult;
- The hard disk may still allow parity-based recovery --> more specialized data recovery
What is the first thing you need to do after deleting files by mistake?
--> avoid overwriting the contents of the deleted files;
--> unmount the partition that needs to be restored, or remount it read-only;
Hands-on: recovering accidentally deleted files on an ext4 file system on CentOS 6
1) Download extundelete
Official website: https://sourceforge.net/projects/extundelete/
2) Prepare the basic environment of the hard disk
Shut down the virtual machine --> Edit virtual machine --> Add --> Hard Disk --> keep the defaults and click Next through the remaining steps

    # Check the hard drives
    [root@master ~]# ls /dev/sd*
    /dev/sda  /dev/sda1  /dev/sda2  /dev/sda3  /dev/sdb  /dev/sdc
    # Partition sdb
    [root@master ~]# fdisk /dev/sdb
    Device contains neither a valid DOS partition table, nor Sun, SGI or OSF disklabel
    Building a new DOS disklabel with disk identifier 0xcb3fcf18.
    Changes will remain in memory only, until you decide to write them.
    After that, of course, the previous content won't be recoverable.
    Warning: invalid flag 0x0000 of partition table 4 will be corrected by w(rite)
    WARNING: DOS-compatible mode is deprecated. It's strongly recommended to
             switch off the mode (command 'c') and change display units to
             sectors (command 'u').
    Command (m for help): n            # create a new partition
    Command action
       e   extended
       p   primary partition (1-4)
    p                                  # create a primary partition
    Partition number (1-4): 1          # use partition number 1
    First cylinder (1-2610, default 1):          # accept the default
    Using default value 1
    Last cylinder, +cylinders or +size{K,M,G} (1-2610, default 2610): +2G   # partition size is 2G
    Command (m for help): w            # save the planned partition table
    # Format the partition --> create an ext4 file system
    # The command used on CentOS 6 is mkfs.ext4
    [root@master ~]# mkfs.ext4 /dev/sdb1
    mke2fs 1.41.12 (17-May-2010)
    Filesystem label=
    OS type: Linux
    Block size=4096 (log=2)
    Fragment size=4096 (log=2)
    Stride=0 blocks, Stripe width=0 blocks
    131648 inodes, 526120 blocks
    26306 blocks (5.00%) reserved for the super user
    First data block=0
    Maximum filesystem blocks=541065216
    17 block groups
    32768 blocks per group, 32768 fragments per group
    7744 inodes per group
    Superblock backups stored on blocks:
            32768, 98304, 163840, 229376, 294912
    Writing inode tables: done
    Creating journal (16384 blocks): done
    Writing superblocks and filesystem accounting information: done
    This filesystem will be automatically checked every 27 mounts or
    180 days, whichever comes first.  Use tune2fs -c or -i to override.
    # Mount and use it
    [root@master ~]# mkdir /sdb1
    [root@master ~]# mount /dev/sdb1 /sdb1
    [root@master ~]# df -h | grep sdb1
    /dev/sdb1       2.0G  3.1M  1.9G   1% /sdb1

3) Prepare test data

    [root@master ~]# cd /sdb1
    [root@master sdb1]# mkdir test/Linux -p
    [root@master sdb1]# touch liangjiawei.txt
    [root@master sdb1]# echo liangjiawei > liangjiawei.txt
    [root@master sdb1]# touch empty.txt
    [root@master sdb1]# tree /sdb1
    /sdb1
    ├── empty.txt
    ├── liangjiawei.txt
    ├── lost+found
    └── test
        └── Linux
    3 directories, 2 files

4) Delete the files --> delete them directly;
If you want to recover files, what should you pay attention to?
- Power off immediately, then switch the disk to read-only mode;
- Do not shut down normally, to prevent the system from automatically reading and saving data;
- Have extundelete ready immediately: install it in advance and keep it on a USB flash drive, then mount the USB flash drive on the server;
- When recovering, store the recovered data on the USB flash drive first;

    [root@master sdb1]# rm -rf ./*

5) The overall recovery process;
--> unmount the partition and make sure no further operations touch it, to avoid overwriting data

    [root@master sdb1]# cd
    [root@master ~]# umount /dev/sdb1

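The precautions described above (unmount the partition or remount it read-only, and write recovered data to a different disk) can be checked mechanically before extundelete is run. The script below is an added example, not part of the original article or of extundelete; it reads a mount table in /proc/mounts format, and the function names, the sample table and the /mnt/usb mount point are assumptions made for illustration.

```shell
# Added example: pre-flight check before running extundelete on DEVICE.
# Mount tables use /proc/mounts format: device mountpoint fstype options ...

# mount_state DEVICE [MOUNTS] -> prints "unmounted", "ro" or "rw"
mount_state() {
    awk -v dev="$1" '
        $1 == dev { found = 1; ro = 0; n = split($4, opt, ",")
                    for (i = 1; i <= n; i++) if (opt[i] == "ro") ro = 1
                    if (!ro) rw = 1 }
        END { print (found ? (rw ? "rw" : "ro") : "unmounted") }' "${2:-/proc/mounts}"
}

# device_for_path ABSPATH [MOUNTS] -> prints the device holding ABSPATH, i.e.
# the entry whose mount point is the longest prefix of ABSPATH.
device_for_path() {
    awk -v p="$1" '
        { pre = ($2 == "/") ? "/" : ($2 "/")
          if (index(p "/", pre) == 1 && length($2) >= best) { best = length($2); d = $1 } }
        END { print d }' "${2:-/proc/mounts}"
}

# preflight DEVICE OUTDIR [MOUNTS] -> 0 = safe to recover, 1 = device is
# mounted read-write, 2 = OUTDIR lives on the device being recovered.
preflight() {
    pf_state=$(mount_state "$1" "$3")
    if [ "$pf_state" = rw ]; then
        echo "refuse: $1 is mounted read-write; umount it or remount it read-only" >&2
        return 1
    fi
    if [ "$(device_for_path "$2" "$3")" = "$1" ]; then
        echo "refuse: $2 is on $1; recovered files would overwrite deleted data" >&2
        return 2
    fi
    echo "ok: $1 is $pf_state; recover into $2"
}

# Constructed sample table (not from a real host): /dev/sdb1 is still mounted rw.
sample_mounts() {
    cat <<'EOF'
/dev/sda2 / ext4 rw,relatime 0 0
/dev/sdb1 /sdb1 ext4 rw,relatime 0 0
/dev/sdc1 /mnt/usb vfat rw,nosuid,nodev 0 0
EOF
}

# Demo: refuses with status 1 because /dev/sdb1 is mounted rw in the sample.
demo_table=$(mktemp) && sample_mounts > "$demo_table"
preflight /dev/sdb1 /recover "$demo_table" || echo "preflight exit status: $?"
rm -f "$demo_table"
```

On a live system, call `preflight /dev/sdb1 /recover` without the third argument so that the real /proc/mounts is read.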
--> install the extundelete tool

    # Upload extundelete
    [root@master ~]# rz
    [root@master ~]# ls extundelete-0.2.4.tar.bz2
    extundelete-0.2.4.tar.bz2
    # Unpack the archive
    [root@master ~]# tar -xf extundelete-0.2.4.tar.bz2
    [root@master ~]# cd extundelete-0.2.4
    [root@master extundelete-0.2.4]# mount /dev/cdrom /mnt/cdrom/
    mount: block device /dev/sr0 is write-protected, mounting read-only
    [root@master extundelete-0.2.4]# yum -y install e2fsprogs-devel
    # Pre-compile (configure)
    # Install the build environment
    [root@master extundelete-0.2.4]# yum -y install gcc gcc-c++
    [root@master extundelete-0.2.4]# ./configure
    Configuring extundelete 0.2.4
    Writing generated files to disk
    # Compile
    # make can be followed by the -j option to specify the number of CPUs, which speeds up compilation
    [root@master extundelete-0.2.4]# make
    make -s all-recursive
    Making all in src
    # Install
    [root@master extundelete-0.2.4]# make install
    Making install in src
    /usr/bin/install -c extundelete '/usr/local/bin'

The difference between install and cp
- install can specify file permissions
- cp cannot specify permissions

    [root@master extundelete-0.2.4]# cp /etc/fstab /tmp/
    [root@master extundelete-0.2.4]# install -m 777 /etc/fstab /tmp/fstab.install
    [root@master extundelete-0.2.4]# ll /tmp/fs*
    -rw-r--r-- 1 root root 805 5 April 17:58 /tmp/fstab
    -rwxrwxrwx 1 root root 805 5 April 17:58 /tmp/fstab.install

Start restoring files when you are ready
How to recover files:
- Restore by inode
- Restore by file name
- Restore a directory, such as all files in directory a
- Restore all files;

    # Create a directory to store the recovered data
    [root@master ~]# mkdir /recover
    # Method 1:
    # First, look up the inode numbers
    [root@master ~]# extundelete /dev/sdb1 --inode 2
    .....
    File name                                       | Inode number | Deleted status
    .                                                 2
    ..                                                2
    lost+found                                        11             Deleted
    liangjiawei.txt                                   12             Deleted
    empty.txt                                         13             Deleted
    test                                              14             Deleted
    # Here we have two questions.
    # First, why --inode 2?
    # Answer: the root directory of an ext4 partition has inode number 2; the root of an xfs partition has inode number 64
    [root@master ~]# mount /dev/sdb1 /sdb1/
    [root@master ~]# ls -id /sdb1
    2 /sdb1
    # Restore a file by inode
    # The recovered file does not keep its original file name,
    # but its contents are unchanged, so the file has been restored successfully
    [root@master ~]# extundelete /dev/sdb1 --restore-inode 12
    NOTICE: Extended attributes are not restored.
    Loading filesystem metadata ... 17 groups loaded.
    Loading journal descriptors ... 36 descriptors loaded.
    [root@master ~]# cat RECOVERED_FILES/file.12
    liangjiawei
    # Restore by file name
    [root@master ~]# extundelete /dev/sdb1 --restore-file liangjiawei.txt
    NOTICE: Extended attributes are not restored.
    Loading filesystem metadata ... 17 groups loaded.
    Loading journal descriptors ... 36 descriptors loaded.
    Successfully restored file liangjiawei.txt
    [root@master ~]# cat RECOVERED_FILES/
    file.12          liangjiawei.txt
    [root@master ~]# cat RECOVERED_FILES/liangjiawei.txt
    liangjiawei
    # Restore a directory
    # The empty directory under the test directory turns out to be missing
    [root@master ~]# extundelete /dev/sdb1 --restore-directory test
    NOTICE: Extended attributes are not restored.
    Loading filesystem metadata ... 17 groups loaded.
    Loading journal descriptors ... 36 descriptors loaded.
    Searching for recoverable inodes in directory test ...
    4 recoverable inodes found.
    Looking through the directory structure for deleted files ...
    3 recoverable inodes still lost.
    [root@master ~]# tree RECOVERED_FILES/test/
    RECOVERED_FILES/test/
    0 directories, 0 files
    # Restore everything
    [root@master ~]# extundelete /dev/sdb1 --restore-all
    NOTICE: Extended attributes are not restored.
    Loading filesystem metadata ... 17 groups loaded.
    Loading journal descriptors ... 36 descriptors loaded.
    Searching for recoverable inodes in directory / ...
    4 recoverable inodes found.
    Looking through the directory structure for deleted files ...
    0 recoverable inodes still lost.
    [root@master ~]# ls RECOVERED_FILES/
    file.12              liangjiawei.txt      liangjiawei.txt.v1   test/
    [root@master ~]# ls RECOVERED_FILES/
    file.12  liangjiawei.txt  liangjiawei.txt.v1  test
    # extundelete does not automatically restore empty files or empty directories