linux 下文件誤刪恢復

linux 下文件誤刪恢復

0x01 事件背景

某天晚上寫代碼的時候，原本想刪除當前目錄下一個叫xxx的文件夾 rm -rdf ./xxx/*, 結果光顧着和人說話，一不留神手賤把命令敲成了rm -rdf ./*. 而後頓時懵逼了，整個目錄全沒了。心想完蛋了，這個目錄有我寫了好幾天的代碼啊，這可怎麼是好，問了下週圍的人，都說linux下使用-rf的方式刪除文件是不可恢復的，叫我放棄，而且重寫代碼吧。....-_-||。

可我不甘心啊，寫了好幾天的代碼說沒就沒了，因而Google了下解決方案，網上給出了不少解決方案，有的可行，有的不可行。在反覆嘗試以後，使用一款名叫exeundelete的工具完成了數據恢復，終於長舒一口氣。我將這個工具的使用分享給你們，一是防止下次本身再遇到這種事情不知所措，二十也但願可以幫助到遇到一樣問題的朋友。

0x02 extundelete簡介

extundelete 是一款能夠從ext3或ext4分區恢復已刪除的文件的超級實用的開源工具。 ext3和ext4文件系統是Linux發行版中最多見的默認文件系統，如Mint，Mageia或Ubuntu等linux操做系統都在使用這類文件系統。 extundelete使用起來也很是簡單，只須要一條命令就能夠完成數據恢復。

extundelete下載地址：https://cytranet.dl.sourceforge.net/project/extundelete/extundelete/0.2.4/extundelete-0.2.4.tar.bz2

0x03 編譯安裝extundelete

extundelete 只提供源碼，須要本身進行編譯安裝纔可以使用，整個過程能夠由以下的命令完成

$ wget https://cytranet.dl.sourceforge.net/project/extundelete/extundelete/0.2.4/extundelete-0.2.4.tar.bz2
$ tar vxf extundelete-0.2.4.tar.bz2
$ cd extundelete-0.2.4/
$ ./configure
$ make && sudo make install

而後在終端輸入extundelete便可看到此工具已經可使用

sandy@ubuntu:~/Desktop/xxx/extundelete-0.2.4$ extundelete
No action specified; implying --superblock.
extundelete: Missing device name.
Usage: extundelete [options] [--] device-file
Options:
  --version, -[vV]       Print version and exit successfully.
  --help,                Print this help and exit successfully.
  --superblock           Print contents of superblock in addition to the rest.
                         If no action is specified then this option is implied.
  --journal              Show content of journal.
  --after dtime          Only process entries deleted on or after 'dtime'.
  --before dtime         Only process entries deleted before 'dtime'.
Actions:
  --inode ino            Show info on inode 'ino'.
  --block blk            Show info on block 'blk'.
  --restore-inode ino[,ino,...]
                         Restore the file(s) with known inode number 'ino'.
                         The restored files are created in ./RECOVERED_FILES
                         with their inode number as extension (ie, file.12345).
  --restore-file 'path'  Will restore file 'path'. 'path' is relative to root
                         of the partition and does not start with a '/'
                         The restored file is created in the current
                         directory as 'RECOVERED_FILES/path'.
  --restore-files 'path' Will restore files which are listed in the file 'path'.
                         Each filename should be in the same format as an option
                         to --restore-file, and there should be one per line.
  --restore-directory 'path'
                         Will restore directory 'path'. 'path' is relative to the
                         root directory of the file system.  The restored
                         directory is created in the output directory as 'path'.
  --restore-all          Attempts to restore everything.
  -j journal             Reads an external journal from the named file.
  -b blocknumber         Uses the backup superblock at blocknumber when opening
                         the file system.
  -B blocksize           Uses blocksize as the block size when opening the file
                         system.  The number should be the number of bytes.
  --log 0                Make the program silent.
  --log filename         Logs all messages to filename.
--log D1=0,D2=filename   Custom control of log messages with comma-separated
   Examples below:       list of options.  Dn must be one of info, warn, or
   --log info,error      error.  Omission of the '=name' results in messages
   --log warn=0          with the specified level to be logged to the console.
   --log error=filename  If the parameter is '=0', logging for the specified
                         level will be turned off.  If the parameter is
                         '=filename', messages with that level will be written
                         to filename.
   -o directory          Save the recovered files to the named directory.
                         The restored files are created in a directory
                         named 'RECOVERED_FILES/' by default.

　　

0x04 恢復誤刪文件

編譯安裝完畢extundelete以後，即可以使用它進行誤刪文件恢復。首先咱們須要找到咱們想要恢復的分區，用fdisk等命令可查看分區狀況

sandy@ubuntu:~/Desktop/xxx/extundelete-0.2.4$ sudo fdisk -l
Disk /dev/sda: 40 GiB, 42949672960 bytes, 83886080 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0xe184ba74

Device     Boot    Start      End  Sectors Size Id Type
/dev/sda1  *        2048 79693823 79691776  38G 83 Linux
/dev/sda2       79695870 83884031  4188162   2G  5 Extended
/dev/sda5       79695872 83884031  4188160   2G 82 Linux swap / Solaris
sandy@ubuntu:~/Desktop/xxx/extundelete-0.2.4$

　　

其中/dev/sda1是我想進行恢復的分區，由於剛纔刪除的文件位於其中。接着即是使用extundelete進行數據恢復，使用下面這條命令：

sudo extundelete /dev/sda1 --restore-all  #恢復全部數據

　　

運行完畢以後，在當前目錄下會生成一個名叫11的目錄，裏面保了咱們全部刪除的數據

sandy@ubuntu:~/Desktop/xxx/extundelete-0.2.4$ ll RECOVERED_FILES/
total 3888
drwxr-xr-x   3 root  root    4096 Apr 10 18:49 home/
drwxr-xr-x 198 root  root  118784 Apr 10 18:50 lost+found/
drwxr-xr-x   6 root  root    4096 Apr 10 18:49 tmp/
drwxr-xr-x   7 root  root    4096 Apr 10 18:49 usr/
drwxr-xr-x   5 root  root    4096 Apr 10 18:49 var/
sandy@ubuntu:~/Desktop/xxx/extundelete-0.2.4$

　　

能夠看到刪除的文件都被恢復了。

0x05 總結

即使是extundelete這樣的神器，也沒法作到100%的數據恢復。這一次的經歷，算是有驚無險，還好數據恢復了，否則幾天的工做就付之東流了。總結一下，重要的數據注意備份，保證本身數據不丟失。若是沒有備份再被誤刪，要是連extundelete這樣的工具都沒法恢復，那就只能呵呵了。

0x06 參考文章

1. http://extundelete.sourceforge.net/
2. https://unix.stackexchange.com/questions/122305/undelete-a-just-deleted-file-on-ext4-with-extundelete

 

歡迎加入程序設計交流與分享qq技術交流羣：439261058

個人郵箱1215714557@qq.com，歡迎交流指正