centos6,ext4文件系统上恢复被误删除的文件
指尖二进制 • 1 年前 • 768 次点击 • LINUX
Linux文件系统由三部分组成:文件名,inode,block
windows也由这三部分组成。
a.txt 文件名
-->inode 存放文件元数据信息
--> block 真正存放数据
查看inode号:
常识:每个文件,有一个inode号。
[root@localhost ~]# cp /etc/passwd a.txt
[root@localhost ~]# ls -i a.txt
135250 a.txt查看inode中的文件属性; 通过stat命令查看inode中包含的内容
[root@localhost ~]# stat a.txt
File: "a.txt"
Size: 1576 Blocks: 8 IO Block: 4096 普通文件
Device: fd00h/64768d Inode: 135250 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2018-10-18 11:31:17.486247415 +0800
Modify: 2018-10-18 11:31:17.487247397 +0800
Change: 2018-10-18 11:31:17.487247397 +0800
[root@localhost ~]# ls -l a.txt
-rw-r--r--. 1 root root 1576 10月 18 11:31 a.txtblock块:真正存储数据的地方
逻辑删除:
删除的时候只删除了文件的名字 inode 并没有删除掉,理解成可用状态,可以被其他人使用了。删除之后通过 inode 还可以看到文件的名字,当然也可以找回文件。
只要是误删除之后数据没有被人改写,就能找回来。改写之后花钱去吧。
误删除文件后第一件事情就是要卸载需要恢复文件的分区或以只读方式挂在,避免文件内容被覆盖。
加一块儿硬盘。分区、格式化、挂载
[root@localhost ~]# fdisk /dev/sdb
[root@localhost ~]# mkfs.ext4 /dev/sdb1
[root@localhost ~]# mount /dev/sdb1 /sdb1/创建测试文件
[root@localhost ~]# cp /etc/passwd /sdb1/
[root@localhost ~]# cp /etc/hosts /sdb1/
[root@localhost ~]# echo aaa > a.txt
[root@localhost ~]# mkdir -p /sdb1/a/b/c
[root@localhost ~]# cp a.txt /sdb1/a/
[root@localhost ~]# cp a.txt /sdb1/a/b/
[root@localhost ~]# touch /sdb1/a/b/kong.txt安装tree命令
[root@localhost ~]# rpm -ivh /mnt/Packages/tree-1.5.3-3.el6.x86_64.rpm
[root@localhost ~]# tree /sdb1/
/sdb1/
├── a
│ ├── a.txt
│ └── b
│ ├── a.txt
│ ├── c
│ └── kong.txt
├── hosts
├── lost+found
└── passwd删除文件
[root@localhost ~]# cd /sdb1/
[root@localhost sdb1]# ls
a hosts lost+found passwd
[root@localhost sdb1]# rm -rf * 上面说过,误删除之后第一件事情要卸载需要恢复的分区。
[root@localhost sdb1]# cd
[root@localhost ~]#
[root@localhost ~]# umount /sdb1/安装extundelet
[root@localhost ~]# tar jxvf extundelete-0.2.4.tar.bz2
[root@localhost ~]# cd extundelete-0.2.4
[root@localhost extundelete-0.2.4]# yum install -y e2fsprogs-devel gcc-c++
[root@localhost extundelete-0.2.4]# ./configure #检查系统安装环境
[root@localhost extundelete-0.2.4]# make -j 4 #编译,把源代码编译成可执行的二进制文件。 -j 4 使用4进程同时编译,提升编译速度或使用4核CPU同时编译。
[root@localhost extundelete-0.2.4]# make install #安装查看是否安装成功
[root@localhost extundelete-0.2.4]# ls /usr/local/bin/extundelete
/usr/local/bin/extundelete开始恢复
[root@localhost ~]# mkdir test #恢复使用
[root@localhost ~]# cd test/通过inode结点查看被删除的文件名字:::在最下面。注意看,passwd、hosts、a后面都有deleted。这个就是删除的。
[root@localhost test]# extundelete /dev/sdb1 --inode 2
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 9 groups loaded.
Group: 0
Contents of inode 2:
0000 | ed 41 00 00 00 10 00 00 9d 13 c8 5b f3 25 c8 5b | .A.........[.%.[
0010 | f3 25 c8 5b 00 00 00 00 00 00 03 00 08 00 00 00 | .%.[............
0020 | 00 00 00 00 06 00 00 00 4b 00 00 00 00 00 00 00 | ........K.......
0030 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0040 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0050 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0060 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0070 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0080 | 1c 00 00 00 1c b4 a4 78 1c b4 a4 78 44 a9 fc 38 | .......x...xD..8
0090 | 5b 0c c8 5b 00 00 00 00 00 00 00 00 00 00 00 00 | [..[............
00a0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00b0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00c0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00d0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00e0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00f0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
Inode is Allocated
File mode: 16877
Low 16 bits of Owner Uid: 0
Size in bytes: 4096
Access time: 1539838877
Creation time: 1539843571
Modification time: 1539843571
Deletion Time: 0
Low 16 bits of Group Id: 0
Links count: 3
Blocks count: 8
File flags: 0
File version (for NFS): 0
File ACL: 0
Directory ACL: 0
Fragment address: 0
Direct blocks: 75, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
Indirect block: 0
Double indirect block: 0
Triple indirect block: 0
File name | Inode number | Deleted status
. 2
.. 2
lost+found 11
passwd 12 Deleted
hosts 13 Deleted
a 7377 Deleted扩展:ext4文件系统的分区根目录的inode值为2,xfs分区根目录的inode值为64
ext4文件系统
[root@localhost test]# ls -id /sdb1/
2 /sdb1/xfs文件系统
[root@localhost test]# ls -id /sdb1/
64 /sdb1/方法1:通过inode结点恢复
[root@localhost test]# extundelete /dev/sdb1 --restore-inode 12
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 9 groups loaded.
Loading journal descriptors ... 62 descriptors loaded.
[root@localhost test]# ls
RECOVERED_FILES
[root@localhost test]# cd RECOVERED_FILES/
[root@localhost RECOVERED_FILES]# ls
file.12
[root@localhost RECOVERED_FILES]# vim file.12 没有任何输出说明一样的
[root@localhost RECOVERED_FILES]# diff /etc/passwd file.12方法二:通过文件名恢复
[root@localhost test]# extundelete /dev/sdb1 --restore-file passwd
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 9 groups loaded.
Loading journal descriptors ... 62 descriptors loaded.
Successfully restored file passwd
[root@localhost test]# cd RECOVERED_FILES/
[root@localhost RECOVERED_FILES]# ls
file.12 passwd
[root@localhost test]# cdiff /etc/passwd RECOVERED_FILES/passwd方法三:恢复某个目录,如目录a下的所有文件
[root@localhost test]# extundelete /dev/sdb1 --restore-directory a
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 9 groups loaded.
Loading journal descriptors ... 63 descriptors loaded.
Searching for recoverable inodes in directory a ...
7 recoverable inodes found.
Looking through the directory structure for deleted files ...
3 recoverable inodes still lost.方法四:恢复所有的文件
[root@localhost test]# extundelete /dev/sdb1 --restore-all在tree查看一下恢复的文件,与之前的做一下对比。
[root@localhost test]# tree RECOVERED_FILES/