rm accidentally deleted file recovery

Problem Description
- Three parts of the file system
The process is still there after accidentally deleting the file
- recover
Install extundelete
- yum install extundelete
- Compile and install extundelete
extundelete common parameters
- Action:
‘What to do immediately’ after accidentally deleting a file
Recover files

Problem Description

In a Linux instance, use rm命令误删除文件the following method to recover data 且没有on the disk where the file is located .进行任何写操作

# 执行不成功的
rm -Rf /

## 使用 --no-preserve-root 选项跳过安全模式
rm -rf --no-preserve-root /*

Three parts of the file system

Linuxand consists Windowsof :文件系统三部分

file name
inode
block

file name	Store file metadata information	actually store data
a.txt	–>inode	–> block

block块: Where the data is actually stored
逻辑删除: Fake deletion (equivalent to just deleting the table of contents of the book)
Why is deletion faster than copying?

The process is still there after accidentally deleting the file

https://www.lxlinux.net/1124.html

# 查看当前正在使用的、已被删除的文件
lsof | grep deleted

Fortunately this is the case 进程还存在, then recovery operations begin.

recover

# 恢复命令
cp /proc/pid/fd/1/指定目录/文件名 /tmp/恢复/

Enter 进程目录, usually enter /proc/pid/fd/, copy the file to the specified location

Insert image description here
Recovery operation

Install extundelete

Reference: https://www.lxlinux.net/8012.html
ext4 To delete files on the file system, you can use extundeleterecovery;
ext3to delete files on the file system, you can use ext3greprecovery;
windowsto recover accidentally deleted files: final data v2.0汉化版andeasyrecovery

extundeleteOfficial website: http://extundelete.sourceforge.net/

extundeleteThe tool can recover from ext3or ext4partition 已删除的文件.
extundeleteWith files stored in a partition that have been deleted in the 分区日志中的信息past 尝试恢复, there is no guarantee that any specific deleted file can be successfully recovered.
extundeleteThe tool temporarily recovers 不支持from xfsthe file system 误删文件, you can try to use it to recover TestDiskaccidentallyxfs

yum install extundelete

# 检查是否安装有extundelete工具
rpm -qa extundelete

# yum安装extundelete
yum install -y extundelete

# 查看extundelete版本
extundelete -v

Compile and install extundelete

# 安装依赖包
yum -y install e2fsprogs-libs e2fsprogs e2fsprogs-devel

# 下载压缩安装包
wget http://nchc.dl.sourceforge.net/project/extundelete/extundelete/0.2.4/extundelete-0.2.4.tar.bz2

# 备用下载地址
wget https://raw.githubusercontent.com/omaidb/qiaofei_notes/main/shell_code/extundelete/extundelete-0.2.4.tar.bz2

# 解压
tar -jxvf extundelete-0.2.4.tar.bz2

cd extundelete-0.2.4

# 构建编译选项
./configure

# 编译安装
make && make install

# 检查是否安装成功
extundelete -v

extundelete common parameters

Among them, the parameters (options) are:

parameter	explain
–version, -[vV]	Display software version number
–help	Display software help information
–superblock	Show superblock information
–journal	Show log information
–after dtime	Time parameter, indicating files or directories that will be deleted after a certain period of time
–before dtime	Time parameter, indicating files or directories that were deleted before a certain period of time

Action:

parameter	explain
–inode ino	Display information about node "ino"
–block blk	Display information about data block "blk"
–restore-inode ino[,ino,…]	Restoration command parameter, which means restoring the files of node "ino". The restored files will be automatically placed in the RESTORED_FILES folder in the current directory, using the node number as the extension.
–restore-file ‘path’	Recovery command parameters, indicating that the files in the specified path will be recovered and the recovered files will be placed in the RECOVERED_FILES directory under the current directory.
–restore-files ‘path’	Restore command parameters, indicating that all files listed in the path will be restored
–restore-all	Recovery command parameters, indicating that all directories and files will be attempted to be recovered
-j journal	Indicates reading the extended log from the named file
-b blocknumber	Indicates using the previously backed up super block to open the file system. It is generally used to check whether the existing super block is the currently required file.
-B blocksize	Open the file system by specifying the data block size, generally used to view files whose size is already known

After accidentally deleting a file`立即要做的事情`

hint:

误删除文件Finally, 第一the first thing to do 立即停止继续写入数据is to 避免delete the contents of the file by mistake.被覆盖
extundeleteand are 不能automatically created when recovering files .空文件目录
Install extundeletethe tool, 切勿install extundeletethe tool to 误删文件所在磁盘. It is recommended to install it to 系统盘, or install it together 新的数据盘.
Since the subsequent operation of using this tool to restore deleted files requires executing umounta command to cancel the partition mount operation or to 只读方式mount the partition, the command cannot be executed on the system disk partition umount.
系统盘误删文件Data recovery in the system needs to be mounted liveCDafter startup .只读方式要恢复的系统盘

1. Back up the current partition through the dd command

Use the dd command to back up the current partition to prevent data loss caused by third-party software recovery failure. It is suitable for situations where the data is very important. In this test, there is no backup. If the backup is done, the following methods can be considered:

# 通过dd命令对当前分区进行备份
dd if=/path/filename of=/dev/vdc1

2. Unmount the partition where files need to be recovered or mount it in read-only mode

Unmount the disk partition where the deleted files are located.

# 查看当前系统磁盘分区
df -h

# 卸载需要恢复文件的分区
## umount 挂载点
umount /mnt

# 查看谁在占用挂载点
## -m 显示挂载点
## -u 显示用户
## -v 显示详情
fuser -muv /mnt

# 识别和终止正在访问指定文件或文件系统的进程
## -m：指定匹配模式为挂载点,只管挂载点相关的进程
## -v：显示详细信息，包括进程的命令行参数
## -i：交互式模式，要求在终止进程之前进行确认
## -k：终止进程
fuser -m -v -i -k /mnt

# 以只读的方式挂载
## remount 重新挂载
## ro 只读方式挂载
mount -o remount,ro /mnt

3. Check the inode number

Extensions:

ext4inodeThe value of the partition root directory is2
xfsinodeThe value of the partition root directory is64
- 本示例is 根分区created usingLVM96

# 查看etx4文件系统磁盘的inode值
ls -id /mnt/data/

Insert image description here

# 查看xfs文件系统中/boot的inode值
ls -id /boot/

Insert image description here
定位被误删的文件If you need to search step by step, you can first 根分区 inodesearch from

# 查看inode号：
## 常识：每个文件，有一个inode号。
ls -i a.txt

# 查看inode中的文件属性
## 通过stat命令查看inode中包含的内容
stat a.txt

4. View deleted data information

https://blog.51cto.com/bosszhang/2069542

# 通过inode结点查看被删除的文件名字：
# 查看sdb1分区根目录下面可被恢复的文件及文件夹
# 查询可恢复的数据，带有Deleted标记的表示已经删除的文件
## --inode 2 显示inode号为2的文件的信息
# extundelete 磁盘设备路径 --inode 2
extundelete /dev/sdb1 --inode 2

The system display is similar to the following:
the one in the picture Deleted状态is 被删除的数据.
Restore 被删除数据to RECOVERED_FILES目录next, 该RECOVERED_FILES目录default created 当前目录below .

Recover files

https://developer.aliyun.com/article/563603

Restore the file with specified inode number

# 恢复对应inode的文件
extundelete 磁盘镜像文件 --restore-inode 21

Restore specified file name

# 指定文件名test.txt尝试恢复
extundelete /dev/sdb1 --restore-file test.txt

Restore specified directory

空目录不会被恢复

# 恢复指定目录
extundelete /dev/sdb1 --restore-directory /dir1

Recover all recoverable files

# 恢复该磁盘下的所有可恢复文件
extundelete 磁盘设备路径 --restore-all

The system display is similar to the following:

Recover files from a specified time

Unix时间戳Conversion: https://tool.chinaz.com/tools/unixtime.aspx

Restore files deleted before specified timestamp

# 恢复指定时间戳之前删除的文件
## --before UNIX时间戳,从1970年1月1日 00:00:00 UTC 起的秒数。
extundelete --before 1451288304 --restore-all /dev/sdb1

Restore files deleted after specified timestamp

# 恢复指定时间戳之后删除的文件
## --after UNIX时间戳
extundelete --after 1451288304 --restore-all /dev/sdb1

View recovered files

# 查看恢复出的文件
ls RECOVERED_FILES/