Under Linux there are many open-source data recovery tools. Common ones are debugfs, R-Linux, ext3grep and extundelete; the most commonly used are ext3grep and extundelete. The two tools recover data on basically the same principle, but extundelete is more powerful. This article focuses
**************************************************
* Lsof recovery mode *
**************************************************
lsof
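If a file has just been deleted and you want to restore it, try lsof first. If a process still has the file open, lsof shows that process, and the file can be copied back out from under /proc.
# lsof | grep data.file1
# cp /proc/xxx/xxx/xx /dir/data.file1
Or use ps -ef to find the process.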
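The lsof method works because the kernel keeps a deleted file's inode alive for as long as some process holds a descriptor on it. The following is an added example, not part of the original article, that reproduces the situation in a throwaway temporary directory and copies the file back out; the function name, file contents and the `sleep` stand-in process are made up for the demonstration, and it assumes Linux with /proc mounted.

```shell
#!/bin/sh
# Added demonstration: recover a deleted file that another process still has open.
# Everything happens in a temporary directory; all names are made up.

# recover_deleted_open DEST: writes the recovered copy to DEST, returns 0 on success.
recover_deleted_open() {
    dest=$1
    workdir=$(mktemp -d) || return 1
    victim="$workdir/data.file1"
    printf 'row 1\nrow 2\n' > "$victim"

    # Stand-in for the application: a background process that inherits an
    # open descriptor on the file (opened before the fork, so there is no race).
    exec 9< "$victim"
    sleep 60 > /dev/null 2>&1 &
    holder=$!
    exec 9<&-

    rm -f "$victim"                      # the accidental deletion

    # What "lsof | grep data.file1" reports: the holder's PID and an FD whose
    # target is the old path, normally suffixed with " (deleted)".
    found=
    for fd in /proc/"$holder"/fd/*; do
        case $(readlink "$fd") in
            */data.file1*) found=$fd ;;
        esac
    done

    status=1
    if [ ! -e "$victim" ] && [ -n "$found" ]; then
        # The data lives until the last descriptor closes; copy it out now.
        cp "$found" "$dest" && status=0
    fi

    kill "$holder" 2>/dev/null || :
    wait "$holder" 2>/dev/null || :
    rm -rf "$workdir"
    return $status
}
```

On a real system the copy has to be made before the holding process exits or closes the file; after that the blocks are freed and only the file-system level methods below apply.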
**************************************************
* Extundelete recovery mode *
**************************************************
The first thing to do is to unmount the partition where the deleted data resides; the case where the data was mistakenly deleted from the root partition is described below.
Install the build dependencies:
yum install gcc gcc-c++ gcc-g77
yum install e2fsprogs e2fsprogs-libs e2fsprogs-devel
Unpack, build and install extundelete:
tar xjf extundelete-0.2.4.tar.bz2
cd extundelete-0.2.4
./configure
make && make install
Output of the individual steps:
[root@dg extundelete-0.2.4]# ./configure
Configuring extundelete 0.2.4
Writing generated files to disk
[root@dg extundelete-0.2.4]# make
make -s all-recursive
Making all in src
extundelete.cc:571: Warning: The parameter is not used 'flags'
[root@dg extundelete-0.2.4]# make install
Making install in src
/usr/bin/install -c extundelete '/usr/local/bin'
--- View Help
[root@dg extundelete-0.2.4]# extundelete --help
Usage: extundelete [options] [--] device-file
Options:
  --version, -[vV]       Print version and exit successfully.
  --help,                Print this help and exit successfully.
  --superblock           Print contents of superblock in addition to the rest.
                         If no action is specified then this option is implied.
  --journal              Show content of journal.
  --after dtime          Only process entries deleted on or after 'dtime'.
  --before dtime         Only process entries deleted before 'dtime'.
Actions:
  --inode ino            Show info on inode 'ino'.
  --block blk            Show info on block 'blk'.
  --restore-inode ino[,ino,...]
                         Restore the file(s) with known inode number 'ino'.
                         The restored files are created in ./RECOVERED_FILES
                         with their inode number as extension (ie, file.12345).
  --restore-file 'path'  Will restore file 'path'. 'path' is relative to root
                         of the partition and does not start with a '/'
                         The restored file is created in the current
                         directory as 'RECOVERED_FILES/path'.
  --restore-files 'path' Will restore files which are listed in the file 'path'.
                         Each filename should be in the same format as an option
                         to --restore-file, and there should be one per line.
  --restore-directory 'path'
                         Will restore directory 'path'. 'path' is relative to the
                         root directory of the file system. The restored
                         directory is created in the output directory as 'path'.
  --restore-all          Attempts to restore everything.
  -j journal             Reads an external journal from the named file.
  -b blocknumber         Uses the backup superblock at blocknumber when opening
                         the file system.
  -B blocksize           Uses blocksize as the block size when opening the file
                         system. The number should be the number of bytes.
  --log 0                Make the program silent.
  --log filename         Logs all messages to filename.
  --log D1=0,D2=filename Custom control of log messages with comma-separated
   Examples below:       list of options. Dn must be one of info, warn, or
   --log info,error      error. Omission of the '=name' results in messages
   --log warn=0          with the specified level to be logged to the console.
   --log error=filename  If the parameter is '=0', logging for the specified
                         level will be turned off. If the parameter is
                         '=filename', messages with that level will be written
                         to filename.
  -o directory           Save the recovered files to the named directory.
                         The restored files are created in a directory
                         named 'RECOVERED_FILES/' by default.
The parameters (options) are:
--version, -[vV]: display the software version number.
--help: display the software help.
--superblock: display the superblock information.
--journal: display the journal information.
--after dtime: time parameter; only process files or directories deleted after the given time.
--before dtime: time parameter; only process files or directories deleted before the given time.
The actions are:
--inode ino: display information about inode "ino".
--block blk: display information about data block "blk".
--restore-inode ino[,ino,...]: restore command; restores the file(s) with inode number "ino". Restored files are placed automatically in the RECOVERED_FILES folder under the current directory, with the inode number as the extension.
--restore-file 'path': restore command; restores the file at the specified path. The restored file is placed in RECOVERED_FILES under the current directory.
--restore-files 'path': restore command; restores all the files listed in the file 'path'.
--restore-all: restore command; tries to recover all directories and files.
-j journal: reads an external journal from the named file.
-b blocknumber: opens the file system using the backup superblock at the given block number; generally used to check whether the existing superblock is the desired one.
-B blocksize: opens the file system using the given block size; generally used when the size is already known.
1> fuser -km /dev/part && umount /dev/<disk with deleted data>    - kill the processes accessing the disk, then unmount the disk holding the deleted data
2> extundelete --inode 2 /dev/<disk with deleted data>
3> extundelete --restore-inode 13 /dev/<disk with deleted data>
4> The files are restored to RECOVERED_FILES/
After data has been accidentally deleted, the first thing to do is to unmount the partition where the data resides. If the data was mistakenly deleted from the root partition,
the system needs to be brought into single-user mode with the root partition mounted read-only. The reason is simple: when a file is deleted,
only the sector pointers in the file's inode are cleared, and the actual file contents remain on disk. If the disk stays mounted read-write,
the operating system can reallocate the data blocks of the deleted file; once those blocks are overwritten by new data, the data is really lost
and recovery tools are powerless. Mounting the disk read-only therefore minimizes the risk of the data blocks being overwritten and improves the chance of successful recovery.
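A pre-flight check for the rule above, as an added example that is not part of the original article: it reports whether a device is unmounted, mounted read-only or mounted read-write, and refuses to go on in the last case. The function names and the sample mount table are constructed for illustration, and it assumes the device appears in /proc/mounts under exactly the name given (not as /dev/root, a UUID or a device-mapper alias).

```shell
#!/bin/sh
# Added example: check how a device is mounted before running a recovery tool on it.

# mount_state DEVICE [MOUNTS_FILE]: prints "unmounted", "ro" or "rw".
mount_state() {
    dev=$1
    mounts=${2:-/proc/mounts}
    awk -v dev="$dev" '
        $1 == dev {
            # Field 4 holds the comma-separated mount options.
            n = split($4, opts, ",")
            mode = "ro"
            for (i = 1; i <= n; i++) if (opts[i] == "rw") mode = "rw"
            # A single read-write mount point is enough to make the device unsafe.
            if (mode == "rw") state = "rw"
            else if (state == "") state = "ro"
        }
        END { print (state == "" ? "unmounted" : state) }
    ' "$mounts"
}

# safe_to_scan DEVICE [MOUNTS_FILE]: succeeds only when freed blocks cannot be reused.
safe_to_scan() {
    case $(mount_state "$@") in
        rw)
            echo "refusing: $1 is mounted read-write; unmount it or remount it read-only first" >&2
            return 1 ;;
        *)
            return 0 ;;
    esac
}

# Constructed sample in /proc/mounts format (device, mount point, type, options, dump, pass).
SAMPLE_MOUNTS='/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda1 /boot ext4 ro,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0'
```

Called as `safe_to_scan /dev/sdb1 && extundelete /dev/sdb1 --restore-all`, the restore only starts when the partition is unmounted or read-only.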
Delete 1.txt
Method 1: recover by inode
See which partition the deleted file is on:
[root@dg extundelete-0.2.4]# df -h
Filesystem  Size   Used  Avail  Use%  Mounted on
/dev/sda2   44G    3.0G  39G    8%    /
tmpfs       1004M  76K   1004M  1%    /dev/shm
/dev/sda1   194M   51M   134M   28%   /boot
Inode 2 is the root directory of the file system; listing it shows the entries in that directory, including deleted ones, with their inode numbers:
# extundelete /dev/sda4 --inode 2
mkdir test
extundelete /dev/sda4 --restore-inode 8001    # restores the file
Compare the files:
diff /etc/passwd recover_file/file12
If there is no output, the two files are exactly the same.
Method 2: recover by file name
extundelete /dev/sdb1 --restore-file passwd
A RECOVERED_FILES directory is created in the current directory, and the restored file is saved there.
Method 3: restore by directory name
extundelete /dev/sdb1 --restore-directory /mongodb
Method 4: restore all accidentally deleted files
extundelete /dev/sdb1 --restore-all
The same on /dev/sda4:
extundelete /dev/sda4 --restore-all
extundelete can also restore data deleted within a given period of time, using the "--after" and "--before" parameters.
extundelete cannot restore empty files or empty directories.
**************************************************
* Use debugfs *
**************************************************
The idea is to use debugfs to find the inode of the deleted file and then recover it.
[root@hs12 ~]# debugfs /dev/sdb1
debugfs 1.41.12 (17-May-2010)
debugfs:
debugfs: lsdel
 Inode  Owner  Mode    Size    Blocks   Time deleted
0 deleted inodes found.