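I. Requirements research
After analysing and comparing debugfs, testdisk 6.14 and extundelete, based on the introductions and usage instructions on their official sites, this study focuses on recovering files and directories with extundelete.
II. Project content
1. Tool installation and deployment
The official website is http://extundelete.sourceforge.net/ and the current stable version is extundelete-0.2.4.
Download the tool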
wget https://nchc.dl.sourceforge.net/project/extundelete/extundelete/0.2.4/extundelete-0.2.4.tar.bz2
Extract and install
Dependencies
yum -y install gcc-c++ e2fsprogs.x86_64 e2fsprogs-devel.x86_64
tar -jxvf extundelete-0.2.4.tar.bz2
cd extundelete-0.2.4
./configure
At this point an error is usually reported:
Configuring extundelete 0.2.4
configure: error: in `/root/Desktop/extundelete-0.2.4':
configure: error: C++ compiler cannot create executables
See `config.log' for more details
After some searching, it turns out that the gcc-c++ package needs to be installed:
yum -y install gcc gcc-c++
Running ./configure again shows:
[root@localhost extundelete-0.2.4]# ./configure
Configuring extundelete 0.2.4
configure: error: Can't find ext2fs library
After some searching, it turns out that e2fsprogs-devel is missing, so install it:
yum -y install e2fsprogs-devel
Running ./configure once more produces the following, which means it succeeded:
[root@localhost extundelete-0.2.4]# ./configure
Configuring extundelete 0.2.4
Writing generated files to disk
make && make install
Verify the installation
extundelete -v
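Prerequisite: if you are sure a file has been deleted by mistake and there is no backup, write-protect the partition immediately (to prevent new writes from overwriting the deleted blocks): mount -o remount,ro /dev/sdb1, or unmount it directly with umount /dev/sdb1 (or the mount directory). The df -h command shows which partition your data directory is mounted on (fdisk for disk management).
2. File recovery procedure
Recover a specified file: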
extundelete /dev/sdb1 --inode 2
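The following error may be reported:
/usr/local/extundelete/bin/extundelete: Bad magic number in super-block when trying to open filesystem /dev/sdb1
I searched online: LVM is different, mainly in that LVM device names are no longer of the form /dev/sda. Use vgscan to see the actual volume name. In the end I found that my volume name was /dev/vg_centosdesktop/lv_root.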
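The two pre-checks described above (write-protecting the partition, and the "Bad magic number in super-block" error seen when the device does not hold an ext filesystem), as an added shell example that is not part of the original article or of extundelete. The function names and the optional mounts-file argument are assumptions, chosen so the logic can be exercised on constructed input.

```shell
#!/bin/sh
# Added example: pre-flight checks before pointing extundelete at a device.
# Function names and the optional mounts-file argument are assumptions.

# has_ext_magic FILE: succeed if FILE carries the ext2/3/4 superblock magic.
# The superblock starts at byte 1024 and s_magic (0xEF53, little-endian)
# sits 56 bytes into it, i.e. bytes "53 ef" at absolute offset 1080.
has_ext_magic() {
    magic=$(od -An -tx1 -j1080 -N2 "$1" 2>/dev/null | tr -d ' \n')
    [ "$magic" = "53ef" ]
}

# mount_state DEV [MOUNTS]: print rw, ro or unmounted for DEV, reading a file
# in /proc/mounts format. DEV must be spelled as it appears in that file
# (LVM volumes are usually listed there as /dev/mapper/<vg>-<lv>).
mount_state() {
    awk -v dev="$1" '
        $1 == dev {
            found = 1; ro = 0
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) if (opt[i] == "ro") ro = 1
            if (!ro) rw = 1          # any read-write mount of DEV counts
        }
        END { print (found ? (rw ? "rw" : "ro") : "unmounted") }
    ' "${2:-/proc/mounts}"
}

# preflight DEV [MOUNTS]: print a verdict; return 0 only when DEV holds an
# ext filesystem and is not mounted read-write.
preflight() {
    if ! has_ext_magic "$1"; then
        echo "not-ext: no ext superblock on $1 (LVM PV or wrong device?)"
        return 2
    fi
    state=$(mount_state "$1" "$2")
    if [ "$state" = "rw" ]; then
        echo "mounted-rw: remount read-only or unmount $1 first"
        return 1
    fi
    echo "ok: $1 is $state"
}

# Run the check when a device is given on the command line.
if [ "$#" -gt 0 ]; then preflight "$@"; fi
```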
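Principle: starting from the root node (inode=2), find the inode of the deleted file, then recover that inode.
The following simulates deleting the file apache-tomcat-8.0.24.tar.gz and the directory tomcat-app1 on /dev/sdb1: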
extundelete /dev/sdb1 --inode 2
NOTICE: Extended attributes are not restored.
WARNING: EXT3_FEATURE_INCOMPAT_RECOVER is set.
The partition should be unmounted to undelete any files without further data loss.
If the partition is not currently mounted, this message indicates it was improperly unmounted, and you should run fsck before continuing.
If you decide to continue, extundelete may overwrite some of the deleted files and make recovering those files impossible.
You should unmount the file system and check it with fsck before using extundelete.
Would you like to continue? (y/n)
y
Loading filesystem metadata ... 4000 groups loaded.
Group: 0
Contents of inode 2:
00d0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00e0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00f0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
Inode is Allocated
File mode: 16877
Low 16 bits of Owner Uid: 0
Size in bytes: 4096
Access time: 1482394360
Creation time: 1482394361
Modification time: 1482394361
Deletion Time: 0
Low 16 bits of Group Id: 0
Links count: 3
Blocks count: 8
File flags: 0
File version (for NFS): 0
File ACL: 0
Directory ACL: 0
Fragment address: 0
Direct blocks: 9249, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
Indirect block: 0
Double indirect block: 0
Triple indirect block: 0
File name                                       | Inode number | Deleted status
.                                                 2
..                                                2
lost+found                                        11
apache-tomcat-8.0.24.tar.gz                       13             Deleted
apache-tomcat-8.0.24                              30670849       Deleted
tomcat-app1                                       30670849       Deleted
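Pay attention to the information in red.
Recovery commands (do not carry out the recovery on the partition where the deletion occurred, so that inodes and blocks do not overwrite each other)
extundelete /dev/sdb1 --restore-inode 13    # recover the file by its inode
extundelete /dev/sdb1 --restore-file apache-tomcat-8.0.24.tar.gz    # recover the file by its name
The recovered files are stored in RECOVERED_FILES under the current directory:
ll RECOVERED_FILES/
-rw-r----- 1 root root 9106353 Dec 22 17:23 apache-tomcat-8.0.24.tar.gz
-rw-r----- 1 root root 9106353 Dec 22 17:23 file.13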
3. Directory recovery procedure
extundelete /dev/sdb1 --restore-directory /tomcat-app1    # recover the directory by its name
NOTICE: Extended attributes are not restored.
WARNING: EXT3_FEATURE_INCOMPAT_RECOVER is set.
The partition should be unmounted to undelete any files without further data loss.
If the partition is not currently mounted, this message indicates it was improperly unmounted, and you should run fsck before continuing.
If you decide to continue, extundelete may overwrite some of the deleted files and make recovering those files impossible.
You should unmount the file system and check it with fsck before using extundelete.
Would you like to continue? (y/n)
y
Loading filesystem metadata ... 4000 groups loaded.
Loading journal descriptors ... 1204 descriptors loaded.
Searching for recoverable inodes in directory /tomcat-app1 ...
2405 recoverable inodes found.
Looking through the directory structure for deleted files ...
ll RECOVERED_FILES/
-rw-r----- 1 root root 9106353 Dec 22 17:23 apache-tomcat-8.0.24.tar.gz
-rw-r----- 1 root root 9106353 Dec 22 17:23 file.13
drwxr-x--- 6 root root 4096 Dec 22 17:27 tomcat-app1
Recovery succeeded.
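4. Afterwards, either remounting the disk directory or rebooting works.
III. Project results
The operations above show that extundelete can recover mistakenly deleted data, and that it is simple to use.
Summary:
1. Always be careful when using rm
2. Partitioning disks by function is necessary
3. Master at least one data recovery method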