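extundelete: a tool for recovering deleted files or directories on ext3/ext4 file systems
Options:
--after dtime Only process entries deleted on or after 'dtime'.
--before dtime Only process entries deleted before 'dtime'.
(dtime is given in seconds)
--restore-inode ino Restore by the specified inode; use ls -i to look up a file's inode number
--restore-file 'path' Restore the specified file
--restore-files 'path'
--restore-directory 'path'
--restore-all Restore everything; when recovery finishes, the recovered files are in the RECOVERED_FILES directory created under the current directory
Installation
Note: before installing extundelete, make sure that e2fsprogs and e2fslibs are installed (the e2fsprogs version must be 1.41 or higher; you can check the version by running dumpe2fs).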
$ bunzip2 extundelete-0.2.0.tar.bz2
$ tar xvf extundelete-0.2.0.tar
$ cd extundelete-0.2.0
$ ./configure
Configuring extundelete 0.2.4
configure: error: Can't find ext2fs library
If this error appears, the ext2fs library is missing. The fix:
$ yum install -y e2fsprogs*
Using extundelete
$ mkdir /backup
$ mount /dev/sdb1 /backup/
$ cd /backup/
$ mkdir gnu
$ cd gnu/
$ man man >file1.txt
$ man man >file2.txt
$ mkdir folder1
$ cd folder1/
$ man man >file1.txt
$ cd ..
$ tree
.
|-- file1.txt
|-- file2.txt
`-- folder1
    `-- file1.txt

1 directory, 3 files
$ rm -rf /backup/gnu/
$ umount /backup/
or
$ mount -o remount,ro /backup
Unmount the partition that holds the files to be recovered, or remount it read-only, so that the deleted data is not overwritten.
$ extundelete /dev/sdb1 --restore-all
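At this point, the blocks of deleted files on /dev/sdb1 that have not yet been reused can be recovered; if a block has already been reused, this method no longer works. extundelete then creates a RECOVERED_FILES directory under the current directory, which contains the files and directories it recovered (in my own attempt at recovering a directory, I found that some files in the recovered directory may be missing and cannot be recovered, possibly because their blocks had been reused).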
$ pwd
/lianxi/RECOVERED_FILES/gnu
$ tree
.
|-- file1.txt
|-- file2.txt
`-- folder1
    `-- file1.txt

1 directory, 3 files
P.S.: if the partition has not been unmounted
$ extundelete /dev/sdb1 --restore-all
NOTICE: Extended attributes are not restored.
WARNING: EXT3_FEATURE_INCOMPAT_RECOVER is set.
The partition should be unmounted to undelete any files without further data loss.
If the partition is not currently mounted, this message indicates
it was improperly unmounted, and you should run fsck before continuing.
If you decide to continue, extundelete may overwrite some of the deleted
files and make recovering those files impossible. You should unmount the
file system and check it with fsck before using extundelete.
Would you like to continue? (y/n)
y (entering y also succeeds, even though the partition has not been unmounted)
Loading filesystem metadata ... 5 groups loaded.
Loading journal descriptors ... 48 descriptors loaded.
Searching for recoverable inodes in directory / ...
4 recoverable inodes found.
Looking through the directory structure for deleted files ...
0 recoverable inodes still lost.
$ df -Th
文件系统 类型 容量 已用 可用 已用%% 挂载点
/dev/mapper/VolGroup-lv_root
ext4 16G 11G 4.4G 70% /
tmpfs tmpfs 432M 260K 431M 1% /dev/shm
/dev/sda1 ext4 485M 54M 406M 12% /boot
/dev/sr0 iso9660 3.5G 3.5G 0 100% /media/RHEL_6.4 x86_64 Disc 1
/dev/sr0 iso9660 3.5G 3.5G 0 100% /iso
/dev/sdb1 ext4 38M 4.5M 32M 13% /backup
[root@localhost lianxi]# ls
RECOVERED_FILES
[root@localhost lianxi]# tree
.
`-- RECOVERED_FILES
    `-- gnu
        |-- file1.txt
        `-- folder1
            `-- file1.txt

3 directories, 2 files
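The unmount-or-read-only precaution and the seconds-based dtime options described above can be checked before extundelete is started. The script below is an added example, not part of the original post; the function names, the sample mount lines and the sample date are constructed, and it assumes dtime is counted in seconds since the Unix epoch.

```shell
#!/bin/sh
# Added example: pre-flight checks before running extundelete.
# Function names and sample mount lines are constructed, not from the post.

# mount_state DEVICE MOUNTS_FILE: print "rw", "ro" or "unmounted" for DEVICE,
# reading lines in /proc/mounts format (device mountpoint fstype options ...).
mount_state() {
    dev=$1
    state=unmounted
    while read -r src _mnt _type opts _rest; do
        [ "$src" = "$dev" ] || continue
        case ",$opts," in
            *,rw,*) state=rw ;;                      # any read-write mount wins
            *,ro,*) [ "$state" = rw ] || state=ro ;;
        esac
    done < "$2"
    echo "$state"
}

# to_epoch 'YYYY-MM-DD hh:mm:ss': convert a timestamp to seconds since the epoch,
# assumed here to be the unit --after/--before expect for dtime.
to_epoch() {
    date -d "$1" +%s
}

# plan_restore DEVICE AFTER_TIME MOUNTS_FILE: print the extundelete command line,
# or return 1 if DEVICE is still mounted read-write.
plan_restore() {
    if [ "$(mount_state "$1" "$3")" = rw ]; then
        echo "refusing: $1 is mounted read-write; umount or remount,ro first" >&2
        return 1
    fi
    echo "extundelete $1 --after $(to_epoch "$2") --restore-all"
}

# Demo on constructed data (device and mount point taken from the post).
demo=$(mktemp)
echo '/dev/sdb1 /backup ext4 rw,relatime 0 0' > "$demo"
plan_restore /dev/sdb1 '2014-01-01 00:00:00' "$demo" || echo "blocked: still rw"
echo '/dev/sdb1 /backup ext4 ro,relatime 0 0' > "$demo"
plan_restore /dev/sdb1 '2014-01-01 00:00:00' "$demo"
rm -f "$demo"
```

On a live system, pass /proc/mounts as the third argument so the check reflects the current mount table.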
This article comes from the “爱武装一辈子” blog; please be sure to keep this source: http://menglinux.blog.51cto.com/8733806/1434969