恢复Linux下误删除的文件
创建文件、查看,删除文件
touch
作用:常用来创建空文件
语法: touch 文件名
#touch 1.txt
mkdir
作用:创建目录
语法:mkdir 目录名
例: mkdir /tmp/test
[root@localhost ~]# mkdir -p 1/a/b/c
-p 连同父目录一起创建
cat
作用:查看文件内容
语法:cat 文件名
例:
cat /etc/passwd
复制文件:
cp
作用:复制文件
语法:cp 源文件 目标文件
-r 包含子目录和文件
-a 确保新文件和源文件一致
删除文件和文件夹
rm -rf 文件名或目录名
-r 递归删除(可以删除目录和目录里面的东西)
-f 强行删除
[root@localhost ~]# rm -rf /1/*
[root@localhost ~]# rm -rf /root/passwd
ext4文件系统上删除文件,可以恢复。
Linux文件系统:文件名,inode,block
a.txt -->inode -> block
文件名 存放文件元数据信息 真正存放数据
查看inode信息:
[root@localhost ~]# stat 1.txt
File: `1.txt'
Size: 0 Blocks: 0 IO Block: 4096 regular empty file
Device: 802h/2050d Inode: 440265 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2015-02-03 09:55:07.815574601 +0800
Modify: 2015-02-03 09:55:07.815574601 +0800
Change: 2015-02-03 09:55:07.815574601 +0800
[root@localhost /]# ll /root/1.txt
-rw-r--r-- 1 root root 4 May 8 14:14 /root/a.txt
查看inode号
[root@localhost /]# ls -i /root/a.txt
440380 /root/a.txt
实战:在RHEL6上恢复ext4文件系统
下载extundelete
http://sourceforge.net/ 开源软件发布中心
准备测试分区:
[root@localhost /]# fdisk -cu /dev/sdb #创建一个sda4分区
Device contains neither a valid DOS partition table, nor Sun, SGI or OSF disklabel
Building a new DOS disklabel with disk identifier 0x939f51ba.
Changes will remain in memory only, until you decide to write them.
After that, of course, the previous content won't be recoverable.
Warning: invalid flag 0x0000 of partition table 4 will be corrected by w(rite)
Command (m for help): p #查看现有分区表
Disk /dev/sdb: 21.5 GB, 21474836480 bytes
255 heads, 63 sectors/track, 2610 cylinders, total 41943040 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x939f51ba
Device Boot Start End Blocks Id System
Command (m for help): n #创建一个新分区
Command action
e extended
p primary partition (1-4)
p #创建一个主分区
Selected partition 1
First cylinder (1428-2610, default 1428):
Using default value 1428
Last cylinder, +cylinders or +size{K,M,G} (1428-2610, default 2610): +1G #指定分区大小
Command (m for help): w #保存
The partition table has been altered!
Calling ioctl() to re-read partition table.
WARNING: Re-reading the partition table failed with error 16: Device or resource busy.
The kernel still uses the old table. The new table will be used at
the next reboot or after you run partprobe(8) or kpartx(8)
Syncing disks.
重读分区表:
[root@localhost ~]# partx -a /dev/sdb1
last arg is not the whole disk
call: partx -opts device wholedisk
格式化磁盘:
[root@localhost ~]# mkfs.ext4 /dev/sdb1
mke2fs 1.41.12 (17-May-2010)
文件系统标签=
操作系统:Linux
块大小=4096 (log=2)
分块大小=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
65536 inodes, 262144 blocks
13107 blocks (5.00%) reserved for the super user
第一个数据块=0
Maximum filesystem blocks=268435456
8 block groups
32768 blocks per group, 32768 fragments per group
8192 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840, 229376
正在写入inode表: 完成
Creating journal (8192 blocks): 完成
Writing superblocks and filesystem accounting information: 完成
This filesystem will be automatically checked every 23 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.
[root@localhost /]# mkdir /tmp/sdb1 #创建挂载点
挂载
[root@localhost ~]# mount /dev/sdb1 /tmp/sdb1/
查看挂载情况
[root@localhost ~]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/VolGroup-lv_root 18G 1.5G 15G 10% /
tmpfs 491M 0 491M 0% /dev/shm
/dev/sda1 485M 34M 427M 8% /boot
/dev/sdb1 1008M 34M 924M 4% /tmp/sdb1
复制一些用于测试删除的文件:
[root@localhost ~]# cp /etc/shadow /tmp/sdb1
[root@localhost ~]# cp /etc/resolv.conf /tmp/sdb1/
[root@localhost ~]# echo 123123 >> /tmp/sdb1/123.txt
[root@localhost ~]# mkdir -p /tmp/sdb1/a/b/c
[root@localhost ~]# cp /tmp/sdb1/123.txt /tmp/sdb1/a/
[root@localhost ~]# cp /tmp/sdb1/123.txt /tmp/sdb1/a/b
[root@localhost ~]# touch /tmp/sdb1/a/b/c/ceshi.txt
[root@localhost ~]# mount /dev/cdrom /mnt ##挂载光盘
mount: block device /dev/sr0 is write-protected, mounting read-only
[root@localhost ~]# cat /etc/yum.repos.d/centos.repo ##查看yum源
[local]
name=local
baseurl=file:///mnt
enabled=1
gpgcheck=0
[root@localhost ~]# yum -y install tree ##安装tree命令
[root@localhost ~]# tree /tmp/sdb1/
/tmp/sdb1/
├── 123.txt
├── a
│ ├── 123.txt
│ └── b
│ ├── 123.txt
│ └── c
│ └── ceshi.txt
├── lost+found
├── resolv.conf
└── shadow
4 directories, 6 files
删除文件:
[root@localhost ~]# cd /tmp/sdb1/
[root@localhost sdb1]# ls
123.txt a lost+found resolv.conf shadow
[root@localhost sdb1]# rm -rf a resolv.conf shadow 123.txt
[root@localhost sda4]# ls
lost+found
卸载需要恢复文件的分区:或以只读的方式挂载
[root@localhost sdb1]# cd
[root@localhost ~]# umount /tmp/sdb1/
通过xshll的xftp上传extundelete到linux主机中
解压并安装extundelet
[root@localhost ~]# tar jxvf extundelete-0.2.4.tar.bz2
[root@localhost ~]# cd extundelete-0.2.4
[root@localhost extundelete-0.2.4]# ls
acinclude.m4 config.h.in depcomp Makefile.am README
aclocal.m4 configure install-sh Makefile.in src
autogen.sh configure.ac LICENSE missing
[root@localhost extundelete-0.2.4]# ./configure #检查系统安装环境
Configuring extundelete 0.2.4
configure: error: Can't find ext2fs library
解决方法:
[root@localhost Packages]# rpm -ivh e2fsprogs-libs-1.41.12-18.el6.x86_64.rpm
Preparing... ########################################### [100%]
package e2fsprogs-libs-1.41.12-18.el6.x86_64 is already installed
解决:
[root@localhost Packages]# rpm -ivh e2fsprogs-devel-1.41.12-18.el6.x86_64.rpm
Preparing... ########################################### [100%]
1:e2fsprogs-devel ########################################### [100%]
查看安装后生成的文件:
[root@localhost Packages]#rpm -qpl e2fsprogs-devel-1.41.12-11.el6.x86_64.rpm | more
[root@localhost extundelete-0.2.4]# make -j 4 #编译, 使用4线程同时编译,提升编译速度
make -s all-recursive
Making all in src
extundelete.cc:571: warning: unused parameter ‘flags’
使用top -》 P 查看哪个进程使用CPU最多
[root@localhost extundelete-0.2.4]# make install #安装
Making install in src
/usr/bin/install -c extundelete '/usr/local/bin'
[root@localhost extundelete-0.2.4]# ls /usr/local/bin/extundelete
/usr/local/bin/extundelete
开始恢复:
[root@localhost ~]# umount /tmp/sda4/
[root@localhost ~]# mkdir test #创建一个目录使用于存放恢复的数据
[root@localhost ~]# cd test/
方法1:
通过inode结点查看被删除的文件名字:
[root@localhost ~]# extundelete /dev/sdb1 --inode 2
......
File name | Inode number | Deleted status
. 2
.. 2
lost+found 11
shadow 12 Deleted
resolv.conf 13 Deleted
123.txt 14 Deleted
a 8193 Deleted
[root@localhost test]# extundelete /dev/sdb1 --restore-inode 12
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 9 groups loaded.
Loading journal descriptors ... 63 descriptors loaded.
[root@localhost test]# ls
RECOVERED_FILES
[root@localhost test]# diff /etc/passwd RECOVERED_FILES/file.12 # 没有任何输出,说明一样
方法二,通过文件名恢复
[root@localhost test]# extundelete /dev/sdb1 --restore-file passwd
方法三:恢复某个目录,如目录a下的所有文件:
[root@localhost test]# extundelete /dev/sdb1 --restore-directory a
[root@localhost test]# tree RECOVERED_FILES/a/
RECOVERED_FILES/a/
├── 123.txt
└── b
└── 123.txt
[root@localhost ~]# tree /root/sdb1-back/a/
/root/sdb1-back/a/
├── 123.txt
└── b
├── 123.txt
├── c
└── ceshi.txt
方法四:恢复所有的文件
[root@localhost test]# extundelete /dev/sdb1 --restore-all
[root@localhost test]# tree RECOVERED_FILES/
RECOVERED_FILES/
├── 123.txt
├── a
│ ├── 123.txt
│ └── b
│ └── 123.txt
├── resolv.conf
└── shadow
2 directories, 5 files
extundelete在恢复文件的时候能不能自动创建空文件和目录?
答:不能。
本文转自信自己belive51CTO博客,原文链接:http://blog.51cto.com/11638205/2048299 ,如需转载请自行联系原作者