linux删除文件时其实删的是文件名,数据还是存储在硬盘中的。在误删除文件后不做其他操作(比如创建新的文件),然后用umount卸载掉存储该数据的硬盘,再进行恢复操作,可以通过一些工具来恢复被误删的文件,以extundelete文件恢复工具为例:
extundelete是文件恢复工具,支持ext3/ext4双格式分区恢复。
extundelete工具的下载地址:https://sourceforge.net/projects/extundelete/
安装extundelete工具前先安装依赖包:yum install e2fsprogs* -y
rz -y(从windows中下载extundelete软件包)
tar jxf extundelete-0.2.4.tar.bz2
cd extundelete-0.2.4.tar.bz2
./confgiure
make
make install
此时extundelete工具已经安装好了。下面我们模拟恢复误删文件。
首先添加一块测试的硬盘
然后开机查看一下硬盘是否成功加载到系统中
创建ext4文件系统并挂载到/data中:
mkfs -t ext4 /dev/sdb
mkdir /data
mount /dev/sdb /data/
向/data目录写入数据
删除/data中的数据rm -rf /data/*
卸载硬盘umount /data/并用extundelete /dev/sdb --inode 2查看可恢复文件
[root@liuhui ~]# umount /data/
[root@liuhui ~]# extundelete /dev/sdb --inode 2
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 160 groups loaded.
Group: 0
Contents of inode 2:
0000 | ed 41 00 00 00 10 00 00 28 6a 9c 5b 24 6a 9c 5b | .A......(j.[$j.[
0010 | 24 6a 9c 5b 00 00 00 00 00 00 02 00 08 00 00 00 | $j.[............
0020 | 00 00 00 00 05 00 00 00 21 24 00 00 00 00 00 00 | ........!$......
0030 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0040 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0050 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0060 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0070 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0080 | 1c 00 00 00 68 dc ee 16 68 dc ee 16 44 83 ba de | ....h...h...D...
0090 | 9a 68 9c 5b 00 00 00 00 00 00 00 00 00 00 00 00 | .h.[............
00a0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00b0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00c0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00d0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00e0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00f0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
Inode is Allocated
File mode: 16877
Low 16 bits of Owner Uid: 0
Size in bytes: 4096
Access time: 1536977448
Creation time: 1536977444
Modification time: 1536977444
Deletion Time: 0
Low 16 bits of Group Id: 0
Links count: 2
Blocks count: 8
File flags: 0
File version (for NFS): 0
File ACL: 0
Directory ACL: 0
Fragment address: 0
Direct blocks: 9249, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
Indirect block: 0
Double indirect block: 0
Triple indirect block: 0
File name | Inode number | Deleted status
. 2
.. 2
lost+found 11 Deleted
passwd 12 Deleted
test 262145 Deleted
检测到被删除的文件又三个
开始恢复数据。
注意:恢复过程不要在误删分区进行,谨防inode.block块相互覆盖
以恢复/data/passwd为例:extundelete /dev/sdb --restore-file passwd
恢复成功后会在当前目录下生成一个RECOVERED_FILES目录,在这个目录里就可以看到被误删后得到恢复的文件
也可以用inode恢复passwd文件,从上extundelete /dev/sdb --inode 2执行结果可 知passwd的inode为12
注:用inode恢复后的文件名会跟之前的文件名不一样
用md5sum校验RECOVERED_FILES/file.12是否跟源配置文件/etc/passwd相同
结果是一样的。证明已经恢复成功了
恢复/data中的全部文件用:extundelete /dev/sdb --restore-all这个命令