在Linux下,基于开源的数据恢复工具有很多,常见的有debugfs、R-Linux、ext3grep、extundelete等,比较常用的有ext3grep和extundelete,这两个工具的恢复原理基本一样,只是extundelete功能更加强大,本文重点介绍
**************************************************
* lsof 方式恢复 *
**************************************************
lsof
文件刚刚被删除,想要恢复,先尝试lsof.
#lsof |grep data.file1
# cp /proc/xxx/xxx/xx /dir/data.file1
或者ps -ef
**************************************************
* extundelete 方式恢复 *
**************************************************
第一时间要做的就是卸载被删除数据所在的分区,如果是根分区的数据遭到误删
yum install gcc gcc++
yum install gcc gcc-c++ gcc-g77
yum install e2fsprogs e2fsprogs-libs e2fsprogs-devel
[root@dg extundelete-0.2.4]# ./configure
Configuring extundelete 0.2.4
Writing generated files to disk
tar xjf extundelete-0.2.4.tar.bz2
cd extundelete-0.2.4
./configure
make && make install
[root@dg extundelete-0.2.4]# make
make -s all-recursive
Making all in src
extundelete.cc:571: 警告:未使用的参数‘flags’
[root@dg extundelete-0.2.4]# make install
Making install in src
/usr/bin/install -c extundelete '/usr/local/bin'
---查看帮助
root@dg extundelete-0.2.4]# make install
Making install in src
/usr/bin/install -c extundelete '/usr/local/bin'
[root@dg extundelete-0.2.4]# extundelete --help
Usage: extundelete [options] [--] device-file
Options:
--version, -[vV] Print version and exit successfully.
--help, Print this help and exit successfully.
--superblock Print contents of superblock in addition to the rest.
If no action is specified then this option is implied.
--journal Show content of journal.
--after dtime Only process entries deleted on or after 'dtime'.
--before dtime Only process entries deleted before 'dtime'.
Actions:
--inode ino Show info on inode 'ino'.
--block blk Show info on block 'blk'.
--restore-inode ino[,ino,...]
Restore the file(s) with known inode number 'ino'.
The restored files are created in ./RECOVERED_FILES
with their inode number as extension (ie, file.12345).
--restore-file 'path' Will restore file 'path'. 'path' is relative to root
of the partition and does not start with a '/'
The restored file is created in the current
directory as 'RECOVERED_FILES/path'.
--restore-files 'path' Will restore files which are listed in the file 'path'.
Each filename should be in the same format as an option
to --restore-file, and there should be one per line.
--restore-directory 'path'
Will restore directory 'path'. 'path' is relative to the
root directory of the file system. The restored
directory is created in the output directory as 'path'.
--restore-all Attempts to restore everything.
-j journal Reads an external journal from the named file.
-b blocknumber Uses the backup superblock at blocknumber when opening
the file system.
-B blocksize Uses blocksize as the block size when opening the file
system. The number should be the number of bytes.
--log 0 Make the program silent.
--log filename Logs all messages to filename.
--log D1=0,D2=filename Custom control of log messages with comma-separated
Examples below: list of options. Dn must be one of info, warn, or
--log info,error error. Omission of the '=name' results in messages
--log warn=0 with the specified level to be logged to the console.
--log error=filename If the parameter is '=0', logging for the specified
level will be turned off. If the parameter is
'=filename', messages with that level will be written
to filename.
-o directory Save the recovered files to the named directory.
The restored files are created in a directory
named 'RECOVERED_FILES/' by default.