1. Description of the virtual machine fault environment
The customer's physical machine operating system is Linux system, and the file system is EXT4 file system. The KVM virtual machines on it are deleted. Each virtual machine contains a disk file in qcow2 format and a disk file in raw format with a size of about 1.2T. It is mainly necessary to restore the disk file in raw format. Customers have backed up themselves.
Virtual machine 1: Main database server
Virtual disk: 10G system disk (qcow2) + 1.2T data disk (raw, main recovery)
File system: EXT4
Main data: MySQL database
Virtual machine 2: Backup database server
Virtual disk: 10G system disk (qcow2) + 1.2T data disk (raw, main recovery)
File system: EXT4
Main data: MySQL database
Virtual machine 3: code server
virtual machine disk: 10G system disk (qcow2) + 1.2T data disk (raw, main recovery)
File system: EXT4
Main data: program code
2. Virtual machine data recovery process
1. Analyze the EXT4 file system and locate the node position of the deleted virtual machine disk file;
2. Obtain the residual index information of the disk file;
3. Verify the correctness of the residual index information, and repair the damage is not serious The
picture shows the obtained index and other information: 
Screenshot of the virtual machine data recovery case 1
4. After the repair is completed, parse the remaining indexes at all levels, and extract the virtual disk file from the volume where the virtual machine is located;
5. According to the virtual disk file
6. Verify the correctness and integrity of the extracted disk files; 7. Obtain
valid information from the free space, and try to patch the virtual disk files (such as node , directory entries, database pages, etc.).
The picture shows the extracted free space: 
screenshot of the virtual machine data recovery case 2
3. Data recovery results
1. Due to the loss of the index, the extracted virtual disk file is not complete. For the database server, if the database file is lost, it can be recovered from the free space. The database page is obtained from the space to patch the database file, but because the area where some pages are located is covered and occupied, only as many pages can be patched as possible;
2. For the loss of nodes and directory items in the server where the program code is stored, if There are residual nodes or directory items, you can try to complete the nodes and directory items. However, it is found that the nodes and directory entries of some files are lost at the same time. According to the characteristics associated with the nodes and directory entries, it cannot be filled in this case. In addition, according to the characteristics of the program code file, it does not have certain regularity. If the data area is lost, it cannot be filled.
The picture shows part of the recovered directory structure: screenshot of virtual machine data 
recovery case 3 screenshot of 
virtual machine data recovery case 4
4. Data verification
The data is validated by the customer after as much attempt as possible to patch the virtual disk files and the database files within them. Part of the data is lost and cannot be recovered, but the whole is acceptable and the data recovery is effective.