Shulou(Shulou.com)06/03 Report--

Today, the editor shares with you the recovery method after linux mistakenly deleted files. I believe many people do not know much about it. In order to let you know more about the recovery method after linux mistakenly deleted files, I summarized the following contents for you. Let's look down together. I'm sure you'll get something.

Unlike windows, which has a recycle bin, linux uses rm-rf * basically no files can be found.

So here's the problem:

Is it really impossible for us to recover the files mistakenly deleted under linux through the software?

Of course, the answer is no, for mistakenly deleted files, we can still recover through the software. There are two ways to restore files that are mistakenly deleted:

One is to delete information in the process after deletion.

One is that the process cannot be found after deletion, and can only be restored with the help of a tool.

Next, we use examples to illustrate two different ways to restore erroneous deletions:

Case where the process of mistakenly deleting a file is still there:

This is generally an active process with continuous standard input or output, when the file is deleted, the process PID still exists. This is why some servers delete some files but do not release the disk.

Open a terminal to append a test file with cat:

[root@docking] # echo "This is DeleteFile test." > deletefile.txt [root@docking ~] # lsdeletefile.txt [root@docking ~] # cat > > deletefile.txt Add SomeLine into deletefile for fun.

Open another terminal to view this file and you can see the contents clearly:

[root@docking] # lsdeletefile.txt [root@docking ~] # cat deletefile.txt This is DeleteFile test.Add SomeLine into deletefile for fun.

At this point, delete the file rm-f deletefile.txt

The [root@docking ~] # rm-f deletefile.txt [root@docking ~] # ls# command looks at this directory and the file no longer exists, so let's restore it now.

Lsof checks to see if the deleted file process still exists.

If it is not installed, please use your own yum install lsof or apt-get install lsof

1. In a case like this, we can first lsof to see if the deleted file is still there.

[root@docking ~] # lsof | grep deletefilecat 21796 root 1w REG 253 1.63 138860 / root/deletefile.txt (deleted)

2. Restore cp / proc/pid/fd/1 / specify directory / file name

Enter the process directory and generally enter / proc/pid/fd/, according to the current situation:

[root@docking ~] # cd / proc/21796/fd [root@docking fd] # ll Total usage 0lrwx-1 root root 64 January 18 22:21 0-> / dev/pts/0l-wx- 1 root root 64 January 18 22:21 1-> root/deletefile.txt (deleted) lrwx- 1 root root 1 root root 64 January 18 22:21 2-> / dev/pts/0

Restore operation:

[root@docking fd] # cp 1 ~ / deletefile.txt.backup [root@docking fd] # cat ~ / deletefile.txt.backup This is DeleteFile test.Add SomeLine into deletefile for fun.

3. The recovery is complete.

The process of mistakenly deleted files no longer exists. Restore with the help of tools.

Prepare some file directories

# prepare a mounted disk mkdir backuptestcd backuptestmkdir deletetestmkdir deletetest/innerfolderecho "Delete a folder test." > deletetest/innerfolder/deletefile.txt echo "tcpdump:x:172:72::/:/sbin/nologin" > tmppasswd

The final prepared directory structure is as follows:

Taroballs@taroballs-PC:/media/taroballs/taroballs/backuptest$ cd.. taroballs@taroballs-PC:/media/taroballs/taroballs$ tree backuptest/backuptest/ ├── deletetest │ └── innerfolder │ └── deletefile.txt └── tmppasswd2 directories, 2 files

Now start deleting the directory rm-rf backuptest/

Total dosage of taroballs@taroballs-PC:/media/taroballs/taroballs$ rm-rf backuptest/taroballs@taroballs-PC:/media/taroballs/taroballs$ ls- l 0

In this case, there is usually no daemon or continuous input by the background process, so the deletion is really deleted. Lsof can't see it either, so you need to use a tool for recovery.

Now start the recovery of mistakenly deleted files.

The tool we use is the extundelete third-party tool. The recovery steps and considerations are as follows:

Stop doing anything on the current partition to prevent inode from being overwritten. Inode was overwritten and basically said goodbye to recovery.

To exaggerate, for example, stop the service of the partition, uninstall the device where the directory is located, and disconnect the network if necessary.

Backup the current partition through the dd command to prevent data loss caused by the failure of third-party software recovery.

Suitable for situations where data is very important, here is an example, so there is no backup. For example, backup can be considered in the following ways: dd if=/path/filename of=/dev/vdc1

Uninstall the current device partition through the umount command. Or the fuser command umount / dev/vdb1

If you prompt the device busy, you can use the fuser command to force uninstall: fuser-m-v-I-k. /

Download the third-party tool extundelete installation, search for mistakenly deleted files to restore

Extundelete tool installation

Extundelete download address: http://extundelete.sourceforge.net/

Wget https://nchc.dl.sourceforge.net/project/extundelete/extundelete/0.2.4/extundelete-0.2.4.tar.bz2

Extract the file tar jxvf extundelete-0.2.4.tar.bz2

If you report this kind of error

[root@docking ~] # tar jxvf extundelete-0.2.4.tar.bz2 tar (child): bzip2: cannot exec: does not have that file or directory tar (child): Error is not recoverable: exiting nowtar: Child returned status 2tar: Error is not recoverable: exiting now

Then use yum-y install bzip2 to solve the problem

[root@docking ~] # tar jxvf extundelete-0.2.4.tar.bz2 extundelete-0.2.4/extundelete-0.2.4/acinclude.m4extundelete-0.2.4/missingextundelete-0.2.4/autogen.shextundelete-0.2.4/aclocal.m4extundelete-0.2.4/configureextundelete-0.2.4/LICENSEextundelete-0.2.4/README.. .. cd extundelete-0.2.4./configure

If this step is wrong

[root@docking extundelete-0.2.4] #. / configure Configuring extundelete 0.2.4configure: error: in `/ root/extundelete-0.2.4':configure: error: C++ compiler cannot create executablesSee `config.log' for more details

Then use yum-y install gcc-c++ to solve.

If you still report an error if you perform the previous step

[root@docking extundelete-0.2.4] #. / configure Configuring extundelete 0.2.4configure: error: Can't find ext2fs library

Then use yum-y install e2fsprogs e2fsprogs-devel to solve the problem.

# the solution to Ubuntu is sudo apt-get install e2fslibs-dev e2fslibs-dev

If nothing happens, configure should be able to finish it here.

[root@docking extundelete-0.2.4] #. / configure Configuring extundelete 0.2.4Writing generated files to disk [root@docking extundelete-0.2.4] #

Finally, make, then make install.

[root@docking extundelete-0.2.4] # makemake-s all-recursiveMaking all in srcextundelete.cc: in the function 'ext2_ino_t find_inode (ext2_filsys, ext2_filsys, ext2_inode*, std::string, int)': extundelete.cc:1272:29: warning: convert 'search_flags' from' int' to narrower type 'ext2_ino_t {aka unsigned int}' [- Wnarrowing] buf, match_name2, priv, 0} within {} ^ [root@docking extundelete-0.2.4] # make installMaking install in src / usr/bin/install-c extundelete'/ usr/local/bin'

Extundelete installation completed.

Scan for mistakenly deleted files:

Use df-lh to view the mount:

Taroballs@taroballs-PC:~$ df-lh file system capacity used available mount point udev 1.9G 0.1.9g 0% / devtmpfs 387M 1.8m 385m 1% / run/dev/sda2 92G 61G 26G 71% / tmpfs 1.9G 49M 1.9G 3% / dev/shmtmpfs 5.0M 4. 0K 5.0M1% / run/locktmpfs 1.9G 01.9G 0% / sys/fs/cgroup/dev/sda3 104G 56G 44G 57% / hometmpfs 387M 40K 387M 1% / run/user/1000/dev/sda4 70G 20G 47G 30% / media/taroballs/d8423f8c-d687-4c03-a7c8-06a7fb57f96d/dev/sdb1 6.8G 4.1G 2.8g 60% / media/taroballs/taroballs/dev/sr0 4.0G 4.0G 0100% / media/taroballs/2018-01-16-12-36-00-00taroballsAfter $cd / media/taroballs/taroballs/taroballs@taroballs-PC:/media/taroballs/taroballs$

As you can see, our directory / media/taroballs/taroballs

Mount to the file system / dev/sdb1.

Umount our mount disk

For example:

Taroballs@taroballs-PC:~$ df-lh | grep / dev/sdb1/dev/sdb1 6.8g 4.1g 2.8g 60% / media/taroballs/taroballs

Umount this directory

Taroballs@taroballs-PC:~$ umount / media/taroballs/taroballstaroballs@taroballs-PC:~$ df-lh | grep / dev/sdb1taroballs@taroballs-PC:~$ # remember to umount after deletion, otherwise no one can help you with the second write.

Restore through inode nod

Taroballs@taroballs-PC:~$ mkdir recovertesttaroballs@taroballs-PC:~$ cd recovertest/taroballs@taroballs-PC:~/recovertest$

Perform recovery extundelete / dev/sdb1-- inode 2

Taroballs@taroballs-PC:/media/taroballs/taroballs$ sudo extundelete / dev/sdb1-- inode 2NOTICE: Extended attributes are not restored.Loading filesystem metadata... 8 groups loaded.Group: 0Contents of inode 2:.. Omit N line File name | Inode number | Deleted status. 2.. 2deletetest 12 Deletedtmppasswd 14 Deleted

The folder we deleted was found through the scan, and the restore operation is now performed.

(1) restore a single file tmppasswd

Taroballs@taroballs-PC:~/recovertest$ extundelete / dev/sdb1-- restore-file passwd NOTICE: Extended attributes are not restored.Loading filesystem metadata. 8 groups loaded.Loading journal descriptors. 46 descriptors loaded.Successfully restored file tmppasswd

The recovery file is placed in the current directory RECOVERED_FILES.

View the recovered files:

Taroballs@taroballs-PC:~/recovertest$ cat tmppasswd tcpdump:x:172:72::/:/sbin/nologin

(2) restore directory deletetest

Extundelete / dev/sdb1-- restore-directory deletetestNOTICE: Extended attributes are not restored.Loading filesystem metadata... 8 groups loaded.Loading journal descriptors... 46 descriptors loaded.Searching for recoverable inodes in directory deletetest... 5 recoverable inodes found.Looking through the directory structure for deleted files...

(3) restore all

Taroballs@taroballs-PC:~/recovertest$ extundelete / dev/sdb1-- restore-allNOTICE: Extended attributes are not restored.Loading filesystem metadata... 8 groups loaded.Loading journal descriptors... 46 descriptors loaded.Searching for recoverable inodes in directory /... 5 recoverable inodes found.Looking through the directory structure for deleted files... 0 recoverable inodes still lost. Taroballs@taroballs-PC:~/recovertest$ tree backuptest/ ├── deletetest │ └── innerfolder │ └── deletefile.txt └── tmppasswd2 directories, 2 files

(4) restore the specified inode

Taroballs@taroballs-PC:~/recovertest$ extundelete / dev/sdb1-- restore-inode 14NOTICE: Extended attributes are not restored.Loading filesystem metadata. 8 groups loaded.Loading journal descriptors. 46 descriptors loaded.taroballs@taroballs-PC:~/recovertest$ cat file.14 tcpdump:x:172:72::/:/sbin/nologin# Note: when restoring inode, the recovered file name is different from that before, and needs to be renamed separately.

Finally, the usage of extundelete is attached:

Extundelete-- helpUsage: extundelete [options] [- -] device-fileOptions:-- version,-[vV] Print version and exit successfully. -- help, Print this help and exit successfully. -- superblock Print contents of superblock in addition to the rest. If no action is specified then this option is implied. -- journal Show content of journal. -- after dtime Only process entries deleted on or after 'dtime'. -- before dtime Only process entries deleted before 'dtime'.Actions:-- inode ino Show info on inode' ino'. -- block blk Show info on block 'blk'. -- restore-inode ino [, ino,...] Restore the file (s) with known inode number 'ino'. The restored files are created in. / RECOVERED_FILES with their inode number as extension (ie, file.12345). -- restore-file 'path' Will restore file' path'. 'path' is relative to root of the partition and does not start with a' / 'The restored file is created in the current directory as' RECOVERED_FILES/path'. -- restore-files' path' Will restore files which are listed in the file 'path'. Each filename should be in the same format as an option to-restore-file, and there should be one per line. -- restore-directory 'path' Will restore directory' path'. 'path' is relative to the root directory of the file system. The restored directory is created in the output directory as' path'. -- restore-all Attempts to restore everything. -j journal Reads an external journal from the named file. -b blocknumber Uses the backup superblock at blocknumber when opening the file system. -B blocksize Uses blocksize as the blocksize when opening the file system. The number should be the number of bytes. -- log 0 Make the program silent. -- log filename Logs all messages to filename.--log D1 filename Custom control of log messages with comma-separated Examples below: list of options. Dn must be one of info, warn, or-log info,error error. Omission of the'= name' results in messages-- log warn=0 with the specified level to be logged to the console. -- log error=filename If the parameter is'= zero, logging for the specified level will be turned off. If the parameter is'= filename', messages with that level will be written to filename. -o directory Save the recovered files to the named directory. The restored files are created in a directory named 'RECOVERED_FILES/' by default.

On the linux mistakenly deleted files after the recovery method is shared here, I hope that the above content can have a certain reference value, you can learn to apply. If you like this article, you might as well share it for more people to see.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.