
jimlu
V1
2023/05/26
Recovering deleted files with extundelete
1 Approach
- Create a 20G disk
- Partition it: fdisk /dev/sdb
- Format it: mkfs.ext4
- Mount it at /tmp/sdb1
- Create test content: an empty file, an empty directory, a regular file, a regular user
- Delete the files
- Unmount the partition
- Recover the files
2 Experiment
2.1 Installing extundelete
1. Extract the source archive
[root@localhost ~]# tar xf extundelete-0.2.4.tar.bz2
2. Configure and compile
[root@localhost ~]# cd extundelete-0.2.4/
[root@localhost extundelete-0.2.4]# ls
acinclude.m4 aclocal.m4 autogen.sh config.h.in configure configure.ac depcomp install-sh LICENSE Makefile.am Makefile.in missing README src
[root@localhost extundelete-0.2.4]# ./configure
Configuring extundelete 0.2.4
configure: error: Can't find ext2fs library
3. Fix the configure error: the ext2fs headers come from e2fsprogs-devel, which is not installed yet
[root@localhost extundelete-0.2.4]# yum list|grep e2fs
e2fsprogs.x86_64 1.42.9-7.el7 @local
e2fsprogs-libs.x86_64 1.42.9-7.el7 @anaconda
e2fsprogs-devel.x86_64 1.42.9-7.el7 local
[root@localhost extundelete-0.2.4]# yum install e2fsprogs*
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Package e2fsprogs-libs-1.42.9-7.el7.x86_64 already installed and latest version
Package e2fsprogs-1.42.9-7.el7.x86_64 already installed and latest version
Resolving Dependencies
--> Running transaction check
---> Package e2fsprogs-devel.x86_64 0:1.42.9-7.el7 will be installed
--> Processing Dependency: libcom_err-devel(x86-64) = 1.42.9-7.el7 for package: e2fsprogs-devel-1.42.9-7.el7.x86_64
--> Processing Dependency: pkgconfig(com_err) for package: e2fsprogs-devel-1.42.9-7.el7.x86_64
--> Running transaction check
---> Package libcom_err-devel.x86_64 0:1.42.9-7.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
===================================================================================================================================================================
Package Arch Version Repository Size
===================================================================================================================================================================
Installing:
e2fsprogs-devel x86_64 1.42.9-7.el7 local 70 k
Installing for dependencies:
libcom_err-devel x86_64 1.42.9-7.el7 local 30 k
Transaction Summary
===================================================================================================================================================================
Install 1 Package (+1 Dependent package)
Total download size: 101 k
Installed size: 178 k
Is this ok [y/d/N]: y
Downloading packages:
-------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 112 kB/s | 101 kB 00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : libcom_err-devel-1.42.9-7.el7.x86_64 1/2
Installing : e2fsprogs-devel-1.42.9-7.el7.x86_64 2/2
Verifying : libcom_err-devel-1.42.9-7.el7.x86_64 1/2
Verifying : e2fsprogs-devel-1.42.9-7.el7.x86_64 2/2
Installed:
e2fsprogs-devel.x86_64 0:1.42.9-7.el7
Dependency Installed:
libcom_err-devel.x86_64 0:1.42.9-7.el7
Complete!
4. Configure, compile and install again
[root@localhost extundelete-0.2.4]# ./configure
Configuring extundelete 0.2.4
Writing generated files to disk
[root@localhost extundelete-0.2.4]# make && make install && echo "is's ok"
make -s all-recursive
Making all in src
Making install in src
/usr/bin/install -c extundelete '/usr/local/bin'
is's ok
5. Check the extundelete command (running it without a device prints the usage text)
[root@localhost extundelete-0.2.4]# extundelete
No action specified; implying --superblock.
extundelete: Missing device name.
Usage: extundelete [options] [--] device-file
Options:
--version, -[vV] Print version and exit successfully.
--help, Print this help and exit successfully.
--superblock Print contents of superblock in addition to the rest.
If no action is specified then this option is implied.
--journal Show content of journal.
--after dtime Only process entries deleted on or after 'dtime'.
--before dtime Only process entries deleted before 'dtime'.
Actions:
--inode ino Show info on inode 'ino'.
--block blk Show info on block 'blk'.
--restore-inode ino[,ino,...]
Restore the file(s) with known inode number 'ino'.
The restored files are created in ./RECOVERED_FILES
with their inode number as extension (ie, file.12345).
--restore-file 'path' Will restore file 'path'. 'path' is relative to root
of the partition and does not start with a '/'
The restored file is created in the current
directory as 'RECOVERED_FILES/path'.
--restore-files 'path' Will restore files which are listed in the file 'path'.
Each filename should be in the same format as an option
to --restore-file, and there should be one per line.
--restore-directory 'path'
Will restore directory 'path'. 'path' is relative to the
root directory of the file system. The restored
directory is created in the output directory as 'path'.
--restore-all Attempts to restore everything.
-j journal Reads an external journal from the named file.
-b blocknumber Uses the backup superblock at blocknumber when opening
the file system.
-B blocksize Uses blocksize as the block size when opening the file
system. The number should be the number of bytes.
--log 0 Make the program silent.
--log filename Logs all messages to filename.
--log D1=0,D2=filename Custom control of log messages with comma-separated
Examples below: list of options. Dn must be one of info, warn, or
--log info,error error. Omission of the '=name' results in messages
--log warn=0 with the specified level to be logged to the console.
--log error=filename If the parameter is '=0', logging for the specified
level will be turned off. If the parameter is
'=filename', messages with that level will be written
to filename.
-o directory Save the recovered files to the named directory.
The restored files are created in a directory
named 'RECOVERED_FILES/' by default.
extundelete: Error parsing command-line options.
2.2 Preparing the test environment
1. Create a 20G disk in Workstation
2. Reboot the system; the new disk is detected as sdb
[root@localhost extundelete-0.2.4]# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 20G 0 disk
├─sda1 8:1 0 500M 0 part /boot
└─sda2 8:2 0 19.5G 0 part
├─centos-root 253:0 0 17.5G 0 lvm /
└─centos-swap 253:1 0 2G 0 lvm [SWAP]
sdb 8:16 0 20G 0 disk
sr0 11:0 1 4G 0 rom
3. Partition the disk and format the partition as ext4
[root@localhost extundelete-0.2.4]# echo -e "o\nn\np\n1\n\n+5G\nw" |fdisk /dev/sdb
Welcome to fdisk (util-linux 2.23.2).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.
Device does not contain a recognized partition table
Building a new DOS disklabel with disk identifier 0xbd392c3f.
Command (m for help): Building a new DOS disklabel with disk identifier 0xa38139f9.
Command (m for help): Partition type:
p primary (0 primary, 0 extended, 4 free)
e extended
Select (default p): Partition number (1-4, default 1): First sector (2048-41943039, default 2048): Using default value 2048
Last sector, +sectors or +size{K,M,G} (2048-41943039, default 41943039): Partition 1 of type Linux and of size 5 GiB is set
Command (m for help): The partition table has been altered!
Calling ioctl() to re-read partition table.
Syncing disks.
[root@localhost extundelete-0.2.4]# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 20G 0 disk
├─sda1 8:1 0 500M 0 part /boot
└─sda2 8:2 0 19.5G 0 part
├─centos-root 253:0 0 17.5G 0 lvm /
└─centos-swap 253:1 0 2G 0 lvm [SWAP]
sdb 8:16 0 20G 0 disk
└─sdb1 8:17 0 5G 0 part
sr0 11:0 1 4G 0 rom
[root@localhost extundelete-0.2.4]# mkfs.ext4 /dev/sdb1
mke2fs 1.42.9 (28-Dec-2013)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
327680 inodes, 1310720 blocks
65536 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=1342177280
40 block groups
32768 blocks per group, 32768 fragments per group
8192 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736
Allocating group tables: done
Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done
4. Mount the filesystem
[root@localhost extundelete-0.2.4]# mkdir /tmp/sdb1
[root@localhost extundelete-0.2.4]# mount /dev/sdb1 /tmp/sdb1
[root@localhost extundelete-0.2.4]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/centos-root 18G 1.2G 17G 7% /
devtmpfs 481M 0 481M 0% /dev
tmpfs 490M 0 490M 0% /dev/shm
tmpfs 490M 6.6M 484M 2% /run
tmpfs 490M 0 490M 0% /sys/fs/cgroup
/dev/sda1 497M 120M 378M 25% /boot
/dev/sdb1 4.8G 20M 4.6G 1% /tmp/sdb1
5. Create the test files
[root@localhost extundelete-0.2.4]# cat >> a.sh << EOF
cp -a /etc/ssh /tmp/sdb1
cp /etc/hosts /tmp/sdb1
echo test >> a.txt
mkdir -p /tmp/sdb1/a/b/c
cp /etc/passwd /tmp/sdb1/a/b/
cp /etc/shadow /tmp/sdb1/a/
touch test.txt
cp test.txt /tmp/sdb1/a/b/
EOF
[root@localhost extundelete-0.2.4]# chmod +x a.sh
[root@localhost extundelete-0.2.4]# ./a.sh
[root@localhost extundelete-0.2.4]# tree /tmp/sdb1/
/tmp/sdb1/
├── a
│ ├── b
│ │ ├── c
│ │ ├── passwd
│ │ └── test.txt
│ └── shadow
├── hosts
├── lost+found
└── ssh
├── moduli
├── ssh_config
├── sshd_config
├── ssh_host_ecdsa_key
├── ssh_host_ecdsa_key.pub
├── ssh_host_ed25519_key
├── ssh_host_ed25519_key.pub
├── ssh_host_rsa_key
└── ssh_host_rsa_key.pub
5 directories, 13 files
[root@localhost extundelete-0.2.4]#
6. Delete the files and unmount the filesystem (the first umount fails because the shell's working directory is still inside the mount point)
[root@localhost extundelete-0.2.4]# cd /tmp/sdb1/
[root@localhost sdb1]# ls
a hosts lost+found ssh
[root@localhost sdb1]# tree ./
./
├── a
│ ├── b
│ │ ├── c
│ │ ├── passwd
│ │ └── test.txt
│ └── shadow
├── hosts
├── lost+found
└── ssh
├── moduli
├── ssh_config
├── sshd_config
├── ssh_host_ecdsa_key
├── ssh_host_ecdsa_key.pub
├── ssh_host_ed25519_key
├── ssh_host_ed25519_key.pub
├── ssh_host_rsa_key
└── ssh_host_rsa_key.pub
5 directories, 13 files
[root@localhost sdb1]# rm -rf ./*
[root@localhost sdb1]# ls
[root@localhost sdb1]# umount /tmp/sdb1/
umount: /tmp/sdb1: target is busy.
(In some cases useful info about processes that use
the device is found by lsof(8) or fuser(1))
[root@localhost sdb1]# cd
[root@localhost ~]# umount /tmp/sdb1/
2.3 Viewing the deleted files
1. Check which files were deleted by dumping the root directory (inode 2); entries marked "Deleted" and their inode numbers appear at the end of the output
[root@localhost ~]# extundelete /dev/sdb1 --inode 2
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 40 groups loaded.
Group: 0
Contents of inode 2:
0000 | ed 41 00 00 00 10 00 00 04 d0 6e 64 03 d0 6e 64 | .A........nd..nd
0010 | 03 d0 6e 64 00 00 00 00 00 00 02 00 08 00 00 00 | ..nd............
0020 | 00 00 08 00 07 00 00 00 0a f3 01 00 04 00 00 00 | ................
0030 | 00 00 00 00 00 00 00 00 01 00 00 00 a1 22 00 00 | ............."..
0040 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0050 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0060 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0070 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0080 | 1c 00 00 00 64 ee ee 14 64 ee ee 14 a4 bd aa af | ....d...d.......
0090 | a1 c9 6e 64 00 00 00 00 00 00 00 00 00 00 00 00 | ..nd............
00a0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00b0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00c0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00d0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00e0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00f0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
Inode is Allocated
File mode: 16877
Low 16 bits of Owner Uid: 0
Size in bytes: 4096
Access time: 1684983812
Creation time: 1684983811
Modification time: 1684983811
Deletion Time: 0
Low 16 bits of Group Id: 0
Links count: 2
Blocks count: 8
File flags: 524288
File version (for NFS): 0
File ACL: 0
Directory ACL: 0
Fragment address: 0
Direct blocks: 127754, 4, 0, 0, 1, 8865, 0, 0, 0, 0, 0, 0
Indirect block: 0
Double indirect block: 0
Triple indirect block: 0
File name | Inode number | Deleted status
. 2
.. 2
lost+found 11 Deleted
ssh 131073 Deleted
hosts 12 Deleted
a 131083 Deleted
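What extundelete printed above is the raw base inode of the root directory (inode 2) followed by its decoded fields and the directory entries it still references. The following Python script, an added example that is not part of extundelete or of the original post, decodes that same dump using the on-disk ext4 inode layout and walks the extent tree stored in i_block; the deletion-time field (i_dtime) is what separates a live inode (0, as here) from a deleted one and is the value the --after/--before options filter on. It also pulls the inode numbers flagged "Deleted" out of the listing, which is exactly the input --restore-inode needs. The dump and listing are copied from the post's output; the function names are my own.

```python
"""Decode the inode dump and directory listing printed by `extundelete --inode N`.

Added example (not extundelete's own code). Offsets follow the on-disk
ext4 inode layout (struct ext4_inode); the sample dump and listing are
copied from the post's `extundelete /dev/sdb1 --inode 2` output.
"""
import struct

EXT4_EXTENTS_FL = 0x80000   # i_flags bit: i_block holds an extent tree, not block pointers
EXT4_EXT_MAGIC = 0xF30A     # eh_magic of struct ext4_extent_header

# Sample input copied from the post (the first 128 bytes are the base inode).
INODE2_DUMP = """\
0000 | ed 41 00 00 00 10 00 00 04 d0 6e 64 03 d0 6e 64 | .A........nd..nd
0010 | 03 d0 6e 64 00 00 00 00 00 00 02 00 08 00 00 00 | ..nd............
0020 | 00 00 08 00 07 00 00 00 0a f3 01 00 04 00 00 00 | ................
0030 | 00 00 00 00 00 00 00 00 01 00 00 00 a1 22 00 00 | ............."..
0040 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0050 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0060 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0070 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
"""

# Sample input copied from the post (the directory listing of inode 2).
DIR_LISTING = """\
File name | Inode number | Deleted status
. 2
.. 2
lost+found 11 Deleted
ssh 131073 Deleted
hosts 12 Deleted
a 131083 Deleted
"""


def parse_hexdump(dump: str) -> bytes:
    """Turn the 'offset | hex bytes | ascii' lines back into raw bytes."""
    raw = bytearray()
    for line in dump.splitlines():
        parts = line.split("|")
        if len(parts) < 2:
            continue
        if int(parts[0], 16) != len(raw):
            raise ValueError("dump lines are not contiguous")
        raw += bytes.fromhex(parts[1])   # fromhex ignores the spaces
    return bytes(raw)


def decode_extents(i_block: bytes) -> list:
    """Read a depth-0 extent tree from the 60-byte i_block area.
    Returns (logical_block, length, physical_start) tuples."""
    magic, entries, _max, depth, _gen = struct.unpack_from("<HHHHI", i_block, 0)
    if magic != EXT4_EXT_MAGIC:
        raise ValueError("bad extent header magic 0x%04x" % magic)
    if depth != 0:
        raise NotImplementedError("index nodes (depth > 0) live in separate blocks")
    extents = []
    for i in range(entries):
        ee_block, ee_len, start_hi, start_lo = struct.unpack_from("<IHHI", i_block, 12 + 12 * i)
        extents.append((ee_block, ee_len, (start_hi << 32) | start_lo))
    return extents


def decode_inode(raw: bytes) -> dict:
    """Decode the fields extundelete prints ('File mode', 'Deletion Time', ...)."""
    if len(raw) < 128:
        raise ValueError("need at least the 128-byte base inode")
    (mode, uid, size_lo, atime, ctime, mtime, dtime,
     gid, links, blocks_lo, flags) = struct.unpack_from("<HHIIIIIHHII", raw, 0)
    size_hi = struct.unpack_from("<I", raw, 0x6C)[0]   # shown as 'Directory ACL' in the old naming
    info = {
        "mode": mode, "uid": uid, "size": (size_hi << 32) | size_lo,
        "atime": atime, "ctime": ctime, "mtime": mtime, "dtime": dtime,
        "gid": gid, "links": links, "blocks": blocks_lo, "flags": flags,
        # A live inode has dtime == 0; unlinking sets it, and extundelete's
        # --after/--before options compare against this field.
        "deleted": dtime != 0,
    }
    i_block = raw[0x28:0x28 + 60]
    if flags & EXT4_EXTENTS_FL:
        info["extents"] = decode_extents(i_block)
    else:
        info["direct_blocks"] = list(struct.unpack_from("<12I", i_block, 0))
    return info


def deleted_entries(listing: str) -> dict:
    """Map each name flagged 'Deleted' in the listing to its inode number
    (names containing spaces are not handled)."""
    found = {}
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[2] == "Deleted":
            found[parts[0]] = int(parts[1])
    return found


if __name__ == "__main__":
    info = decode_inode(parse_hexdump(INODE2_DUMP))
    for key, value in info.items():
        print(f"{key:14s} {value}")
    print("deleted entries:", deleted_entries(DIR_LISTING))
```

The decoded values reproduce the post's output line for line: mode 16877, size 4096, atime 1684983812, links 2, blocks 8, flags 524288 (the extents flag), and the "Direct blocks" list 127754, 4, 0, 0, 1, 8865 is really an extent header (magic 0xf30a, 1 entry) plus one extent covering logical block 0 at physical block 8865.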
2.4 Recovering files
extundelete /dev/sdb1 --restore-inode 12 // recover by inode number
[root@jin6 tmp]# extundelete /dev/sdb1 --restore-inode 12
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 41 groups loaded.
Loading journal descriptors ... 51 descriptors loaded.
[root@jin6 tmp]# ls RECOVERED_FILES/
file.12
extundelete /dev/sdb1 --restore-file hosts // recover by file name
[root@jin6 tmp]# extundelete /dev/sdb1 --restore-file a.txt
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 41 groups loaded.
Loading journal descriptors ... 51 descriptors loaded.
Successfully restored file a.txt
extundelete /dev/sdb1 --restore-directory ssh // recover by directory name
[root@jin6 tmp]# extundelete /dev/sdb1 --restore-directory a
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 41 groups loaded.
Loading journal descriptors ... 51 descriptors loaded.
Searching for recoverable inodes in directory a ...
22 recoverable inodes found.
Looking through the directory structure for deleted files ...
15 recoverable inodes still lost.
[root@jin6 tmp]# tree RECOVERED_FILES/
RECOVERED_FILES/
├── a
│ ├── a2.txt
│ ├── a4.txt
│ ├── b
│ │ ├── a3.txt
│ │ └── passwd
│ └── shadow
├── a.txt
└── file.12
2 directories, 7 files
extundelete /dev/sdb1 --restore-all // recover everything
[root@jin6 tmp]# extundelete /dev/sdb1 --restore-all
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 41 groups loaded.
Loading journal descriptors ... 51 descriptors loaded.
Searching for recoverable inodes in directory / ...
22 recoverable inodes found.
Looking through the directory structure for deleted files ...
0 recoverable inodes still lost.
[root@jin6 tmp]# tree RECOVERED_FILES/
RECOVERED_FILES/
├── a
│ ├── a2.txt
│ ├── a2.txt.v1
│ ├── a4.txt
│ ├── a4.txt.v1
│ ├── b
│ │ ├── a3.txt
│ │ ├── a3.txt.v1
│ │ ├── passwd
│ │ └── passwd.v1
│ ├── shadow
│ └── shadow.v1
├── a1.txt
├── a.txt
├── a.txt.v1
├── file.12
├── hosts
└── ssh
├── moduli
├── ssh_config
├── sshd_config
├── ssh_host_dsa_key
├── ssh_host_dsa_key.pub
├── ssh_host_key
├── ssh_host_key.pub
├── ssh_host_rsa_key
└── ssh_host_rsa_key.pub
3 directories, 24 files
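In the --restore-all output above several paths come back twice (passwd and passwd.v1, shadow and shadow.v1): extundelete found more than one copy of the inode in the journal and wrote each candidate. In a lab like this one the originals still exist (/etc/hosts, /etc/passwd and /etc/shadow were copied onto the test volume), so the candidates can be checked by hash rather than by eye. The following Python script, an added example not taken from extundelete or from the post, groups the .vN candidates per logical path and reports which one matches the original's SHA-256, or that none does. The directory layout and file contents it builds are constructed fixtures, and the function names are my own.

```python
"""Verify extundelete's RECOVERED_FILES candidates against known-good originals.

Added example (not extundelete's own code). extundelete can write several
candidates for one path ('passwd' and 'passwd.v1') when the journal held
more than one copy of the inode; hashing against the originals tells which
candidate is intact. The fixture built by build_lab() is constructed.
"""
import hashlib
import os
import re
import tempfile

# 'name', 'name.v1', 'name.v2' ... all share the logical path 'name'.
VERSION_RE = re.compile(r"^(.*?)(?:\.v\d+)?$")


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def candidates(recovered_dir: str) -> dict:
    """Group every file under recovered_dir by logical path (relative path
    with any .vN suffix stripped)."""
    groups = {}
    for root, _dirs, files in os.walk(recovered_dir):
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), recovered_dir)
            logical = VERSION_RE.match(rel).group(1)
            groups.setdefault(logical, []).append(rel)
    return groups


def verify(recovered_dir: str, originals: dict) -> dict:
    """originals maps a logical path inside the volume to its known-good file.
    Returns, per logical path, the candidate whose SHA-256 equals the
    original's, or None when no intact candidate was recovered."""
    groups = candidates(recovered_dir)
    report = {}
    for logical, original_path in originals.items():
        want = sha256_file(original_path)
        report[logical] = None
        for cand in sorted(groups.get(logical, [])):
            if sha256_file(os.path.join(recovered_dir, cand)) == want:
                report[logical] = cand
                break
    return report


def build_lab(tmp: str):
    """Constructed fixture: originals plus a RECOVERED_FILES tree in which
    hosts is intact, a/shadow is truncated but a/shadow.v1 is intact, and
    only a corrupted a/b/passwd.v1 came back."""
    orig = os.path.join(tmp, "orig")
    rec = os.path.join(tmp, "RECOVERED_FILES")
    contents = {                       # constructed sample data, not real system files
        "hosts": b"127.0.0.1 localhost\n",
        "a/shadow": b"root:*:19500:0:99999:7:::\n",
        "a/b/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    }
    recovered = {
        "hosts": contents["hosts"],
        "a/shadow": contents["a/shadow"][:5],                        # short, stale copy
        "a/shadow.v1": contents["a/shadow"],                         # journal copy is the good one
        "a/b/passwd.v1": contents["a/b/passwd"].replace(b"root", b"r00t"),  # damaged copy
    }
    originals = {}
    for rel, data in contents.items():
        path = os.path.join(orig, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
        originals[rel] = path
    for rel, data in recovered.items():
        path = os.path.join(rec, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return rec, originals


def run_demo() -> dict:
    """Build the fixture in a temporary directory and verify it."""
    with tempfile.TemporaryDirectory() as tmp:
        rec, originals = build_lab(tmp)
        return verify(rec, originals)


if __name__ == "__main__":
    for logical, cand in run_demo().items():
        print(f"{logical:12s} -> {cand or 'NO INTACT CANDIDATE'}")
```

On a real recovery, point verify() at the RECOVERED_FILES directory extundelete created and at whatever reference copies you have (backups, package files, a sibling host); a path that reports None was not recovered intact, no matter how plausible the file looks, and should not be trusted.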