(transferred) author: running script for reference
Link: https://www.jianshu.com/p/662293f12a47
Take notes and review them when necessary
Unlike Windows, Linux has no recycle bin. Files removed with rm -rf * are basically gone for good.
So here comes the question...:
For files deleted by mistake under Linux, is it really impossible to recover them through software?
Of course, the answer is no. We can still recover mistakenly deleted files through software. There are two situations when restoring files deleted by mistake:
In the first, a process still holds the file open after the deletion.
In the second, no process holds the file after the deletion, so it can only be restored with the help of tools.
Next, the two kinds of accidental deletion and recovery are explained with examples:
The process using the mistakenly deleted file is still running:
Generally, an active process keeps its standard input or output open. After the file is deleted, the process (PID) still exists and still holds the file. This is also the reason why disk space is sometimes not released on a server after files have been deleted.
Open a terminal and use cat to append to a test file:
[root@docking ~]# echo "This is DeleteFile test." > deletefile.txt
[root@docking ~]# ls
deletefile.txt
[root@docking ~]# cat >> deletefile.txt
Add SomeLine into deletefile for fun.
Open another terminal to view this file, and you can clearly see the contents:
[root@docking ~]# ls
deletefile.txt
[root@docking ~]# cat deletefile.txt
This is DeleteFile test.
Add SomeLine into deletefile for fun.
At this point, delete the file with rm -f deletefile.txt:
[root@docking ~]# rm -f deletefile.txt
[root@docking ~]# ls
Listing the directory shows that the file no longer exists. Now let's restore it.
Use lsof to check whether a process still holds the deleted file open.
If lsof is not installed, install it with yum install lsof or apt-get install lsof.
1. In this case, we can use lsof to check whether the deleted file is still open:
[root@docking ~]# lsof | grep deletefile
cat       21796    root    1w      REG    253,1     63    138860 /root/deletefile.txt (deleted)
2. Restore with cp /proc/pid/fd/1 /target-directory/filename
Enter the process's file descriptor directory, usually /proc/pid/fd/. For the current situation:
[root@docking ~]# cd /proc/21796/fd
[root@docking fd]# ll
total 0
lrwx------ 1 root root 64 Jan 18 22:21 0 -> /dev/pts/0
l-wx------ 1 root root 64 Jan 18 22:21 1 -> /root/deletefile.txt (deleted)
lrwx------ 1 root root 64 Jan 18 22:21 2 -> /dev/pts/0
Recovery operation:
[root@docking fd]# cp 1 ~/deletefile.txt.backup
[root@docking fd]# cat ~/deletefile.txt.backup
This is DeleteFile test.
Add SomeLine into deletefile for fun.
3. Recovery is complete.
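The same check and copy can be scripted straight from /proc when lsof is not installed. The following is an added example, not part of the original article; the function names list_deleted_open_files and recover_deleted_file are made up for it, and it only sees descriptors of processes the caller may inspect (run it as root to see all of them).

```sh
#!/bin/sh
# Added example, not from the original article; function names are hypothetical.

# Print "pid fd path" for every open descriptor whose target was unlinked.
list_deleted_open_files() {
    local link target pid fd
    for link in /proc/[0-9]*/fd/*; do
        # Unreadable or vanished entries (other users' processes) are skipped.
        target=$(readlink "$link" 2>/dev/null) || continue
        case "$target" in
            /*" (deleted)") ;;      # same marker that lsof and ll show
            *) continue ;;
        esac
        pid=${link#/proc/}; pid=${pid%%/*}
        fd=${link##*/}
        printf '%s %s %s\n' "$pid" "$fd" "${target% (deleted)}"
    done
}

# Copy the data of the deleted file WANTED (absolute path) to DEST.
recover_deleted_file() {
    local wanted="$1" dest="$2" pid fd path
    if [ -e "$dest" ]; then
        echo "refusing to overwrite $dest" >&2
        return 2
    fi
    while read -r pid fd path; do
        [ "$path" = "$wanted" ] || continue
        # Several processes may hold the file; the first readable one wins.
        if cp -- "/proc/$pid/fd/$fd" "$dest" 2>/dev/null; then
            echo "recovered $wanted from pid $pid fd $fd" >&2
            return 0
        fi
    done <<EOF
$(list_deleted_open_files)
EOF
    echo "no running process holds $wanted open" >&2
    return 1
}
```

For the session above the call would be recover_deleted_file /root/deletefile.txt ~/deletefile.txt.backup, and it must run before the holding process exits.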
The process holding the mistakenly deleted file no longer exists: restore it with the help of tools
Prepare some files and directories
Prepare a mounted disk
mkdir backuptest
cd backuptest
mkdir deletetest
mkdir deletetest/innerfolder
echo "Delete a folder test." > deletetest/innerfolder/deletefile.txt
echo "tcpdump:x:172:72::/:/sbin/nologin" > tmppasswd
The final directory structure is as follows:
taroballs@taroballs-PC:/media/taroballs/taroballs/backuptest$ cd ..
taroballs@taroballs-PC:/media/taroballs/taroballs$ tree backuptest/
backuptest/
├── deletetest
│   └── innerfolder
│       └── deletefile.txt
└── tmppasswd

2 directories, 2 files
Now delete the directory with rm -rf backuptest/:
taroballs@taroballs-PC:/media/taroballs/taroballs$ rm -rf backuptest/
taroballs@taroballs-PC:/media/taroballs/taroballs$ ls -l
total 0
In this case, no daemon or background process is still writing to the files, so the deletion is a real deletion. lsof shows nothing, so a tool has to be used for recovery.
Now start the recovery of mistakenly deleted files.
The tool we use is extundelete, a third-party tool. The recovery steps and precautions are as follows:
Stop any operation on the current partition to prevent the inodes from being overwritten. Once an inode has been overwritten, recovery is basically impossible.
To take it to the extreme, for example: stop the services that use the partition, unmount the device where the directory is located, and disconnect the network if necessary.
Back up the current partition with the dd command, so that a failed recovery by the third-party software does not cause further data loss.
This matters when the data is very important. This walkthrough is only an example, so no backup is made here. If a backup is needed, the following method can be considered:
dd if=/path/filename of=/dev/vdc1
Unmount the current device partition with the umount command (or with the fuser command):
umount /dev/vdb1
If you are told that the device is busy, you can use the fuser command to force the unmount:
fuser -m -v -i -k/
Download and install the third-party tool extundelete, scan for the mistakenly deleted files and restore them
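One way to script the backup precaution from the steps above, as an added example that is not part of the original article: it refuses to image a source that is still mounted, refuses to overwrite an existing image, and verifies the copy with SHA-256. The function names is_mounted and image_before_recovery are made up here, and the image is assumed to be written to a different disk than the one being recovered, since writing to the same partition can overwrite the deleted blocks.

```sh
#!/bin/sh
# Added example, not from the original article; function names are hypothetical.
# SRC may be a partition such as /dev/sdb1 or, for a dry run, any regular file.

# True if DEV is listed as a mounted source in /proc/mounts.
is_mounted() {
    awk -v d="$1" '$1 == d { found = 1 } END { exit !found }' /proc/mounts
}

# Image SRC to DEST, verify the copy, print its SHA-256 on success.
image_before_recovery() {
    local src="$1" dest="$2" src_sum dest_sum
    if is_mounted "$src"; then
        echo "$src is still mounted; umount it first" >&2
        return 2
    fi
    if [ -e "$dest" ]; then
        echo "refusing to overwrite $dest" >&2
        return 3
    fi
    dd if="$src" of="$dest" bs=4M 2>/dev/null || return 1
    # Re-read both sides: a silent short copy must not pass as a backup.
    src_sum=$(sha256sum < "$src" | cut -d' ' -f1)
    dest_sum=$(sha256sum < "$dest" | cut -d' ' -f1)
    if [ "$src_sum" != "$dest_sum" ]; then
        echo "checksum mismatch, the image is not trustworthy" >&2
        return 4
    fi
    chmod a-w "$dest"    # keep later tools from modifying the image by accident
    printf '%s\n' "$dest_sum"
}
```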
extundelete tool installation
extundelete download address: http://extundelete.sourceforge.net/
wget https://nchc.dl.sourceforge.net/project/extundelete/extundelete/0.2.4/extundelete-0.2.4.tar.bz2
Unpack the file:
tar jxvf extundelete-0.2.4.tar.bz2
If this error is reported:
[root@docking ~]# tar jxvf extundelete-0.2.4.tar.bz2
tar (child): bzip2: Cannot exec: No such file or directory
tar (child): Error is not recoverable: exiting now
tar: Child returned status 2
tar: Error is not recoverable: exiting now
then install bzip2 with yum -y install bzip2 and unpack again:
[root@docking ~]# tar jxvf extundelete-0.2.4.tar.bz2
extundelete-0.2.4/
extundelete-0.2.4/acinclude.m4
extundelete-0.2.4/missing
extundelete-0.2.4/autogen.sh
extundelete-0.2.4/aclocal.m4
extundelete-0.2.4/configure
extundelete-0.2.4/LICENSE
extundelete-0.2.4/README
...................................................
Then enter the source directory and run configure:
cd extundelete-0.2.4
./configure
If this step reports an error:
[root@docking extundelete-0.2.4]# ./configure
Configuring extundelete 0.2.4
configure: error: in `/root/extundelete-0.2.4':
configure: error: C++ compiler cannot create executables
See `config.log' for more details
then solve it with yum -y install gcc-c++.
If an error is still reported after performing the previous step:
[root@docking extundelete-0.2.4]# ./configure
Configuring extundelete 0.2.4
configure: error: Can't find ext2fs library
then solve it with yum -y install e2fsprogs e2fsprogs-devel.
# On Ubuntu the solution is: sudo apt-get install e2fslibs-dev e2fslibs-dev
If nothing unexpected happens, configure should now complete successfully:
[root@docking extundelete-0.2.4]# ./configure
Configuring extundelete 0.2.4
Writing generated files to disk
[root@docking extundelete-0.2.4]#
Finally, run make and then make install:
[root@docking extundelete-0.2.4]# make
make -s all-recursive
Making all in src
extundelete.cc: In function 'ext2_ino_t find_inode(ext2_filsys, ext2_filsys, ext2_inode*, std::string, int)':
extundelete.cc:1272:29: warning: narrowing conversion of 'search_flags' from 'int' to 'ext2_ino_t {aka unsigned int}' inside { } [-Wnarrowing]
    buf, match_name2, priv, 0};
                             ^
[root@docking extundelete-0.2.4]# make install
Making install in src
/usr/bin/install -c extundelete '/usr/local/bin'
The extundelete installation is now complete.
Scan files deleted by mistake:
Use df -lh to view mounts:
taroballs@taroballs-PC:~$ df -lh
Filesystem      Size  Used Avail Use% Mounted on
udev            1.9G     0  1.9G   0% /dev
tmpfs           387M  1.8M  385M   1% /run
/dev/sda2        92G   61G   26G  71% /
tmpfs           1.9G   49M  1.9G   3% /dev/shm
tmpfs           5.0M  4.0K  5.0M   1% /run/lock
tmpfs           1.9G     0  1.9G   0% /sys/fs/cgroup
/dev/sda3       104G   56G   44G  57% /home
tmpfs           387M   40K  387M   1% /run/user/1000
/dev/sda4        70G   20G   47G  30% /media/taroballs/d8423f8c-d687-4c03-a7c8-06a7fb57f96d
/dev/sdb1       6.8G  4.1G  2.8G  60% /media/taroballs/taroballs
/dev/sr0        4.0G  4.0G     0 100% /media/taroballs/2018-01-16-12-36-00-00
taroballs@taroballs-PC:~$ cd /media/taroballs/taroballs/
taroballs@taroballs-PC:/media/taroballs/taroballs$
As you can see, our directory /media/taroballs/taroballs is the mount point of the file system on /dev/sdb1.
Unmount (umount) our mounted disk
For example:
taroballs@taroballs-PC:~$ df -lh | grep /dev/sdb1
/dev/sdb1       6.8G  4.1G  2.8G  60% /media/taroballs/taroballs
Unmount this directory:
taroballs@taroballs-PC:~$ umount /media/taroballs/taroballs
taroballs@taroballs-PC:~$ df -lh | grep /dev/sdb1
taroballs@taroballs-PC:~$
Remember to umount right after the deletion. Otherwise, once the freed blocks have been written a second time, no one can help you.
Restore via inode
taroballs@taroballs-PC:~$ mkdir recovertest
taroballs@taroballs-PC:~$ cd recovertest/
taroballs@taroballs-PC:~/recovertest$
Run the scan with extundelete /dev/sdb1 --inode 2:
taroballs@taroballs-PC:/media/taroballs/taroballs$ sudo extundelete /dev/sdb1 --inode 2
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 8 groups loaded.
Group: 0
Contents of inode 2:
. . . (N lines omitted)
File name                                       | Inode number | Deleted status
.                                                 2
..                                                2
deletetest                                        12             Deleted
tmppasswd                                         14             Deleted
The scan found the file and the folder we deleted. Now perform the recovery operation.
(1) Restore the single file tmppasswd
taroballs@taroballs-PC:~/recovertest$ extundelete /dev/sdb1 --restore-file tmppasswd
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 8 groups loaded.
Loading journal descriptors ... 46 descriptors loaded.
Successfully restored file tmppasswd
The recovered files are placed in the RECOVERED_FILES directory under the current directory. View the recovered file:
taroballs@taroballs-PC:~/recovertest$ cat tmppasswd
tcpdump:x:172:72::/:/sbin/nologin
(2) Restore the directory deletetest
extundelete /dev/sdb1 --restore-directory deletetest
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 8 groups loaded.
Loading journal descriptors ... 46 descriptors loaded.
Searching for recoverable inodes in directory deletetest ...
5 recoverable inodes found.
Looking through the directory structure for deleted files ...
(3) Restore everything
taroballs@taroballs-PC:~/recovertest$ extundelete /dev/sdb1 --restore-all
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 8 groups loaded.
Loading journal descriptors ... 46 descriptors loaded.
Searching for recoverable inodes in directory / ...
5 recoverable inodes found.
Looking through the directory structure for deleted files ...
0 recoverable inodes still lost.
taroballs@taroballs-PC:~/recovertest$ tree backuptest/
├── deletetest
│   └── innerfolder
│       └── deletefile.txt
└── tmppasswd

2 directories, 2 files
(4) Restore a specified inode
taroballs@taroballs-PC:~/recovertest$ extundelete /dev/sdb1 --restore-inode 14
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 8 groups loaded.
Loading journal descriptors ... 46 descriptors loaded.
taroballs@taroballs-PC:~/recovertest$ cat file.14
tcpdump:x:172:72::/:/sbin/nologin
Note that when restoring by inode, the recovered file does not get its previous name (here it is file.14) and has to be renamed separately.
Finally, the usage of extundelete is attached:
$ extundelete --help
Usage: extundelete [options] [--] device-file
Options:
  --version, -[vV]       Print version and exit successfully.
  --help,                Print this help and exit successfully.
  --superblock           Print contents of superblock in addition to the rest.
                         If no action is specified then this option is implied.
  --journal              Show content of journal.
  --after dtime          Only process entries deleted on or after 'dtime'.
  --before dtime         Only process entries deleted before 'dtime'.
Actions:
  --inode ino            Show info on inode 'ino'.
  --block blk            Show info on block 'blk'.
  --restore-inode ino[,ino,...]
                         Restore the file(s) with known inode number 'ino'.
                         The restored files are created in ./RECOVERED_FILES
                         with their inode number as extension (ie, file.12345).
  --restore-file 'path'  Will restore file 'path'. 'path' is relative to root
                         of the partition and does not start with a '/'
                         The restored file is created in the current
                         directory as 'RECOVERED_FILES/path'.
  --restore-files 'path' Will restore files which are listed in the file 'path'.
                         Each filename should be in the same format as an option
                         to --restore-file, and there should be one per line.
  --restore-directory 'path'
                         Will restore directory 'path'. 'path' is relative to the
                         root directory of the file system. The restored
                         directory is created in the output directory as 'path'.
  --restore-all          Attempts to restore everything.
  -j journal             Reads an external journal from the named file.
  -b blocknumber         Uses the backup superblock at blocknumber when opening
                         the file system.
  -B blocksize           Uses blocksize as the block size when opening the file
                         system. The number should be the number of bytes.
  --log 0                Make the program silent.
  --log filename         Logs all messages to filename.
  --log D1=0,D2=filename Custom control of log messages with comma-separated
   Examples below:       list of options. Dn must be one of info, warn, or
   --log info,error      error. Omission of the '=name' results in messages
   --log warn=0          with the specified level to be logged to the console.
   --log error=filename  If the parameter is '=0', logging for the specified
                         level will be turned off. If the parameter is
                         '=filename', messages with that level will be written
                         to filename.
  -o directory           Save the recovered files to the named directory.
                         The restored files are created in a directory
                         named 'RECOVERED_FILES/' by default.