linux 下文件误删恢复

linux 下文件误删恢复

0x01 事件背景

某天晚上写代码的时候，本来想删除当前目录下一个叫xxx的文件夹 rm -rdf ./xxx/*, 结果光顾着和人说话，一不留神手贱把命令敲成了rm -rdf ./*. 然后顿时懵逼了，整个目录全没了。心想完蛋了，这个目录有我写了好几天的代码啊，这可怎么是好，问了下周围的人，都说linux下使用-rf的方式删除文件是不可恢复的，叫我放弃，并且重写代码吧。....-_-||。

可我不甘心啊，写了好几天的代码说没就没了，于是Google了下解决方案，网上给出了很多解决方案，有的可行，有的不可行。在反复尝试之后，使用一款名叫exeundelete的工具完成了数据恢复，终于长舒一口气。我将这个工具的使用分享给大家，一是防止下次自己再遇到这种事情不知所措，二十也希望能够帮助到遇到同样问题的朋友。

0x02 extundelete简介

extundelete 是一款可以从ext3或ext4分区恢复已删除的文件的超级实用的开源工具。 ext3和ext4文件系统是Linux发行版中最常见的默认文件系统，如Mint，Mageia或Ubuntu等linux操作系统都在使用这类文件系统。 extundelete使用起来也非常简单，只需要一条命令就可以完成数据恢复。

extundelete下载地址：https://cytranet.dl.sourceforge.net/project/extundelete/extundelete/0.2.4/extundelete-0.2.4.tar.bz2

0x03 编译安装extundelete

extundelete 只提供源码，需要自己进行编译安装才能够使用，整个过程可以由如下的命令完成

$ wget https://cytranet.dl.sourceforge.net/project/extundelete/extundelete/0.2.4/extundelete-0.2.4.tar.bz2
$ tar vxf extundelete-0.2.4.tar.bz2
$ cd extundelete-0.2.4/
$ ./configure
$ make && sudo make install

然后在终端输入extundelete即可看到此工具已经可以使用

sandy@ubuntu:~/Desktop/xxx/extundelete-0.2.4$ extundelete
No action specified; implying --superblock.
extundelete: Missing device name.
Usage: extundelete [options] [--] device-file
Options:
  --version, -[vV]       Print version and exit successfully.
  --help,                Print this help and exit successfully.
  --superblock           Print contents of superblock in addition to the rest.
                         If no action is specified then this option is implied.
  --journal              Show content of journal.
  --after dtime          Only process entries deleted on or after 'dtime'.
  --before dtime         Only process entries deleted before 'dtime'.
Actions:
  --inode ino            Show info on inode 'ino'.
  --block blk            Show info on block 'blk'.
  --restore-inode ino[,ino,...]
                         Restore the file(s) with known inode number 'ino'.
                         The restored files are created in ./RECOVERED_FILES
                         with their inode number as extension (ie, file.12345).
  --restore-file 'path'  Will restore file 'path'. 'path' is relative to root
                         of the partition and does not start with a '/'
                         The restored file is created in the current
                         directory as 'RECOVERED_FILES/path'.
  --restore-files 'path' Will restore files which are listed in the file 'path'.
                         Each filename should be in the same format as an option
                         to --restore-file, and there should be one per line.
  --restore-directory 'path'
                         Will restore directory 'path'. 'path' is relative to the
                         root directory of the file system.  The restored
                         directory is created in the output directory as 'path'.
  --restore-all          Attempts to restore everything.
  -j journal             Reads an external journal from the named file.
  -b blocknumber         Uses the backup superblock at blocknumber when opening
                         the file system.
  -B blocksize           Uses blocksize as the block size when opening the file
                         system.  The number should be the number of bytes.
  --log 0                Make the program silent.
  --log filename         Logs all messages to filename.
--log D1=0,D2=filename   Custom control of log messages with comma-separated
   Examples below:       list of options.  Dn must be one of info, warn, or
   --log info,error      error.  Omission of the '=name' results in messages
   --log warn=0          with the specified level to be logged to the console.
   --log error=filename  If the parameter is '=0', logging for the specified
                         level will be turned off.  If the parameter is
                         '=filename', messages with that level will be written
                         to filename.
   -o directory          Save the recovered files to the named directory.
                         The restored files are created in a directory
                         named 'RECOVERED_FILES/' by default.

　　

0x04 恢复误删文件

编译安装完毕extundelete之后，便可以使用它进行误删文件恢复。首先我们需要找到我们想要恢复的分区，用fdisk等命令可查看分区情况

sandy@ubuntu:~/Desktop/xxx/extundelete-0.2.4$ sudo fdisk -l
Disk /dev/sda: 40 GiB, 42949672960 bytes, 83886080 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0xe184ba74

Device     Boot    Start      End  Sectors Size Id Type
/dev/sda1  *        2048 79693823 79691776  38G 83 Linux
/dev/sda2       79695870 83884031  4188162   2G  5 Extended
/dev/sda5       79695872 83884031  4188160   2G 82 Linux swap / Solaris
sandy@ubuntu:~/Desktop/xxx/extundelete-0.2.4$

　　

其中/dev/sda1是我想进行恢复的分区，因为刚才删除的文件位于其中。接着便是使用extundelete进行数据恢复，使用下面这条命令：

sudo extundelete /dev/sda1 --restore-all  #恢复所有数据

　　

运行完毕之后，在当前目录下会生成一个名叫11的目录，里面保了我们所有删除的数据

sandy@ubuntu:~/Desktop/xxx/extundelete-0.2.4$ ll RECOVERED_FILES/
total 3888
drwxr-xr-x   3 root  root    4096 Apr 10 18:49 home/
drwxr-xr-x 198 root  root  118784 Apr 10 18:50 lost+found/
drwxr-xr-x   6 root  root    4096 Apr 10 18:49 tmp/
drwxr-xr-x   7 root  root    4096 Apr 10 18:49 usr/
drwxr-xr-x   5 root  root    4096 Apr 10 18:49 var/
sandy@ubuntu:~/Desktop/xxx/extundelete-0.2.4$

　　

可以看到删除的文件都被恢复了。

0x05 总结

即便是extundelete这样的神器，也无法做到100%的数据恢复。这一次的经历，算是有惊无险，还好数据恢复了，不然几天的工作就付之东流了。总结一下，重要的数据注意备份，保证自己数据不丢失。如果没有备份再被误删，要是连extundelete这样的工具都无法恢复，那就只能呵呵了。

0x06 参考文章

1. http://extundelete.sourceforge.net/
2. https://unix.stackexchange.com/questions/122305/undelete-a-just-deleted-file-on-ext4-with-extundelete

欢迎加入程序设计交流与分享qq技术交流群：439261058

我的邮箱1215714557@qq.com，欢迎交流指正