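Common data recovery tools on Linux include extundelete, ext3grep, debugfs and R-Linux.
extundelete can recover accidentally deleted files on ext3 and ext4 file systems under Linux; it supports recovery of a single file, a single directory, an inode, a block, or an entire disk.
I. Installing extundelete
1. Download extundelete
wget 'https://sourceforge.net/project/platformdownload.php?group_id=260221'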
2. Install the dependencies
[root@www ~]# rpm -qa |grep e2fsprogs*
e2fsprogs-libs-1.41.12-22.el6.x86_64
e2fsprogs-1.41.12-22.el6.x86_64
e2fsprogs-devel-1.41.12-22.el6.x86_6
3. Compile and install extundelete (the build fails with an error; the e2fsprogs-devel package must be installed)
[root@www extundelete-0.2.4]# ./configure
Configuring extundelete 0.2.4
configure: error: Can't find ext2fs library
[root@www extundelete-0.2.4]# ./configure
Configuring extundelete 0.2.4
Writing generated files to disk
[root@www extundelete-0.2.4]# make
[root@www extundelete-0.2.4]# make install
Making install in src
/usr/bin/install -c extundelete '/usr/local/bin'
4. View the extundelete help text
[root@www ~]# extundelete --help
Usage: extundelete [options] [--] device-file
Options:
--version, -[vV] Print version and exit successfully.
--help, Print this help and exit successfully.
--superblock Print contents of superblock in addition to the rest.
If no action is specified then this option is implied.
--journal Show content of journal.
--after dtime Only process entries deleted on or after 'dtime'.
--before dtime Only process entries deleted before 'dtime'.
Actions:
--inode ino Show info on inode 'ino'.
--block blk Show info on block 'blk'.
--restore-inode ino[,ino,...]
Restore the file(s) with known inode number 'ino'.
The restored files are created in ./RECOVERED_FILES
with their inode number as extension (ie, file.12345).
--restore-file 'path' Will restore file 'path'. 'path' is relative to root
of the partition and does not start with a '/'
The restored file is created in the current
directory as 'RECOVERED_FILES/path'.
--restore-files 'path' Will restore files which are listed in the file 'path'.
Each filename should be in the same format as an option
to --restore-file, and there should be one per line.
--restore-directory 'path'
Will restore directory 'path'. 'path' is relative to the
root directory of the file system. The restored
directory is created in the output directory as 'path'.
--restore-all Attempts to restore everything.
-j journal Reads an external journal from the named file.
-b blocknumber Uses the backup superblock at blocknumber when opening
the file system.
-B blocksize Uses blocksize as the block size when opening the file
system. The number should be the number of bytes.
--log 0 Make the program silent.
--log filename Logs all messages to filename.
--log D1=0,D2=filename Custom control of log messages with comma-separated
Examples below: list of options. Dn must be one of info, warn, or
--log info,error error. Omission of the '=name' results in messages
--log warn=0 with the specified level to be logged to the console.
--log error=filename If the parameter is '=0', logging for the specified
level will be turned off. If the parameter is
'=filename', messages with that level will be written
to filename.
-o directory Save the recovered files to the named directory.
The restored files are created in a directory
named 'RECOVERED_FILES/' by default.
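II. Recovering a single file with extundelete
Prerequisite for recovery: the disk or partition holding the accidentally deleted data must be unmounted.
1. View the partition information; /disk1 is used for this test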
[root@www ~]# df -Th
Filesystem Type Size Used Avail Use% Mounted on
/dev/sda3 ext4 8.7G 3.5G 4.9G 42% /
tmpfs tmpfs 491M 0 491M 0% /dev/shm
/dev/sda1 ext4 194M 27M 158M 15% /boot
/dev/sdb5 ext4 796M 17M 739M 3% /mnt
/dev/sdb1 ext4 1020M 34M 935M 4% /disk1
2. View the data on the /disk1 partition
[root@www ~]# cd /disk1/
[root@www disk1]# ls
extundelete-0.2.4.tar.bz2 install.log.syslog lost+found passwd test.txt
[root@www disk1]# cat test.txt
11111
[root@www disk1]# md5sum passwd
b65232cd93267437cc2691fb16a8f7ff passwd
[root@www disk1]# md5sum test.txt
fa8f294721ab3fbb37793c68ff2cf09b test.txt
3. Delete the data on the /disk1 partition
[root@www disk1]# rm -rf ./*
4. Unmount the /disk1 partition
[root@www disk1]# cd
[root@www ~]# umount /disk1/
5. Query the recoverable data; entries marked Deleted are files that have been deleted
[root@www ~]# extundelete /dev/sdb1 --inode 2
......
File name | Inode number | Deleted status
. 2
.. 2
lost+found 11 Deleted
test.txt 12 Deleted
install.log.syslog 13 Deleted
extundelete-0.2.4.tar.bz2 14 Deleted
passwd 15 Deleted
6. Restore the deleted files
[root@www ~]# extundelete /dev/sdb1 --restore-file test.txt
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 9 groups loaded.
Loading journal descriptors ... 54 descriptors loaded.
Successfully restored file test.txt
[root@www ~]# extundelete /dev/sdb1 --restore-file passwd
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 9 groups loaded.
Loading journal descriptors ... 54 descriptors loaded.
Successfully restored file passwd
[root@www ~]# extundelete /dev/sdb1 --restore-file extundelete-0.2.4.tar.bz2
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 9 groups loaded.
Loading journal descriptors ... 54 descriptors loaded.
Successfully restored file extundelete-0.2.4.tar.bz2
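During recovery, extundelete creates a directory named RECOVERED_FILES in the current directory to hold the restored files.
About the --restore-file argument: it specifies the path of the file, relative to the root of the partition. If the original file was stored at /disk1/data/test.txt, pass data/test.txt after the option.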
[root@www ~]# ls RECOVERED_FILES/
extundelete-0.2.4.tar.bz2 passwd test.txt
[root@www ~]# cat RECOVERED_FILES/test.txt
11111
[root@www ~]# md5sum RECOVERED_FILES/test.txt   # MD5 checksum result
fa8f294721ab3fbb37793c68ff2cf09b RECOVERED_FILES/test.txt
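Steps 5 and 6 above can be scripted. The following is an added example, not part of the original article: it turns the `--inode 2` listing into a list usable with `--restore-files`, then checks recovered files against checksums recorded before the deletion. The function names and the sample listing are constructed for illustration, and it assumes an `md5sum` manifest was saved beforehand.

```shell
#!/bin/sh
# Added example, not from the original article; function names are hypothetical.

# Constructed sample of `extundelete /dev/sdb1 --inode 2` output, modelled on
# the listing above plus one name containing a space.
SAMPLE_LISTING='File name                    | Inode number | Deleted status
.                             2
..                            2
lost+found                    11             Deleted
test.txt                      12             Deleted
my notes.txt                  13             Deleted
passwd                        15             Deleted
kept.log                      16'

# Read a listing on stdin and print the names marked "Deleted", one per line,
# which is the format --restore-files expects. Directories appear in the
# listing too and need --restore-directory; lost+found is skipped.
deleted_entries() {
    awk '
        /File name/ && /Inode number/ { in_table = 1; next }
        in_table && NF >= 3 && $NF == "Deleted" && $(NF-1) ~ /^[0-9]+$/ {
            name = $0
            sub(/[ \t]+[0-9]+[ \t]+Deleted[ \t]*$/, "", name)
            sub(/^[ \t]+/, "", name)
            if (name != "lost+found") print name
        }'
}

# Check recovered files against an md5sum manifest taken before the deletion.
# $1 = manifest, $2 = recovery directory. Prints "STATUS name" per entry and
# returns non-zero if any entry is MISSING or MISMATCH.
verify_recovered() {
    bad=0
    while read -r want name; do
        name=${name#\*}                      # binary-mode marker from md5sum
        [ -n "$name" ] || continue
        if [ ! -f "$2/$name" ]; then status=MISSING
        elif [ "$(md5sum < "$2/$name" | cut -d" " -f1)" = "$want" ]; then status=OK
        else status=MISMATCH
        fi
        [ "$status" = OK ] || bad=1
        printf '%s %s\n' "$status" "$name"
    done < "$1"
    return "$bad"
}

printf '%s\n' "$SAMPLE_LISTING" | deleted_entries
```

A "Successfully restored" message only means the blocks were read back; a MISMATCH line shows that some of them had already been overwritten.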
III. Recovering a single directory
1. Create a test directory
[root@www ~]# mount /dev/sdb1 /disk1/
[root@www disk1]# mkdir dir1
[root@www disk1]# cp /etc/passwd dir1/passwd
2. Delete the directory and unmount the partition
[root@www disk1]# cd
[root@www ~]# rm -rf /disk1/*
[root@www ~]# umount /dev/sdb1
3. Restore the directory
[root@www ~]# extundelete /dev/sdb1 --inode 2
......
File name | Inode number | Deleted status
. 2
.. 2
dir1 11 Deleted
test.txt 12 Deleted
install.log.syslog 13 Deleted
extundelete-0.2.4.tar.bz2 14 Deleted
passwd 15 Deleted
[root@www ~]# extundelete /dev/sdb1 --restore-directory /dir1
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 9 groups loaded.
Loading journal descriptors ... 51 descriptors loaded.
Searching for recoverable inodes in directory /dir1 ...
5 recoverable inodes found.
Looking through the directory structure for deleted files ...
4 recoverable inodes still lost.
[root@www ~]# ll RECOVERED_FILES/dir1/passwd
-rw-r--r-- 1 root root 2213 Dec 28 15:23 RECOVERED_FILES/dir1/passwd
IV. Recovering all accidentally deleted data
[root@www ~]# extundelete /dev/sdb1 --restore-all
[root@www ~]# ls RECOVERED_FILES/
dir1 extundelete-0.2.4.tar.bz2 install.log.syslog passwd
V. Recovering data from a specific time period
Use the --before and --after options
[root@www ~]# extundelete --before 1451288304 --restore-all /dev/sdb1
Only show and process deleted entries if they are deleted before 1451288304.
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 9 groups loaded.
Loading journal descriptors ... 54 descriptors loaded.
Searching for recoverable inodes in directory / ...
5 recoverable inodes found.
Looking through the directory structure for deleted files ...
0 recoverable inodes still lost.
[root@www ~]# ls RECOVERED_FILES/
extundelete-0.2.4.tar.bz2 install.log.syslog passwd passwd.v1 test.txt