linux 文件恢复原理,Linux 恢复删除的文件

说明

Linux系统下使用rm命令删除的文件，如果没有备份，想要找回需要借助一些第三方工具(系统自带debugfs不适用于ext4磁盘)。

原理是读取journal日志来恢复，若journal日志被删除或覆盖，可能导致恢复失败。

debugfs

使用于ext2/ext3，不适用于ext4。此处不作过多介绍。

extundelete

安装

Ubuntu

apt-get install extundelete

CentOS

yum install extundelete

查看磁盘信息

root@root:/etc/init.d# df -Th

Filesystem Type Size Used Avail Use% Mounted on

udev devtmpfs 484M 4.0K 484M 1% /dev

tmpfs tmpfs 100M 372K 99M 1% /run

/dev/vda1 ext4 40G 9.8G 28G 27% /

none tmpfs 4.0K 0 4.0K 0% /sys/fs/cgroup

none tmpfs 5.0M 0 5.0M 0% /run/lock

none tmpfs 497M 0 497M 0% /run/shm

none tmpfs 100M 0 100M 0% /run/user

查看文件或文件夹节点

root@root:/etc/init.d# ls -id /etc/init.d/

1048838 /etc/init.d/

查看指定磁盘的指定节点下是否有文件删除

extundelete /dev/vda1 --inode 1048838

输出：

WARNING: Extended attributes are not restored.

WARNING: EXT3_FEATURE_INCOMPAT_RECOVER is set.

The partition should be unmounted to undelete any files without further data loss.

If the partition is not currently mounted, this message indicates

it was improperly unmounted, and you should run fsck before continuing.

If you decide to continue, extundelete may overwrite some of the deleted

files and make recovering those files impossible. You should unmount the

file system and check it with fsck before using extundelete.

Would you like to continue? (y/n)

y

Loading filesystem metadata ... 320 groups loaded.

Contents of inode 1048838:

0000 | ed 41 00 00 00 10 00 00 e3 be 78 5d d2 bb 78 5d | .A........x]..x]

0010 | d2 bb 78 5d 00 00 00 00 00 00 02 00 08 00 00 00 | ..x]............

0020 | 00 00 08 00 97 00 00 00 0a f3 01 00 04 00 00 00 | ................

0030 | 00 00 00 00 00 00 00 00 01 00 00 00 44 20 40 00 | ............D @.

0040 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................

0050 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................

0060 | 00 00 00 00 09 78 b4 23 00 00 00 00 00 00 00 00 | .....x.#........

0070 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................

0080 | 00 00 00 00 00 00 00 00 11 10 00 00 00 00 00 00 | ................

0090 | a4 81 00 00 49 01 00 00 4a 2e 74 5d 8a ca 9e 59 | ....I...J.t]...Y

00a0 | 8e 65 48 53 00 00 00 00 00 00 01 00 08 00 00 00 | .eHS............

00b0 | 00 00 08 00 01 00 00 00 0a f3 01 00 04 00 00 00 | ................

00c0 | 00 00 00 00 00 00 00 00 01 00 00 00 b1 80 40 00 | ..............@.

00d0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................

00e0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................

00f0 | 00 00 00 00 04 78 b4 23 00 00 00 00 00 00 00 00 | .....x.#........

Inode is Allocated

Group: 128

File mode: 16877

Low 16 bits of Owner Uid: 0

Size in bytes: 4096

Access time: 1568194275

Creation time: 1568193490

Modification time: 1568193490

Deletion Time: 0

Low 16 bits of Group Id: 0

Links count: 2

Blocks count: 8

File flags: 524288

File version (for NFS): 599029769

File ACL: 0

Directory ACL: 0

Fragment address: 0

Direct blocks: 127754, 4, 0, 0, 1, 4202564, 0, 0, 0, 0, 0, 0

Indirect block: 0

Double indirect block: 0

Triple indirect block: 0

File name | Inode number | Deleted status

Directory block 4202564:

. 1048838

.. 1048577

.legacy-bootordering 1048839

ecs_mq-service 1069072

RECOVERED_FILES 1441808 Deleted

unattended-upgrades 1069084

x11-common 1069363

mysql 1060813 Deleted

redis-server 1063518

php7.2-fpm 1063474

nginx-debug.dpkg-new 1063779 Deleted

nscd.dpkg-new 1061182 Deleted

根据节点号恢复

恢复的文件在当前目录下的RECOVERED_FILES文件夹里。

root@root:/php# extundelete /dev/vda1 --restore-inode 1060813

输出：

WARNING: Extended attributes are not restored.

WARNING: EXT3_FEATURE_INCOMPAT_RECOVER is set.

The partition should be unmounted to undelete any files without further data loss.

If the partition is not currently mounted, this message indicates

it was improperly unmounted, and you should run fsck before continuing.

If you decide to continue, extundelete may overwrite some of the deleted

files and make recovering those files impossible. You should unmount the

file system and check it with fsck before using extundelete.

Would you like to continue? (y/n)

y

Loading filesystem metadata ... 320 groups loaded.

Loading journal descriptors ... 29796 descriptors loaded.

Restored inode 1060813 to file RECOVERED_FILES/file.1060813

字符终端工具 testdisk 和 phtorec

photorec是testdisk的伴侣程序，安装testdisk后photorec就可以使用了

Ubuntu

apt-get install testdisk

CentOS

yum install testdisk

testdisk no harddisk found stackoverflow

解决办法：指定磁盘。(photorec同理)

testdisk /dev/vda1

注意

testdisk与photorec恢复全部已删除的文件。对于只想恢复对应文件的，推荐使用extundelete。

参考