【extundelete】Linux資料恢複軟體

    在Linux系統中，常見的資料恢複工具有extundelete、ext3grep、debugfs和R-Linux等。

    extundelete可以恢複Linux下的ext3、ext4檔案系統下被誤删的檔案，支援單個檔案、單個目錄、inode、block和完整磁盤的恢複等。

一、安裝extundelete

1、下載下傳extundelete

wget https://sourceforge.net/project/platformdownload.php?group_id=260221

2、安裝依賴軟體

[root@www ~]# rpm -qa |grep e2fsprogs*

e2fsprogs-libs-1.41.12-22.el6.x86_64

e2fsprogs-1.41.12-22.el6.x86_64

e2fsprogs-devel-1.41.12-22.el6.x86_6

3、編譯安裝extundelete（編譯過程報錯，需要安裝e2fsprogs-devel軟體包）

[root@www extundelete-0.2.4]# ./configure

Configuring extundelete 0.2.4

configure: error: Can't find ext2fs library

Writing generated files to disk

[root@www extundelete-0.2.4]# make

[root@www extundelete-0.2.4]# make install

Making install in src

  /usr/bin/install -c extundelete '/usr/local/bin'

4、檢視extundelete幫助資訊

[root@www ~]# extundelete --help

Usage: extundelete [options] [--] device-file

Options:

  --version, -[vV]       Print version and exit successfully.

  --help,                Print this help and exit successfully.

  --superblock           Print contents of superblock in addition to the rest.

                         If no action is specified then this option is implied.

  --journal              Show content of journal.

  --after dtime          Only process entries deleted on or after 'dtime'.

  --before dtime         Only process entries deleted before 'dtime'.

Actions:

  --inode ino            Show info on inode 'ino'.

  --block blk            Show info on block 'blk'.

  --restore-inode ino[,ino,...]

                         Restore the file(s) with known inode number 'ino'.

                         The restored files are created in ./RECOVERED_FILES

                         with their inode number as extension (ie, file.12345).

  --restore-file 'path'  Will restore file 'path'. 'path' is relative to root

                         of the partition and does not start with a '/'

                         The restored file is created in the current

                         directory as 'RECOVERED_FILES/path'.

  --restore-files 'path' Will restore files which are listed in the file 'path'.

                         Each filename should be in the same format as an option

                         to --restore-file, and there should be one per line.

  --restore-directory 'path'

                         Will restore directory 'path'. 'path' is relative to the

                         root directory of the file system.  The restored

                         directory is created in the output directory as 'path'.

  --restore-all          Attempts to restore everything.

  -j journal             Reads an external journal from the named file.

  -b blocknumber         Uses the backup superblock at blocknumber when opening

                         the file system.

  -B blocksize           Uses blocksize as the block size when opening the file

                         system.  The number should be the number of bytes.

  --log 0                Make the program silent.

  --log filename         Logs all messages to filename.

--log D1=0,D2=filename   Custom control of log messages with comma-separated

   Examples below:       list of options.  Dn must be one of info, warn, or

   --log info,error      error.  Omission of the '=name' results in messages

   --log warn=0          with the specified level to be logged to the console.

   --log error=filename  If the parameter is '=0', logging for the specified

                         level will be turned off.  If the parameter is

                         '=filename', messages with that level will be written

                         to filename.

   -o directory          Save the recovered files to the named directory.

                         The restored files are created in a directory

                         named 'RECOVERED_FILES/' by default.

二、利用extundelete單個檔案

    恢複前提：需要解除安裝被誤删除資料所在的磁盤或分區。

1、檢視分區資訊，利用/disk1試驗

[root@www ~]# df -Th

Filesystem     Type   Size  Used Avail Use% Mounted on

/dev/sda3      ext4   8.7G  3.5G  4.9G  42% /

tmpfs          tmpfs  491M     0  491M   0% /dev/shm

/dev/sda1      ext4   194M   27M  158M  15% /boot

/dev/sdb5      ext4   796M   17M  739M   3% /mnt

/dev/sdb1      ext4  1020M   34M  935M   4% /disk1

2、檢視/disk1分區下的資料

[root@www ~]# cd /disk1/

[root@www disk1]# ls

extundelete-0.2.4.tar.bz2  install.log.syslog  lost+found  passwd  test.txt

[root@www disk1]# cat test.txt 

11111

[root@www disk1]# md5sum passwd 

b65232cd93267437cc2691fb16a8f7ff  passwd

[root@www disk1]# md5sum test.txt 

fa8f294721ab3fbb37793c68ff2cf09b  test.txt

3、删除/disk1分區下的資料

[root@www disk1]# rm -rf ./*

4、解除安裝/disk1分區

[root@www disk1]# cd

[root@www ~]# umount /disk1/

5、查詢可恢複的資料，帶有Deleted标記的表示已經删除的檔案

[root@www ~]# extundelete /dev/sdb1 --inode 2

......

File name                                       | Inode number | Deleted status

.                                                 2

..                                                2

lost+found                                        11             Deleted

test.txt                                          12             Deleted

install.log.syslog                                13             Deleted

extundelete-0.2.4.tar.bz2                         14             Deleted

passwd                                            15             Deleted

6、恢複删除的檔案

[root@www ~]# extundelete /dev/sdb1 --restore-file test.txt

NOTICE: Extended attributes are not restored.

Loading filesystem metadata ... 9 groups loaded.

Loading journal descriptors ... 54 descriptors loaded.

Successfully restored file test.txt

[root@www ~]# extundelete /dev/sdb1 --restore-file passwd

Successfully restored file passwd

[root@www ~]# extundelete /dev/sdb1 --restore-file extundelete-0.2.4.tar.bz2

Successfully restored file extundelete-0.2.4.tar.bz2

    恢複過程中，extundelete會在目前目錄下生成一個存放恢複後檔案的存放目錄RECOVERED_FILES

--restore-file參數說明：指定檔案的存儲路徑，如果原檔案的存儲路徑為/disk1/data/test.txt，則在參數後指定data/test.txt即可。

[root@www ~]# ls RECOVERED_FILES/

extundelete-0.2.4.tar.bz2  passwd  test.txt

[root@www ~]# cat RECOVERED_FILES/test.txt 

[root@www ~]# md5sum RECOVERED_FILES/test.txt   //md5校驗結果

fa8f294721ab3fbb37793c68ff2cf09b  RECOVERED_FILES/test.txt

三、恢複單個目錄

1、建立測試目錄

[root@www ~]# mount /dev/sdb1 /disk1/

[root@www disk1]# mkdir dir1

[root@www disk1]# cp /etc/passwd dir1/passwd

2、删除目錄，并解除安裝分區

[root@www disk1]# cd 

[root@www ~]# rm -rf /disk1/*

[root@www ~]# umount /dev/sdb1

3、恢複目錄

dir1                                              11             Deleted

[root@www ~]# extundelete /dev/sdb1 --restore-directory /dir1

Loading journal descriptors ... 51 descriptors loaded.

Searching for recoverable inodes in directory /dir1 ... 

5 recoverable inodes found.

Looking through the directory structure for deleted files ... 

4 recoverable inodes still lost.

[root@www ~]# ll RECOVERED_FILES/dir1/passwd 

-rw-r--r-- 1 root root 2213 Dec 28 15:23 RECOVERED_FILES/dir1/passwd

四、恢複所有誤删的資料

[root@www ~]# extundelete /dev/sdb1 --restore-all

dir1  extundelete-0.2.4.tar.bz2  install.log.syslog  passwd

五、恢複某個時間段的資料

指定參數--before和--after

[root@www ~]# extundelete --before 1451288304 --restore-all /dev/sdb1

Only show and process deleted entries if they are deleted before 1451288304.

Searching for recoverable inodes in directory / ... 

0 recoverable inodes still lost.

extundelete-0.2.4.tar.bz2  install.log.syslog  passwd  passwd.v1  test.txt

本文轉自 HMLinux 51CTO部落格，原文連結:http://blog.51cto.com/7424593/1732064