How to recover deleted files under CentOS system

2025-02-28 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article explains how to recover deleted files on a CentOS system. Many people run into this situation in practice, so the methods tried in one real case are walked through below.

Background description: today a colleague was updating the website over FTP: he renamed the original folder as a backup and then uploaded the files. After the upload, he tested that the website could be visited and deleted the backup (brain cramp). It then turned out that the most important picture folder, which was in the backup, had been deleted, while only the program files had been uploaded, so all the pictures were lost.

The method of recovery is as follows:

1. Try method 1: debugfs

With the debugfs tool, you can see the list of deleted files, but there is no way to recover files in batches (there are more than 10,000 missing files). Maybe my method is wrong. Individual files can easily be recovered with debugfs.

Most Linux distributions provide a debugfs tool that you can use to edit the Ext3 file system. However, there is still some work to be done before using this tool.

First, remount the partition where the file was mistakenly deleted as read-only. Use the following command (assuming the file is on the /usr partition):

The code is as follows:

mount -r -n -o remount /usr

-r mounts read-only; -n means do not write /etc/mtab, so add this parameter if you are restoring files on /etc. If the system reports that the partition is busy, use the fuser command to see which processes are using files on this partition:

The code is as follows:

fuser -v -m /usr

If none of them are important, stop them with the following command:

The code is as follows:

fuser -k -v -m /usr

These file systems can then be remounted.

If everything is installed in one large / partition, you can enter linux single at the boot prompt to boot into single-user mode, which minimizes the chance of system processes writing data to the hard disk, or simply attach the hard drive to another machine. In addition, the recovered data must not be written to /, to avoid destroying useful data. If the machine also has DOS/Windows partitions, you can write to one of them:

The code is as follows:

mount -n /dev/hda1 /mnt/hda

Then you can run debugfs (assuming Linux is on /dev/hda5):

The code is as follows:

# debugfs /dev/hda5

The debugfs prompt "debugfs:" appears.

Use the lsdel command to list information about the deleted files:

debugfs: lsdel
debugfs: 2692 deleted inodes found.
 Inode  Owner  Mode    Size    Blocks   Time deleted
164821      0  100600    8192    1/   1  Sun May 13 19:22:46 2001
...
 36137      0  100644       4    1/   1  Tue Apr 24 10:11:15 2001
196829      0  100644  149500   38/  38  Mon May 27 13:52:04 2001
debugfs:

Many files are listed (2692 found here). The first field is the inode number, the second is the file owner, and the third is the file mode (type and permissions), followed by the file size, the number of blocks occupied, and the deletion time. You can then judge which entries you need from the file size and the deletion date. For example, suppose we want to restore the file with inode 196829.

You can first look at the status of the inode:

The code is as follows:

debugfs: stat <196829>
Inode: 196829 Type: regular Mode: 0644 Flags: 0x0 Version: 1
User: 0 Group: 0 Size: 149500
File ACL: 0 Directory ACL: 0
Links: 0 Blockcount: 38
Fragment: Address: 0 Number: 0 Size: 0
ctime: 0x31a9a574 -- Mon May 27 13:52:04 2001
atime: 0x31a21dd1 -- Tue May 21 20:47:29 2001
mtime: 0x313bf4d7 -- Tue Mar 5 08:01:27 2001
dtime: 0x31a9a574 -- Mon May 27 13:52:04 2001
BLOCKS:
594810 594811 594814 594815 594816 594817 ...
TOTAL: 38

You can then restore the file with the dump command:

The code is as follows:

debugfs: dump <196829> /mnt/hda/01.sav

The file is now restored. Exit debugfs:

The code is as follows:

debugfs: quit
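For the batch case mentioned at the start of this method, the lsdel listing can be turned into a command file that debugfs runs with its -f option. The following is an added example, not part of the original article; the function name lsdel_to_dump, the output directory and the filter values are assumptions, and the sample listing is constructed in the format shown above.

```shell
#!/bin/sh
# Turn "lsdel" output into one "dump" request per deleted inode.
# Intended workflow (device and paths as assumed in the article):
#   debugfs -R lsdel /dev/hda5 > lsdel.txt
#   lsdel_to_dump /mnt/hda/recovered 1 2001 < lsdel.txt > dump.cmds
#   debugfs -f dump.cmds /dev/hda5
# $1 = output directory on ANOTHER file system
# $2 = minimum size in bytes (default 1), $3 = earliest deletion year (default 0)
lsdel_to_dump() {
    outdir=$1 min_size=${2:-1} since_year=${3:-0}
    awk -v out="$outdir" -v min="$min_size" -v yr="$since_year" '
        # Data rows have a numeric inode in field 1 and a numeric size in
        # field 4; the prompt, header and summary lines do not.
        $1 ~ /^[0-9]+$/ && $4 ~ /^[0-9]+$/ {
            if ($4 + 0 < min + 0) next     # skip empty or tiny inodes
            if ($NF + 0 < yr + 0) next     # skip deletions before the incident
            # -p keeps owner, mode and timestamps; names are gone, so the
            # inode number becomes the file name.
            printf "dump -p <%s> %s/inode_%s\n", $1, out, $1
        }'
}

# Constructed sample listing (same columns as the lsdel output above).
SAMPLE_LSDEL='debugfs: lsdel
 Inode  Owner  Mode    Size    Blocks   Time deleted
164821      0  100600    8192    1/   1  Sun May 13 19:22:46 2001
 36137      0  100644       4    1/   1  Tue Apr 24 10:11:15 2001
196829      0  100644  149500   38/  38  Mon May 27 13:52:04 2001
3 deleted inodes found.'

# Demo: keep inodes of at least 100 bytes deleted in 2001 or later.
printf '%s\n' "$SAMPLE_LSDEL" | lsdel_to_dump /mnt/hda/recovered 100 2001
```

The original file names are not recoverable this way; the dumped files have to be identified by content afterwards.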

Another way is to edit the inode manually. mi writes to the file system, so debugfs must have been started with the -w option for this:

The code is as follows:

debugfs: mi <196829>
Mode [0100644]
User ID [0]
Group ID [0]
Size [149500]
Creation time [0x31a9a574]
Modification time [0x31a9a574]
Access time [0x31a21dd1]
Deletion time [0x31a9a574] 0
Link count [0] 1
Block count [38]
File flags [0x0]
Reserved1 [0]
File acl [0]
Directory acl [0]
Fragment address [0]
Fragment number [0]
Fragment size [0]
Direct Block #0 [594810]
...
Triple Indirect Block [0]

With the mi command, one field is displayed for editing at a time. Change Deletion time to 0 (not deleted) and Link count to 1, and confirm every other field by pressing Enter. Exit debugfs after the modification:

The code is as follows:

debugfs: quit

Then check /dev/hda5 with fsck:

The code is as follows:

fsck /dev/hda5

The program will report that it has found the missing data blocks and put them in lost+found.

In addition, debugfs is not suitable for restoring large files.

2. Try method 2: foremost

Foremost is very good software and very simple: one command restores all the pictures. But the file names are lost, and with so many pictures I did not find a good way to restore the names. As with debugfs above, this method works if it is a single file, or if you know the name of the file. However, this method does not work if the number of files is too large and the file names must be restored.

The basic usage is as follows:

Download, compile and install foremost:

The code is as follows:

[root@b2bapp1 ~]# wget http://foremost.sourceforge.net/pkg/foremost-1.5.7.tar.gz
[root@b2bapp1]# tar xf foremost-1.5.7.tar.gz -C /usr/src/
[root@b2bapp1 ~]# cd /usr/src/foremost-1.5.7/
[root@crushlinux foremost-1.5.7]# make && make install
[root@b2bapp1]# foremost -t png -i /dev/mapper/VolGroup-lv_root
Processing: /dev/mapper/VolGroup-lv_root

After the recovery is complete, an output directory will have been created in your current directory, and all recovered png files are in the png subdirectory under it. Because recovered data should not be written to the file system being recovered, run the command from a directory on another file system, or select the output location with foremost's -o option.

Note: the names of the recovered files have been changed; the audit.txt file in the output directory lists the successfully restored files.

3. Try method 3: extundelete

Finally I found a very good recovery tool on the Internet, extundelete, and with it I recovered most of the files (part of them had been overwritten and were lost). The method of operation is as follows:

Install the software:

Software download address: http://extundelete.sourceforge.net/

The code is as follows:

yum install e2fsprogs-devel libcom_err-devel -y
tar -jxf extundelete-0.2.4.tar.bz2
cd extundelete-0.2.4
./configure
make
make install

Perform the restore:

The code is as follows:

[root@b2bapp1 ~]# extundelete /dev/mapper/VolGroup-lv_root --restore-all

The above command restores all recently deleted files under the above partition. I recovered 99% of the files in this way, and a few were overwritten.

Other main uses of extundelete:

Recovery of a single file:

The code is as follows:

extundelete /dev/sdaX --restore-file /path/file

Directory recovery:

The code is as follows:

extundelete /dev/sdaX --restore-directory /path/dir

Lessons learned:

After the file is deleted, the recovery recommendations are as follows:

1. Stop all writes (the machine can be disconnected to prevent new external access); it is best to clone a copy of the disk with dd first. We lost some files because our colleague was in a hurry to recover them, and some of his operations resulted in data being overwritten.

2. If the deleted file is in use by a process, do not close the process; with the help of lsof the file can be found (because it is still in memory). There are many tutorials online for this recovery method.

3. Recover with appropriate tools.
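The open-file case in point 2 can be handled without any recovery tool, because the kernel keeps the inode allocated while a process still holds a descriptor on it. The following is an added example, not part of the original article; it reads /proc directly (the same information lsof displays), and the function name recover_open_deleted and its arguments are assumptions.

```shell
#!/bin/sh
# Copy out every deleted-but-still-open file whose original path starts with
# a given prefix. Linux only: /proc/<pid>/fd/<n> is a link whose target ends
# in " (deleted)" once the file has been unlinked.
# $1 = path prefix of the lost files, e.g. /var/www/html/images/
# $2 = destination directory, on a DIFFERENT file system
# Prints the number of descriptors copied. Run as root to see all processes.
recover_open_deleted() {
    prefix=$1 dest=$2 count=0
    mkdir -p "$dest"
    for fd in /proc/[0-9]*/fd/*; do
        # Processes may exit or be unreadable while we scan; skip those.
        target=$(readlink "$fd" 2>/dev/null) || continue
        case $target in
            "$prefix"*" (deleted)") ;;
            *) continue ;;
        esac
        path=${target%" (deleted)"}
        name=$(basename "$path")
        pid=${fd#/proc/}
        pid=${pid%%/*}
        # Opening the fd path reaches the inode itself, so the full content
        # is still readable. pid and fd number keep copies from colliding.
        if cp "$fd" "$dest/$pid.${fd##*/}.$name" 2>/dev/null; then
            count=$((count + 1))
        fi
    done
    echo "$count"
}

# Stand-alone use: sh recover.sh /var/www/html/images/ /mnt/rescue
if [ "$#" -eq 2 ]; then
    recover_open_deleted "$1" "$2"
fi
```

The holding process must stay alive until the copy has finished; once its last descriptor is closed, the blocks are released and only the methods above remain.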
