在日常操作中,难免会误删除一些文件,然后想找回.
- 情况一
删除的文件被进程正在调用
- 情况二
删除的文件没有被进程调用
情况一的演示及恢复
系统版本:CentOS release 6.9 (Final)
开启两个终端
第一个终端,生成测试文件
第二个终端,使用tail -f查看文件,并占用
然后第一个终端,进行删除文件
查看123.txt文件已经在当前目录不存在了.
使用lsof命令查看被删除的文件,查看tail命令,进程号是4868,文件/root/wukang/123.txt被删除的状态.
/proc是一个伪文件系统,里面都是内存里面的数据,包含进程,文件描述符,文件链接等信息.
[root@ljsd-test-23 wukang]# lsof |grep deletetail 4868 root 3r REG 8,3 33 29889765 /root/wukang/123.txt (deleted)[root@ljsd-test-23 wukang]# cd /proc/4868/fd[root@ljsd-test-23 fd]# ls0 1 2 3 4[root@ljsd-test-23 fd]# lltotal 0lrwx------ 1 root root 64 May 28 15:31 0 -> /dev/pts/1lrwx------ 1 root root 64 May 28 15:31 1 -> /dev/pts/1lrwx------ 1 root root 64 May 28 15:31 2 -> /dev/pts/1lr-x------ 1 root root 64 May 28 15:31 3 -> /root/wukang/123.txt (deleted)lr-x------ 1 root root 64 May 28 15:31 4 -> inotify[root@ljsd-test-23 fd]# cp 3 /root/wukang/456.txt[root@ljsd-test-23 fd]# cat /root/wukang/456.txttestdeletetestdeletetestdelete
至此,123.txt文件已经恢复了成456.txt文件了.
情况二的演示及恢复
准备一块磁盘/dev/sdb,格式化成ext4格式
新建/wukang目录,并将sdb挂载至/wukang
拷贝文件和一些目录到/wukang目录下
[root@ljsd-test-23 ~]# cp /var/log/messages /wukang/
[root@ljsd-test-23 ~]# cp -r /etc/init.d/ /wukang/
[root@ljsd-test-23 ~]# cp -r /tmp/ /wukang/
[root@ljsd-test-23 ~]# tree /wukang/
/wukang/
├── init.d
│ ├── auditd
│ ├── blk-availability
│ ├── crond
│ ├── functions
│ ├── halt
│ ├── ip6tables
│ ├── iptables
│ ├── iscsi
│ ├── iscsid
│ ├── killall
│ ├── lvm2-lvmetad
│ ├── lvm2-monitor
│ ├── mdmonitor
│ ├── multipathd
│ ├── netconsole
│ ├── netfs
│ ├── network
│ ├── ntpdate
│ ├── postfix
│ ├── rdisc
│ ├── restorecond
│ ├── rsyslog
│ ├── salt-minion
│ ├── sandbox
│ ├── saslauthd
│ ├── single
│ ├── sshd
│ ├── udev-post
│ └── zabbix_agentd
├── lost+found
├── messages
└── tmp
├── hsperfdata_root
│ └── 1642
├── supervisord.log
├── supervisord.pid
├── supervisor.sock
├── yum.log
├── yum_save_tx-2019-12-18-18-23SyM6FG.yumtx
└── zabbix_agentd.log
4 directories, 37 files
删除/wukang目录下的所有文件,并查看,已经没有任何文件了
[root@ljsd-test-23 ~]# rm -rf /wukang/*
[root@ljsd-test-23 ~]# ls /wukang/
文件被删除后,应该立刻卸载磁盘,防止数据二次写入.
[root@ljsd-test-23 ~]# umount /dev/sdb
安装恢复工具extundelete
yum -y install bzip2 e2fsprogs e2fsprogs-devel gcc-c++
wget https://nchc.dl.sourceforge.net/project/extundelete/extundelete/0.2.4/extundelete-0.2.4.tar.bz2
tar jxvf extundelete-0.2.4.tar.bz2
cd extundelete-0.2.4
./configure
make && make install
扫描sdb盘所有的数据 extundelete /dev/sdb —inode 2
linux /的inode号固定是2
[root@ljsd-test-23 ~]# extundelete /dev/sdb --inode 2
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 1864 groups loaded.
Group: 0
Contents of inode 2:
0000 | ed 41 00 00 00 10 00 00 66 6d cf 5e 64 6d cf 5e | .A......fm.^dm.^
0010 | 64 6d cf 5e 00 00 00 00 00 00 02 00 08 00 00 00 | dm.^............
0020 | 00 00 00 00 07 00 00 00 21 24 00 00 00 00 00 00 | ........!$......
0030 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0040 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0050 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0060 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0070 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0080 | 1c 00 00 00 28 98 63 47 28 98 63 47 7c 6c 29 09 | ....(.cG(.cG|l).
0090 | ac 6b cf 5e 00 00 00 00 00 00 00 00 00 00 00 00 | .k.^............
00a0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00b0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00c0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00d0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00e0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00f0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
Inode is Allocated
File mode: 16877
Low 16 bits of Owner Uid: 0
Size in bytes: 4096
Access time: 1590652262
Creation time: 1590652260
Modification time: 1590652260
Deletion Time: 0
Low 16 bits of Group Id: 0
Links count: 2
Blocks count: 8
File flags: 0
File version (for NFS): 0
File ACL: 0
Directory ACL: 0
Fragment address: 0
Direct blocks: 9249, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
Indirect block: 0
Double indirect block: 0
Triple indirect block: 0
File name | Inode number | Deleted status
. 2
.. 2
lost+found 11 Deleted
messages 12 Deleted
init.d 6815745 Deleted
tmp 131073 Deleted
恢复这个分区的数据 extundelete /dev/sdb —restore-all
[root@ljsd-test-23 ~]# extundelete /dev/sdb --restore-all
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 1864 groups loaded.
Loading journal descriptors ... 67 descriptors loaded.
Searching for recoverable inodes in directory / ...
40 recoverable inodes found.
Looking through the directory structure for deleted files ...
0 recoverable inodes still lost.
[root@ljsd-test-23 ~]# ls RECOVERED_FILES/
init.d messages tmp
[root@ljsd-test-23 ~]# tree RECOVERED_FILES/
RECOVERED_FILES/
├── init.d
│ ├── auditd
│ ├── blk-availability
│ ├── crond
│ ├── functions
│ ├── halt
│ ├── ip6tables
│ ├── iptables
│ ├── iscsi
│ ├── iscsid
│ ├── killall
│ ├── lvm2-lvmetad
│ ├── lvm2-monitor
│ ├── mdmonitor
│ ├── multipathd
│ ├── netconsole
│ ├── netfs
│ ├── network
│ ├── ntpdate
│ ├── postfix
│ ├── rdisc
│ ├── restorecond
│ ├── rsyslog
│ ├── salt-minion
│ ├── sandbox
│ ├── saslauthd
│ ├── single
│ ├── sshd
│ ├── udev-post
│ └── zabbix_agentd
├── messages
└── tmp
├── hsperfdata_root
│ └── 1642
├── supervisord.log
├── supervisord.pid
├── yum_save_tx-2019-12-18-18-23SyM6FG.yumtx
└── zabbix_agentd.log
3 directories, 35 files
查看所有文件已经恢复到当前目录的RECOVERED_FILES下面了.
至此,被删除的文件就恢复完成了.
恢复单个文件
extundelete /dev/sdb —restore-file /messages
恢复某个目录
extundelete /dev/sdb /tmp/hsperfdata_root
恢复指定inode
extundelete /dev/sdb —restore-inode 6815745
若有收获,就点个赞吧
0 人点赞
