- 安裝extundelete工具包,用於恢復數據用
[root@centos01 ~]# yum install extundelete -y
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
epel/metalink | 8.0 kB- base: mirrors.zju.edu.cn
- epel: mirrors.sohu.com
- extras: mirrors.sohu.com
- updates: mirrors.163.com
base | 3.7 kB
epel | 4.7 kB
epel/primary_db | 6.0 MB
extras | 3.4 kB
updates | 3.4 kB
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package extundelete.x86_64 0:0.2.4-6.el6 will be inst
--> Finished Dependency Resolution
Dependencies Resolved
==========================================================
Package Arch Version Repos
==========================================================
Installing:
extundelete x86_64 0.2.4-6.el6 epel
Transaction Summary
==========================================================
Install 1 Package(s)
Total download size: 60 k
Installed size: 143 k
Downloading Packages:
extundelete-0.2.4-6.el6.x86_64.rpm | 60 kB
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : extundelete-0.2.4-6.el6.x86_64
Verifying : extundelete-0.2.4-6.el6.x86_64
Installed:
extundelete.x86_64 0:0.2.4-6.el6
Complete!
2.查看extundelete的用法
[root@centos01 ~]# extundelete --help
Usage: extundelete [options] [--] device-file
Options:
--version, -[vV] Print version and exit successfully.
--help, Print this help and exit successfully.
--superblock Print contents of superblock in addition to the rest.
If no action is specified then this option is implied.
--journal Show content of journal.
--after dtime Only process entries deleted on or after 'dtime'.
--before dtime Only process entries deleted before 'dtime'.
Actions:
--inode ino Show info on inode 'ino'.
--block blk Show info on block 'blk'.
--restore-inode ino[,ino,...]
Restore the file(s) with known inode number 'ino'.
The restored files are created in ./RECOVERED_FILES
with their inode number as extension (ie, file.12345).
--restore-file 'path' Will restore file 'path'. 'path' is relative to root
of the partition and does not start with a '/'
The restored file is created in the current
directory as 'RECOVERED_FILES/path'.
--restore-files 'path' Will restore files which are listed in the file 'path'.
Each filename should be in the same format as an option
to --restore-file, and there should be one per line.
--restore-directory 'path'
Will restore directory 'path'. 'path' is relative to the
root directory of the file system. The restored
directory is created in the output directory as 'path'.
--restore-all Attempts to restore everything.
-j journal Reads an external journal from the named file.
-b blocknumber Uses the backup superblock at blocknumber when opening
the file system.
-B blocksize Uses blocksize as the block size when opening the file
system. The number should be the number of bytes.
--log 0 Make the program silent.
--log filename Logs all messages to filename.
--log D1=0,D2=filename Custom control of log messages with comma-separated
Examples below: list of options. Dn must be one of info, warn, or
--log info,error error. Omission of the '=name' results in messages
--log warn=0 with the specified level to be logged to the console.
--log error=filename If the parameter is '=0', logging for the specified
level will be turned off. If the parameter is
'=filename', messages with that level will be written
to filename.
-o directory Save the recovered files to the named directory.
The restored files are created in a directory
named 'RECOVERED_FILES/' by default.
3.創建測試數據
[root@centos01 ~]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda2 18G 4.5G 13G 27% /
tmpfs 116M 0 116M 0% /dev/shm
/dev/sda1 194M 27M 158M 15% /boot
/dev/sdb1 6.0G 140M 5.5G 3% /test
[root@centos01 ~]# cp -pr /etc/ssh /test/
[root@centos01 ~]# ls -ltr /test/
total 24
-rw-r--r--. 1 root root 1006 Dec 18 23:12 passwd
drwxr-xr-x. 2 root root 4096 Dec 20 23:15 ssh
drwx------. 2 root root 16384 Dec 25 19:46 lost+found
[root@centos01 ~]# ls -ltr /test/ssh/
total 156
-rw-------. 1 root root 3879 Sep 1 01:40 sshd_config
-rw-r--r--. 1 root root 2047 Sep 1 01:40 ssh_config
-rw-------. 1 root root 125811 Sep 1 01:40 moduli
-rw-r--r--. 1 root root 627 Dec 7 01:17 ssh_host_key.pub
-rw-------. 1 root root 963 Dec 7 01:17 ssh_host_key
-rw-r--r--. 1 root root 382 Dec 7 01:17 ssh_host_rsa_key.pub
-rw-------. 1 root root 1675 Dec 7 01:17 ssh_host_rsa_key
-rw-r--r--. 1 root root 590 Dec 7 01:17 ssh_host_dsa_key.pub
-rw-------. 1 root root 672 Dec 7 01:17 ssh_host_dsa_key
[root@centos01 ~]# ls -ltr /test/
total 24
-rw-r--r--. 1 root root 1006 Dec 18 23:12 passwd
drwxr-xr-x. 2 root root 4096 Dec 20 23:15 ssh
drwx------. 2 root root 16384 Dec 25 19:46 lost+found
[root@centos01 ~]# mkdir /test/cbm.sh
[root@centos01 ~]# echo test > /test/cbm.sh/CBN
[root@centos01 ~]# ls -ltr /test/
total 28
-rw-r--r--. 1 root root 1006 Dec 18 23:12 passwd
drwxr-xr-x. 2 root root 4096 Dec 20 23:15 ssh
drwx------. 2 root root 16384 Dec 25 19:46 lost+found
drwxr-xr-x. 2 root root 4096 Dec 25 22:10 cbm.sh
[root@centos01 ~]# ls -ltrR /test/
/test/:
total 28
-rw-r--r--. 1 root root 1006 Dec 18 23:12 passwd
drwxr-xr-x. 2 root root 4096 Dec 20 23:15 ssh
drwx------. 2 root root 16384 Dec 25 19:46 lost+found
drwxr-xr-x. 2 root root 4096 Dec 25 22:10 cbm.sh
/test/ssh:
total 156
-rw-------. 1 root root 3879 Sep 1 01:40 sshd_config
-rw-r--r--. 1 root root 2047 Sep 1 01:40 ssh_config
-rw-------. 1 root root 125811 Sep 1 01:40 moduli
-rw-r--r--. 1 root root 627 Dec 7 01:17 ssh_host_key.pub
-rw-------. 1 root root 963 Dec 7 01:17 ssh_host_key
-rw-r--r--. 1 root root 382 Dec 7 01:17 ssh_host_rsa_key.pub
-rw-------. 1 root root 1675 Dec 7 01:17 ssh_host_rsa_key
-rw-r--r--. 1 root root 590 Dec 7 01:17 ssh_host_dsa_key.pub
-rw-------. 1 root root 672 Dec 7 01:17 ssh_host_dsa_key
/test/lost+found:
total 0
/test/cbm.sh:
total 4
-rw-r--r--. 1 root root 5 Dec 25 22:10 CBN
[root@centos01 ~]# ls -ltr /test/
total 28
-rw-r--r--. 1 root root 1006 Dec 18 23:12 passwd
drwxr-xr-x. 2 root root 4096 Dec 20 23:15 ssh
drwx------. 2 root root 16384 Dec 25 19:46 lost+found
drwxr-xr-x. 2 root root 4096 Dec 25 22:10 cbm.sh
[root@centos01 ~]# md5sum --help
Usage: md5sum [OPTION]... [FILE]...
Print or check MD5 (128-bit) checksums.
With no FILE, or when FILE is -, read standard input.
-b, --binary read in binary mode
-c, --check read MD5 sums from the FILEs and check them
-t, --text read in text mode (default)
Note: There is no difference between binary and text mode option on GNU system.
The following three options are useful only when verifying checksums:
--quiet don't print OK for each successfully verified file
--status don't output anything, status code shows success
-w, --warn warn about improperly formatted checksum lines
--help display this help and exit
--version output version information and exitThe sums are computed as described in RFC 1321. When checking, the input
should be a former output of this program. The default mode is to print
a line with checksum, a character indicating type (*' for binary, ' for
text), and name for each FILE.
Report md5sum bugs to [email protected]
GNU coreutils home page: <http://www.gnu.org/software/coreutils/>
General help using GNU software: <http://www.gnu.org/gethelp/>
For complete documentation, run: info coreutils 'md5sum invocation'
[root@centos01 ~]# ls -ltr /test/
total 28
-rw-r--r--. 1 root root 1006 Dec 18 23:12 passwd
drwxr-xr-x. 2 root root 4096 Dec 20 23:15 ssh
drwx------. 2 root root 16384 Dec 25 19:46 lost+found
drwxr-xr-x. 2 root root 4096 Dec 25 22:10 cbm.sh
4.先檢查幾個文件md5校驗值,由於後面恢復數據後做對比
[root@centos01 ~]# md5sum /test/passwd
8614b886726a2c67b112e6f624196827 /test/passwd
[root@centos01 ~]# md5sum /test/ssh
md5sum: /test/ssh: Is a directory
[root@centos01 ~]# md5sum /test/cbm.sh/CBN
d8e8fca2dc0f896fd7cb4cb0031ba249 /test/cbm.sh/CBN
[root@centos01 ~]# cd /test/
5.刪除測試數據
[root@centos01 test]# rm -rf *
[root@centos01 test]# ls -ltr
total 0
[root@centos01 test]# cd /
[root@centos01 /]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda2 18G 4.5G 13G 27% /
tmpfs 116M 0 116M 0% /dev/shm
/dev/sda1 194M 27M 158M 15% /boot
/dev/sdb1 6.0G 140M 5.5G 3% /test
6.卸載數據所在的分區
[root@centos01 /]# umount /test
[root@centos01 /]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda2 18G 4.5G 13G 27% /
tmpfs 116M 0 116M 0% /dev/shm
/dev/sda1 194M 27M 158M 15% /boot
7.檢查數據所在分區文件的inode值
[root@centos01 /]# extundelete /dev/sdb1 --inode 2
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 48 groups loaded.
Group: 0
Contents of inode 2:
0000 | ed 41 00 00 00 10 00 00 24 07 41 5a 22 07 41 5a | .A......$.AZ".AZ
0010 | 22 07 41 5a 00 00 00 00 00 00 02 00 08 00 00 00 | ".AZ............
0020 | 00 00 00 00 07 00 00 00 a1 21 00 00 00 00 00 00 | .........!......
0030 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0040 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0050 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0060 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0070 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0080 | 1c 00 00 00 bc b8 81 48 bc b8 81 48 e8 ed 3a 72 | .......H...H..:r
0090 | 26 e5 40 5a 00 00 00 00 00 00 00 00 00 00 00 00 | &.@Z............
00a0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00b0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00c0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00d0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00e0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00f0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
Inode is Allocated
File mode: 16877
Low 16 bits of Owner Uid: 0
Size in bytes: 4096
Access time: 1514211108
Creation time: 1514211106
Modification time: 1514211106
Deletion Time: 0
Low 16 bits of Group Id: 0
Links count: 2
Blocks count: 8
File flags: 0
File version (for NFS): 0
File ACL: 0
Directory ACL: 0
Fragment address: 0
Direct blocks: 8609, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
Indirect block: 0
Double indirect block: 0
Triple indirect block: 0
File name | Inode number | Deleted status
. 2
.. 2
lost+found 11 Deleted
passwd 12 Deleted
ssh 262145 Deleted
cbm.sh 8193 Deleted
[root@centos01 /]# pwd
/
[root@centos01 /]# ls -ltr
total 94
drwxr-xr-x. 2 root root 4096 Sep 23 2011 srv
drwxr-xr-x. 2 root root 4096 Sep 23 2011 mnt
drwxr-xr-x. 2 root root 4096 Sep 23 2011 media
drwxr-xr-x. 2 root root 4096 Sep 23 2011 home
drwx------. 2 root root 16384 Dec 7 01:01 lost+found
drwxr-xr-x. 13 root root 4096 Dec 7 01:07 usr
drwxr-xr-x. 17 root root 4096 Dec 7 01:07 var
dr-xr-xr-x. 8 root root 4096 Dec 7 01:11 lib
dr-xr-xr-x. 5 root root 1024 Dec 7 01:15 boot
dr-xr-xr-x. 2 root root 4096 Dec 13 23:13 bin
drwxr-xr-x. 10 root root 4096 Dec 13 23:18 cgroup
drwxr-xr-x. 3 root root 4096 Dec 18 23:16 thmmedia
dr-xr-xr-x. 2 root root 4096 Dec 18 23:22 sbin
dr-xr-xr-x. 8 root root 12288 Dec 18 23:31 lib64
dr-xr-x---. 4 root root 4096 Dec 21 18:47 root
drwxr-xr-x. 7 root root 4096 Dec 25 19:26 opt
drwxr-xr-x. 2 root root 4096 Dec 25 19:47 test
dr-xr-xr-x. 94 root root 0 Dec 25 19:48 proc
drwxr-xr-x. 13 root root 0 Dec 25 19:48 sys
drwxr-xr-x. 7 root root 0 Dec 25 19:48 selinux
drwxr-xr-x. 17 root root 3760 Dec 25 19:50 dev
drwxrwxrwt. 4 root root 4096 Dec 25 20:32 tmp
drwxr-xr-x. 75 root root 4096 Dec 25 22:12 etc
[root@centos01 /]# mkdir /restore
[root@centos01 /]# cd /restore
8.恢復一個文件
[root@centos01 restore]# extundelete /dev/sdb1 --restore-file passwd
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 48 groups loaded.
Loading journal descriptors ... 63 descriptors loaded.
Successfully restored file passwd
[root@centos01 restore]# ls -ltr
total 4
drwxr-xr-x. 2 root root 4096 Dec 25 22:14 RECOVERED_FILES
[root@centos01 restore]# ls -ltr RECOVERED_FILES
total 4
-rw-r--r--. 1 root root 1006 Dec 25 22:14 passwd
9.校驗所恢復文件的md5值,和刪除前是一樣的
[root@centos01 restore]# md5sum RECOVERED_FILES/passwd
8614b886726a2c67b112e6f624196827 RECOVERED_FILES/passwd
10.恢復文件夾
[root@centos01 restore]# extundelete /dev/sdb1 --restore-directory ssh
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 48 groups loaded.
Loading journal descriptors ... 63 descriptors loaded.
Searching for recoverable inodes in directory ssh ...
14 recoverable inodes found.
Looking through the directory structure for deleted files ...
5 recoverable inodes still lost.
[root@centos01 restore]# ls -ltr
total 4
drwxr-xr-x. 3 root root 4096 Dec 25 22:16 RECOVERED_FILES
[root@centos01 restore]# ls -ltr RECOVERED_FILES/
total 8
-rw-r--r--. 1 root root 1006 Dec 25 22:14 passwd
drwxr-xr-x. 2 root root 4096 Dec 25 22:16 ssh
11.所恢復的文件夾裏的文件權限有變化,可以自己更正過來
[root@centos01 restore]# ls -ltr RECOVERED_FILES/ssh/
total 156
-rw-r--r--. 1 root root 590 Dec 25 22:16 ssh_host_dsa_key.pub
-rw-r--r--. 1 root root 382 Dec 25 22:16 ssh_host_rsa_key.pub
-rw-r--r--. 1 root root 1675 Dec 25 22:16 ssh_host_rsa_key
-rw-r--r--. 1 root root 627 Dec 25 22:16 ssh_host_key.pub
-rw-r--r--. 1 root root 3879 Dec 25 22:16 sshd_config
-rw-r--r--. 1 root root 963 Dec 25 22:16 ssh_host_key
-rw-r--r--. 1 root root 672 Dec 25 22:16 ssh_host_dsa_key
-rw-r--r--. 1 root root 2047 Dec 25 22:16 ssh_config
-rw-r--r--. 1 root root 125811 Dec 25 22:16 moduli
[root@centos01 restore]# date
Mon Dec 25 22:17:01 CST 2017
12.對比文件權限
[root@centos01 restore]# ls -ltr /etc/ssh/
total 156
-rw-------. 1 root root 3879 Sep 1 01:40 sshd_config
-rw-r--r--. 1 root root 2047 Sep 1 01:40 ssh_config
-rw-------. 1 root root 125811 Sep 1 01:40 moduli
-rw-r--r--. 1 root root 627 Dec 7 01:17 ssh_host_key.pub
-rw-------. 1 root root 963 Dec 7 01:17 ssh_host_key
-rw-r--r--. 1 root root 382 Dec 7 01:17 ssh_host_rsa_key.pub
-rw-------. 1 root root 1675 Dec 7 01:17 ssh_host_rsa_key
-rw-r--r--. 1 root root 590 Dec 7 01:17 ssh_host_dsa_key.pub
-rw-------. 1 root root 672 Dec 7 01:17 ssh_host_dsa_key
13.一鍵恢復所有數據
[root@centos01 restore]# extundelete /dev/sdb1 --restore-all
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 48 groups loaded.
Loading journal descriptors ... 63 descriptors loaded.
Searching for recoverable inodes in directory / ...
14 recoverable inodes found.
Looking through the directory structure for deleted files ...
0 recoverable inodes still lost.
[root@centos01 restore]# ls -ltr
total 4
drwxr-xr-x. 4 root root 4096 Dec 25 22:18 RECOVERED_FILES
[root@centos01 restore]# ls -ltr RECOVERED_FILES/
total 16
-rw-r--r--. 1 root root 1006 Dec 25 22:14 passwd
-rw-r--r--. 1 root root 1006 Dec 25 22:18 passwd.v1
drwxr-xr-x. 2 root root 4096 Dec 25 22:18 ssh
drwxr-xr-x. 2 root root 4096 Dec 25 22:18 cbm.sh
[root@centos01 restore]# ls -ltr RECOVERED_FILES/cbm.sh/
total 4
-rw-r--r--. 1 root root 5 Dec 25 22:18 CBN
[root@centos01 restore]# ls -ltr RECOVERED_FILES/cbm.sh/CBN
-rw-r--r--. 1 root root 5 Dec 25 22:18 RECOVERED_FILES/cbm.sh/CBN
[root@centos01 restore]# md5sum RECOVERED_FILES/cbm.sh/CBN
d8e8fca2dc0f896fd7cb4cb0031ba249 RECOVERED_FILES/cbm.sh/CBN