1.介质下载
路径:
链接:extundelete
提取码:ztj0
版本:extundelete.0.2.4
2.实验环境
1.CentOS6.8
系统版本命令:
cat /etc/redhat-release
2.磁盘:/dev/sdb
磁盘查看命令:
lsblk |grep "sdb"
3.分区大小:5G(ext4文件系统),/dev/sdb1并挂载至/tmp/sdb1
分区命令:
echo -e "o\nn\np\n1\n\n+5G\nw" | fdisk /dev/sdb
格式化命令:
mkfs.ext4 /dev/sdb1
挂载命令:
mount /dev/sdb1 /tmp/sdb1
磁盘挂载后的验证:
3.误删除文件步骤恢复
1.创建空⽂件, 空⽬录,普通⽂件,普通目录
命令:
cd /tmp/sdb1
chmod +x a.sh
./a.sh
#a.sh源码
cp /etc/passwd /tmp/sdb1 cp /etc/hosts /tmp/sdb1 echo aaa >> a.txt mkdir -p /tmp/sdb1/a/b/c cp a.txt /tmp/sdb1/a/b/ cp a.txt /tmp/sdb1/a/ touch kong.txt cp kong.txt /tmp/sdb1/a/b/
共计:3个目录,8个文件
2.模式删除/tmp/sdb1(/dev/sdb1)下的文件
命令:
cd /tmp/sdb1
rm -rf *
cd
3.卸载/dev/sdb1
df -h
umount /dev/sdb1
df -h
4.上传恢复工具软件extundelete-0.2.4.tar.bz2
命令:
rz -byE
5.解压并设置软链接
命令:
tar -jxvf extundelete-0.2.4.tar.bz2
ln -sv extundelete-0.2.4 extundelete
6.安装编译包
命令:
yum install -y gcc gcc-c++ e2fsprogs e2fsprogs-libs e2fsprogs-devel
7.编译源码包
cd /root/extundelete
./configure && make && make install && echo "Success"
8.查看哪些文件被删除
命令:
cd /root
extundelete /dev/sdb1 --inode 2 #2含义:ext4文件系统的分区根目录的inode值为2
[root@centos68 ~]# cd /root [root@centos68 ~]# extundelete /dev/sdb1 --inode 2 NOTICE: Extended attributes are not restored. Loading filesystem metadata ... 41 groups loaded. Group: 0 Contents of inode 2: 0000 | ed 41 00 00 00 10 00 00 a9 10 6f 64 bc 11 6f 64 | .A........od..od 0010 | bc 11 6f 64 00 00 00 00 00 00 02 00 08 00 00 00 | ..od............ 0020 | 00 00 00 00 17 00 00 00 b2 20 00 00 00 00 00 00 | ......... ...... 0030 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 0040 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 0050 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 0060 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 0070 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 0080 | 1c 00 00 00 f0 3e f4 4d f0 3e f4 4d cc 37 54 89 | .....>.M.>.M.7T. 0090 | 73 0b 6f 64 00 00 00 00 00 00 00 00 00 00 00 00 | s.od............ 00a0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 00b0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 00c0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 00d0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 00e0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 00f0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ Inode is Allocated File mode: 16877 Low 16 bits of Owner Uid: 0 Size in bytes: 4096 Access time: 1685000361 Creation time: 1685000636 Modification time: 1685000636 Deletion Time: 0 Low 16 bits of Group Id: 0 Links count: 2 Blocks count: 8 File flags: 0 File version (for NFS): 0 File ACL: 0 Directory ACL: 0 Fragment address: 0 Direct blocks: 8370, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 Indirect block: 0 Double indirect block: 0 Triple indirect block: 0 File name | Inode number | Deleted status . 2 .. 2 a.sh 11 Deleted passwd 12 Deleted hosts 13 Deleted a.txt 14 Deleted a 128257 Deleted kong.txt 15 Deleted [root@centos68 ~]#
9.执行恢复
执行恢复的方式:
1)通过inode号(extundelete /dev/sdb1 --restore-inode InodeNum)
2)通过file文件名(extundelete /dev/sdb1 --restore-file FileName)
3)通过directory目录名(extundelete /dev/sdb1 --restore-directory DirectoryName)
4)all全部恢复(extundelete /dev/sdb1 --restore-all)
本实验以4)方式实现误删文件的全部恢复
命令:
cd /root
extundelete /dev/sdb1 --restore-all
10.验证
1)执行extundelete恢复出的文件存放在当前路径的RECOVERED_FILES目录下
2)extundelete在恢复文件的时候不会恢复之前创建的空文件和空目录
备注:
1.使用extundelete命令只能恢复centos6(rhel6)版本且文件系统为ext4(3/2)类型中文件误删的恢复。
2.对于centos7文件系统(xfs),通过在其挂载文件系统,并设置为ext4(3/2)类型来进行文件误删的恢复,命令extundelete命令是恢复不了,必须得是centos6(rhel6)版本且文件系统为ext4(3/2)类型的才行。
