Recovering accidentally deleted files on Linux: a test run with extundelete
Official extundelete download address:
[root@localhost bin]# cat /proc/scsi/scsi
Attached devices:
Host: scsi2 Channel: 00 Id: 00 Lun: 00
  Vendor: VMware Model: Virtual disk Rev: 1.0
  Type: Direct-Access ANSI SCSI revision: 02
Host: scsi1 Channel: 00 Id: 00 Lun: 00
  Vendor: NECVMWar Model: VMware IDE CDR10 Rev: 1.00
  Type: CD-ROM ANSI SCSI revision: 05
[root@localhost bin]# echo "scsi add-single-device 2 0 1 0">/proc/scsi/scsi
[root@localhost bin]# fdisk -l
[root@localhost bin]# fdisk /dev/sdb
[root@localhost bin]# partprobe /dev/sdb
[root@localhost bin]# mkfs.xfs /dev/sdb1
[root@localhost bin]# mount /dev/sdb1 /mnt/
[root@localhost mnt]# ls
redis-4.0.11  redis-4.0.11.tar.gz
[root@localhost mnt]# rm -rf redis-4.0.11*
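If you are sure a file was deleted by mistake and there is no backup, write-protect the partition immediately (this prevents new writes from overwriting the data blocks of the deleted file, so remount it read-only):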
[root@localhost /]# mount -o remount,ro /dev/sdb1
[root@localhost /]# mount -o remount,ro /mnt/
Install the dependencies
[root@localhost /]# yum -y install gcc-c++ e2fsprogs.x86_64 e2fsprogs-devel.x86_64
[root@localhost /]# cd /app/soft/
[root@localhost soft]# wget https://nchc.dl.sourceforge.net/project/extundelete/extundelete/0.2.4/extundelete-0.2.4.tar.bz2
[root@localhost soft]# tar -jxvf extundelete-0.2.4.tar.bz2
[root@localhost soft]# cd extundelete-0.2.4
[root@localhost extundelete-0.2.4]# ./configure
Configuring extundelete 0.2.4
Writing generated files to disk
[root@localhost extundelete-0.2.4]# make
make -s all-recursive
Making all in src
extundelete.cc: In function ‘ext2_ino_t find_inode(ext2_filsys, ext2_filsys, ext2_inode*, std::string, int)’:
extundelete.cc:1272:29: warning: narrowing conversion of ‘search_flags’ from ‘int’ to ‘ext2_ino_t {aka unsigned int}’ inside { } [-Wnarrowing]
    buf, match_name2, priv, 0};
                             ^
[root@localhost extundelete-0.2.4]# make install
Making install in src
 /bin/install -c extundelete '/usr/local/bin'
[root@localhost extundelete-0.2.4]# extundelete -v
extundelete version 0.2.4
libext2fs version 1.42.9
Processor is little endian.
[root@localhost extundelete-0.2.4]# extundelete --help

The options are:
--version, -[vV]: show the software version number.
--help: show the help text.
--superblock: show superblock information.
--journal: show journal information.
--after dtime: time parameter; selects files or directories deleted after the given time.
--before dtime: time parameter; selects files or directories deleted before the given time.

The actions are:
--inode ino: show the information of inode "ino".
--block blk: show the information of data block "blk".
--restore-inode ino[,ino,...]: recovery action; restores the file at inode "ino". Restored files are placed automatically in the RESTORED_FILES folder under the current directory, with the inode number as the extension.
--restore-file 'path': recovery action; restores the file at the given path and places it in the RECOVERED_FILES directory under the current directory.
--restore-files 'path': recovery action; restores all files listed in the path.
--restore-all: recovery action; attempts to restore all directories and files.
-j journal: reads the external journal from the named file.
-b blocknumber: opens the file system using a previously backed-up superblock; generally used to check whether the existing superblock is the one currently wanted.
-B blocksize: opens the file system with the specified block size; generally used to view files whose size is already known.
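How it works: starting from the root inode (inode=2), find the inode of the deleted file, then recover that inode. The following simulates the deletion of redis-4.0.11.tar.gz (a file) and redis-4.0.11 (a directory).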
[root@localhost extundelete-0.2.4]# extundelete /dev/sdb --inode 2
extundelete: Bad magic number in super-block when trying to open filesystem /dev/sdb
[root@localhost extundelete-0.2.4]# df -Th /dev/sdb1
Filesystem Type Size Used Avail Use% Mounted on
/dev/sdb1 xfs 100G 176K 100G 1% /mnt
[root@localhost extundelete-0.2.4]#
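Recovery from the XFS file system is not supported; for this experiment the partition was reformatted as ext4 and the test repeated.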
[root@localhost /]# extundelete /dev/sdb1 --inode 2
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 800 groups loaded.
Group: 0
Contents of inode 2:
0000 | ed 41 00 00 00 10 00 00 8a 33 0e 5c 3e 34 0e 5c | .A.......3.\>4.\
0010 | 3e 34 0e 5c 00 00 00 00 00 00 03 00 08 00 00 00 | >4.\............
0020 | 00 00 08 00 04 00 00 00 0a f3 01 00 04 00 00 00 | ................
0030 | 00 00 00 00 00 00 00 00 01 00 00 00 2e 24 00 00 | .............$..
0040 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0050 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0060 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0070 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0080 | 1c 00 00 00 24 de 02 30 24 de 02 30 24 0e 0b d4 | ....$..0$..0$...
0090 | a0 31 0e 5c 00 00 00 00 00 00 00 00 00 00 00 00 | .1.\............
00a0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00b0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00c0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00d0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00e0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00f0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
Inode is Allocated
File mode: 16877
Low 16 bits of Owner Uid: 0
Size in bytes: 4096
Access time: 1544434570
Creation time: 1544434750
Modification time: 1544434750
Deletion Time: 0
Low 16 bits of Group Id: 0
Links count: 3
Blocks count: 8
File flags: 524288
File version (for NFS): 0
File ACL: 0
Directory ACL: 0
Fragment address: 0
Direct blocks: 127754, 4, 0, 0, 1, 9262, 0, 0, 0, 0, 0, 0
Indirect block: 0
Double indirect block: 0
Triple indirect block: 0
File name | Inode number | Deleted status
. 2
.. 2
lost+found 11
redis-4.0.11.tar.gz 12 Deleted
redis-4.0.11 5505025 Deleted
[root@localhost /]#
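Do not carry out the recovery on the partition where the files were deleted, so that inodes and data blocks do not overwrite each other.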
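The three precautions stated so far (ext3/ext4 only, partition remounted read-only, recovery output on a different partition) can be checked before extundelete is started. The script below is an added example, not part of the original post; its function names and the sample mount table are constructed for illustration.

```shell
# Added example: pre-flight checks before running extundelete (not from the post).
# Function names are illustrative; MOUNTS is a file in /proc/mounts format.
# Print field N (3 = fs type, 4 = mount options) of DEVICE's entry in MOUNTS.
mount_field() {
    awk -v dev="$1" -v n="$2" '$1 == dev { print $n; exit }' "$3"
}

# Print the device whose mount point is the longest path prefix of DIR.
device_for_dir() {
    awk -v dir="$1" '
        { mp = $2; pre = (mp == "/") ? "/" : mp "/" }
        index(dir "/", pre) == 1 && length(mp) > best { best = length(mp); d = $1 }
        END { print d }' "$2"
}

# preflight DEVICE OUTPUT_DIR [MOUNTS]: returns 0 if safe, 1/2/3 for the failed
# check. An unmounted DEVICE skips checks 1 and 2 (it has no entry in MOUNTS).
preflight() {
    pf_mounts=${3:-/proc/mounts}
    pf_type=$(mount_field "$1" 3 "$pf_mounts")
    pf_opts=$(mount_field "$1" 4 "$pf_mounts")
    if [ -n "$pf_type" ]; then
        case "$pf_type" in
            ext3|ext4) ;;
            *) echo "FAIL: $1 is $pf_type, extundelete needs ext3/ext4"; return 1 ;;
        esac
        case ",$pf_opts," in
            *,ro,*) ;;
            *) echo "FAIL: $1 is mounted read-write, remount it ro first"; return 2 ;;
        esac
    fi
    if [ "$(device_for_dir "$2" "$pf_mounts")" = "$1" ]; then
        echo "FAIL: $2 is on $1, RECOVERED_FILES would be written there"; return 3
    fi
    echo "OK: run extundelete against $1 with $2 as the working directory"
}

# Constructed sample mount table (not the post's machine).
sample_mounts() {
    printf '%s\n' \
        '/dev/sda1 / xfs rw,relatime 0 0' \
        '/dev/sdb1 /mnt ext4 ro,relatime 0 0' \
        '/dev/sdc1 /data xfs rw,relatime 0 0' \
        '/dev/sdd1 /srv ext4 rw,relatime 0 0'
}

demo=$(mktemp); sample_mounts > "$demo"
preflight /dev/sdb1 /root "$demo" || true       # passes
preflight /dev/sdb1 /mnt/out "$demo" || true    # fails check 3
rm -f "$demo"
```

On a live system, omit the third argument so that the checks read /proc/mounts.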
Recover a file (by file name):
[root@localhost /]# extundelete /dev/sdb1 --restore-file redis-4.0.11.tar.gz
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 153 groups loaded.
Loading journal descriptors ... 79 descriptors loaded.
Successfully restored file redis-4.0.11.tar.gz
[root@localhost /]#
Recover a directory (by directory name):
[root@localhost /]# extundelete /dev/sdb1 --restore-directory redis-4.0.11
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 153 groups loaded.
Loading journal descriptors ... 79 descriptors loaded.
Searching for recoverable inodes in directory redis-4.0.11 ...
26 recoverable inodes found.
Looking through the directory structure for deleted files ...
5 recoverable inodes still lost.
[root@localhost /]#
Recover all data
[root@localhost /]# extundelete /dev/sdb1 --restore-all
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 153 groups loaded.
Loading journal descriptors ... 79 descriptors loaded.
Searching for recoverable inodes in directory / ...
26 recoverable inodes found.
Looking through the directory structure for deleted files ...
1 recoverable inodes still lost.
[root@localhost /]#
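A RECOVERED_FILES directory appears under the current directory; the accidentally deleted files and directories can be found inside it. The permissions of the recovered files may have changed. extundelete can also recover data deleted within a given time period, using the "--after" and "--before" parameters.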
Reposted from: https://blog.51cto.com/ityunwei2017/2328570