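On Linux there are many open-source data recovery tools; common ones include debugfs, R-Linux, ext3grep and extundelete. The most frequently used are ext3grep and extundelete. Both recover data on essentially the same principle, but extundelete is the more capable of the two. This article focuses on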
**************************************************
* Recovery with lsof *
**************************************************
lsof
If the file has only just been deleted and you want it back, try lsof first.
# lsof | grep data.file1
# cp /proc/xxx/xxx/xx /dir/data.file1
or ps -ef
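The same recovery without lsof, as an added example that is not part of the original article: while a process still holds the deleted file open, its content stays readable through that process's descriptor under /proc/<pid>/fd/<n>. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: recover a deleted file that a running process still has open.
# Run as the owner of that process or as root; other users' fd directories
# are unreadable and are skipped silently.

# list_deleted_open NAME
# Prints "pid fd target" for every open descriptor whose link target is a
# deleted file whose path ends in NAME.
list_deleted_open() {
    name=$1
    for link in /proc/[0-9]*/fd/*; do
        target=$(readlink "$link" 2>/dev/null) || continue
        case $target in
            *"$name (deleted)") ;;      # the kernel appends " (deleted)"
            *) continue ;;
        esac
        pid=${link#/proc/}; pid=${pid%%/*}
        fd=${link##*/}
        printf '%s %s %s\n' "$pid" "$fd" "$target"
    done
}

# recover_deleted_open NAME DEST
# Copies the content behind the first matching descriptor to DEST.
# Write DEST to a different file system than the one being recovered.
recover_deleted_open() {
    match=$(list_deleted_open "$1" | head -n 1)
    [ -n "$match" ] || { echo "no open handle for $1" >&2; return 1; }
    pid=${match%% *}
    rest=${match#* }
    fd=${rest%% *}
    cp "/proc/$pid/fd/$fd" "$2"
}
```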
**************************************************
* Recovery with extundelete *
**************************************************
The first thing to do is to unmount the partition that held the deleted data.
yum install gcc gcc-c++ gcc-g77
yum install e2fsprogs e2fsprogs-libs e2fsprogs-devel
[root@dg extundelete-0.2.4]# ./configure
Configuring extundelete 0.2.4
Writing generated files to disk
tar xjf extundelete-0.2.4.tar.bz2
cd extundelete-0.2.4
./configure
make && make install
[root@dg extundelete-0.2.4]# make
make -s all-recursive
Making all in src
extundelete.cc:571: 警告:未使用的参数‘flags’
[root@dg extundelete-0.2.4]# make install
Making install in src
/usr/bin/install -c extundelete '/usr/local/bin'
View the help:
[root@dg extundelete-0.2.4]# extundelete --help
Usage: extundelete [options] [--] device-file
Options:
  --version, -[vV]       Print version and exit successfully.
  --help,                Print this help and exit successfully.
  --superblock           Print contents of superblock in addition to the rest.
                         If no action is specified then this option is implied.
  --journal              Show content of journal.
  --after dtime          Only process entries deleted on or after 'dtime'.
  --before dtime         Only process entries deleted before 'dtime'.
Actions:
  --inode ino            Show info on inode 'ino'.
  --block blk            Show info on block 'blk'.
  --restore-inode ino[,ino,...]
                         Restore the file(s) with known inode number 'ino'.
                         The restored files are created in ./RECOVERED_FILES
                         with their inode number as extension (ie, file.12345).
  --restore-file 'path'  Will restore file 'path'. 'path' is relative to root
                         of the partition and does not start with a '/'
                         The restored file is created in the current
                         directory as 'RECOVERED_FILES/path'.
  --restore-files 'path' Will restore files which are listed in the file 'path'.
                         Each filename should be in the same format as an option
                         to --restore-file, and there should be one per line.
  --restore-directory 'path'
                         Will restore directory 'path'. 'path' is relative to the
                         root directory of the file system. The restored
                         directory is created in the output directory as 'path'.
  --restore-all          Attempts to restore everything.
  -j journal             Reads an external journal from the named file.
  -b blocknumber         Uses the backup superblock at blocknumber when opening
                         the file system.
  -B blocksize           Uses blocksize as the block size when opening the file
                         system. The number should be the number of bytes.
  --log 0                Make the program silent.
  --log filename         Logs all messages to filename.
  --log D1=0,D2=filename Custom control of log messages with comma-separated
   Examples below:       list of options. Dn must be one of info, warn, or
   --log info,error      error. Omission of the '=name' results in messages
   --log warn=0          with the specified level to be logged to the console.
   --log error=filename  If the parameter is '=0', logging for the specified
                         level will be turned off. If the parameter is
                         '=filename', messages with that level will be written
                         to filename.
  -o directory           Save the recovered files to the named directory.
                         The restored files are created in a directory
                         named 'RECOVERED_FILES/' by default.
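The options are:
--version, -[vV]: show the software version.
--help: show the help text.
--superblock: show superblock information.
--journal: show journal information.
--after dtime: time parameter; selects files or directories deleted after the given time.
--before dtime: time parameter; selects files or directories deleted before the given time.
The actions are:
--inode ino: show information on inode "ino".
--block blk: show information on data block "blk".
--restore-inode ino[,ino,...]: recovery option; restores the file with inode "ino". Restored files are placed automatically in the RECOVERED_FILES folder under the current directory, with the inode number as the extension.
--restore-file 'path': recovery option; restores the file at the given path and places it in the RECOVERED_FILES directory under the current directory.
--restore-files 'path': recovery option; restores all files listed in 'path'.
--restore-all: recovery option; attempts to restore all directories and files.
-j journal: read an external journal from the named file.
-b blocknumber: open the file system using a previously backed-up superblock; generally used to check whether the current superblock is the one you want.
-B blocksize: open the file system using the given block size; generally used when viewing files whose size is already known.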
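1> fuser -k /dev/part && umount /dev/<disk with the deleted data>   -- kill the processes accessing the disk, then umount the disk that held the deleted data
2> extundelete --inode 2 /dev/<disk with the deleted data>
3> extundelete --restore-inode 13 /dev/<disk with the deleted data>
4> The files are restored to RECOVERED_FILES/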
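After data has been deleted by mistake, the first thing to do is to unmount the partition that held it. If the deleted data was on the root partition,
boot the system into single-user mode and mount the root partition read-only. The reason is simple: deleting a file
only zeroes the sector pointers in the file's inode, while the file's actual content is still stored on disk. If the disk stays mounted read-write,
the data blocks of the deleted files may be reallocated by the operating system, and once those blocks are overwritten with new data the old data is truly lost
and no recovery tool can bring it back. So mount the disk read-only: this keeps the risk of the data blocks being overwritten as low as possible and raises the chance of a successful recovery.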
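A pre-flight check for the rule above, as an added example that is not part of the original article: it reads the mount table and refuses to continue while the target device is still mounted read-write. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: verify a device cannot be written to before recovery starts.

# mount_state DEVICE [MOUNTS_FILE]
# Prints "unmounted", "ro" or "rw" for DEVICE according to MOUNTS_FILE
# (default /proc/mounts; fields: device mountpoint fstype options dump pass).
# Note: the mount table may list the device under another name
# (for example a /dev/mapper path), so pass the name shown there.
mount_state() {
    dev=$1
    mounts=${2:-/proc/mounts}
    state=unmounted
    while read -r src _mnt _type opts _rest; do
        [ "$src" = "$dev" ] || continue
        case ",$opts," in
            *,rw,*) state=rw; break ;;   # any writable mount is unsafe
            *,ro,*) state=ro ;;          # keep looking for a writable one
        esac
    done < "$mounts"
    printf '%s\n' "$state"
}

# safe_to_recover DEVICE [MOUNTS_FILE]
# Succeeds only when DEVICE is unmounted or mounted read-only everywhere.
safe_to_recover() {
    case $(mount_state "$@") in
        unmounted|ro)
            return 0 ;;
        *)
            echo "refusing: $1 is mounted read-write;" \
                 "umount it or remount it read-only first" >&2
            return 1 ;;
    esac
}

# Typical use in front of a recovery run:
#   safe_to_recover /dev/sdb1 && extundelete /dev/sdb1 --restore-all
```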
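Delete 1.txt
Method 1: recover by inode
Find which partition the deleted file was on
[root@dg extundelete-0.2.4]# df -h
文件系统 容量 已用 可用 已用%% 挂载点
/dev/sda2 44G 3.0G 39G 8% /
tmpfs 1004M 76K 1004M 1% /dev/shm
/dev/sda1 194M 51M 134M 28% /boot
# extundelete /dev/sda4 --inode 2
mkdir test
extundelete /dev/sda4 --restore-inode 8001    # 8001 is the file's inode number
Compare the files
diff /etc/passwd recover_file/file12
If there is no output, the two files are identical.
Method 2: recover by file name
extundelete /dev/sdb1 --restore-file passwd
A RECOVERED_FILES directory is created in the current directory, holding the recovered files.
Method 3: recover by directory name
extundelete /dev/sdb1 --restore-directory /mongodb
Method 4: recover all mistakenly deleted files:
extundelete /dev/sdb1 --restore-all
extundelete can also recover the data deleted within a particular time range, through the "--after" and "--before" parameters
Empty files and empty directories cannot be recovered.
Method 4:
extundelete /dev/sda4 --restore-all a
extundelete cannot recover empty files or empty directories.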
*********************************************************************************
Using debugfs
Use debugfs to find the inode of the deleted file, then work out how to recover it.
[root@hs12 ~]# debugfs /dev/sdb1
debugfs 1.41.12 (17-May-2010)
debugfs:
debugfs: lsdel
Inode Owner Mode Size Blocks Time deleted
0 deleted inodes found.
Permanent link to this article: http://www.linuxidc.com/Linux/2016-01/127804.htm