Linux 环境误删文件后恢复

文章

林里克斯

大家都知道，在 Linux 下是没有回收站功能的，不像 Windows 大多数文件删除了还有反悔的机会。本文就实验一下恢复 Linux 下误删文件后如何恢复，并不是所有环境都适合恢复！

实验平台：CentOS 7.7.1908
常见的开源恢复工具有：debugfs、R-Linux、ext3grep、extundelete
ext3grep：只支持 ext3 文件系统
extundelete：支持 ext3 和 ext4 文件系统
使用恢复工具：extundelete
工具版本：0.2.4

一、伪造误删环境
二、尝试恢复

一、伪造误删环境

1.首先说下自己的实验环境

系统内有 2 个硬盘，一个系统盘，一个数据盘。实际操作在数据盘内操作

$ df -lh

Filesystem      Size  Used Avail Use% Mounted on
devtmpfs        485M     0  485M   0% /dev
tmpfs           496M   24K  496M   1% /dev/shm
tmpfs           496M  456K  496M   1% /run
tmpfs           496M     0  496M   0% /sys/fs/cgroup
/dev/vda1        50G  1.9G   46G   5% /
tmpfs           100M     0  100M   0% /run/user/0
/dev/sdb1       9.8G   37M  9.2G   1% /data
# data 目录为数据盘

$ blkid /dev/sdb1 
#查看文件系统类型
/dev/sdb1: UUID="89fa587b-ce13-4c4b-80f5-d04f84c8f1fd" SEC_TYPE="ext2" TYPE="ext3"

2.伪造误删环境

$ pwd
/data
$ ls
tomcat
$ rm -rf tomcat/
$ pkill -15 -f tomcat
#误删了 tomcat ，首先要停止业务避免再次写入数据

二、尝试恢复

1.首先卸载硬盘

$ umount /data/
#误在 /data 目录下操作，因为会报错 在使用，你占用了此目录。

2.安装工具

yum 安装

$ yum -y install extundelete
#需 epel 源，若没有用以下命令安装
$ yum -y install epel-release
#会在 /etc/yum.repos.d 下生成 epel.repo  epel-testing.repo 两个文件

编译安装

extundelete主页

http://extundelete.sourceforge.net/

下载

$ wget https://nchc.dl.sourceforge.net/project/extundelete/extundelete/0.2.4/extundelete-0.2.4.tar.bz2

安装

$ tar -xf extundelete-0.2.4.tar.bz2 
bz2 需要 tar 依赖 bzip2（$ yum -y install bzip2）
$ cd extundelete-0.2.4/
$ yum -y install gcc gcc-c++ 
#安装编译环境
$ ./configure --prefix=/usr/local/extundelete
报错 configure: error: Can't find ext2fs library
$ yum -y install e2fsprogs  e2fsprogs-devel
#安装依赖
$ ./configure --prefix=/usr/local/extundelete
Configuring extundelete 0.2.4
Writing generated files to disk
$ make && make install
#编译安装
$ cp -rp /usr/local/extundelete/bin/extundelete /usr/bin/

3.尝试恢复

$ extundelete /dev/sdb1 --inode 2

NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 80 groups loaded.
Group: 0
Contents of inode 2:
0000 | ed 41 00 00 00 10 00 00 5d f4 29 5f 5c f4 29 5f | .A......].)_\.)_
0010 | 5c f4 29 5f 00 00 00 00 00 00 02 00 08 00 00 00 | \.)_............
0020 | 00 00 00 00 09 00 00 00 83 04 00 00 00 00 00 00 | ................
0030 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0040 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0050 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0060 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0070 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0080 | 1c 00 00 00 28 76 ac e3 28 76 ac e3 a4 08 27 59 | ....(v..(v....'Y
0090 | 12 f4 29 5f 00 00 00 00 00 00 00 00 00 00 00 00 | ..)_............
00a0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00b0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00c0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00d0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00e0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00f0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................

Inode is Allocated
File mode: 16877
Low 16 bits of Owner Uid: 0
Size in bytes: 4096
Access time: 1596585053
Creation time: 1596585052
Modification time: 1596585052
Deletion Time: 0
Low 16 bits of Group Id: 0
Links count: 2
Blocks count: 8
File flags: 0
File version (for NFS): 0
File ACL: 0
Directory ACL: 0
Fragment address: 0
Direct blocks: 1155, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
Indirect block: 0
Double indirect block: 0
Triple indirect block: 0

File name                                       | Inode number | Deleted status
.                                                 2
..                                                2
apache-tomcat-9.0.31.zip                          11             Deleted
apache-tomcat-9.0.31                              163841         Deleted
tomcat                                            163841         Deleted
#可以看到被删除的目录状态为 Deleted ，inode 为 163841

$ extundelete --restore-all  /dev/sdb1
#恢复全部
sda       sda2      sdb1      sg1       shm/      snd/      stderr    stdout    
sda1      sdb       sg0       sg2       snapshot  sr0       stdin     
[root@linlikesi ~]# extundelete --restore-all  /dev/sd
sda   sda1  sda2  sdb   sdb1  
[root@linlikesi ~]# extundelete --restore-all  /dev/sdb
sdb   sdb1  
[root@linlikesi ~]# extundelete --restore-all  /dev/sdb1 
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 80 groups loaded.
Loading journal descriptors ... 316 descriptors loaded.
Searching for recoverable inodes in directory / ... 
761 recoverable inodes found.
Looking through the directory structure for deleted files ... 
0 recoverable inodes still lost.

$ extundelete /dev/sdb1 --restore-directory /tomcat
#恢复指定目录
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 80 groups loaded.
Loading journal descriptors ... 316 descriptors loaded.
Searching for recoverable inodes in directory /tomcat ... 
761 recoverable inodes found.
Looking through the directory structure for deleted files ... 
1 recoverable inodes still lost.

4.查看恢复内容

$ cd /root/RECOVERED_FILES/
$ ls -l
total 11380
drwxr-xr-x. 6 root root      184 Aug  5 07:51 apache-tomcat-9.0.31
-rw-r--r--. 1 root root 11651113 Aug  5 07:51 apache-tomcat-9.0.31.zip
drwxr-xr-x. 6 root root      184 Aug  5 07:55 tomcat
#均已恢复

5.参数详解

--after dtime            #时间参数，表示在某段时间之后被删除的文件或目录
--before dtime           #时间参数，表示在某段时间之前被删除的文件或目录
--inode ino              #显示节点 ino 的信息
--block blk              #显示数据块 blk 的信息
--restore-inode ino      #表示恢复节点 ino 的文件，用来恢复单个文件
--restore-file path      #表示恢复指定路径下的文件，用来恢复目录下所有文件
--restore-all            #表示恢复所有被删除的目录跟文件

6.担心误删不能恢复可以为 Linux 添加一个类似回收站功能

点我查看回收站文章

Over ~