solution: restore deleted file in linux

by Posted on

1. background

emergency, some signficant data deleted by mistake, besides there is no backup.

the path of data is /data/webapps/xxxx/upload. It’s very urgent and I have no

data recovery experience in linux platform. but after searching my meterials and

perform many test, most of lost files had been recovery.

2. install data recovery tool by yum.

(1) install epel repository

yum install epel -y

(2) install extundelete -y

extundelete -v

extudelete_version

3. install data recovery tool by source code.

yum -y install bzip2 e2fsprogs-devel e2fsprogs gcc-c++ make

wget http://zy-res.oss-cn-hangzhou.aliyuncs.com/server/extundelete-0.2.4.tar.bz2

tar jxvf extundelete-0.2.4.tar.bz2

cd extundelete-0.2.4

./configure

make && make install

 

4. check data which is deleted by mistake

As path of missing data is a little deep, so I need look for the date from root dictionary.

partition

extundelete /dev/sda2 –inode 2

check_delete1

check_delete2

check_delete3

I can seen the inode of webapps,

extundelete /dev/sda2 –inode 913921

check_delete4

I can seen the inode of this project,

extundelete /dev/sda2 –inode 913922

check_delete5

Finally, I had found the missing data dictionary “upload”.

extundelete /dev/sda2 –inode 913923

check_delete6

we can see the missing data which were marked by “deleted”,so those data need to

be recovered.

 

5.  kill some process tree which use this partition and umount

fuser -k /
umount /

6、data recovery

I can recover dictionary which is specified. set path based on current root partition.

extundelete /dev/sda2 –restore-directory /webapps/xxxx/upload

 

As there exist read and write to disk all the time, so some inode which belong to the missing

data had already been alocated,which lead to some data can’t be recoved. The recover tool

told me which file can’t be recovered. but most of files had beenrecovered.

So I checked the recovered data. one folder named RECOVERED_FILES had generated in

current dictionary. The recoverd data in named RECOVERED_FILES.

You can excute the following command if there is a need that all missing data will be recovered.

extundelete /dev/sda5 –restore-all

the option of extundelete

Options:

–version, -[vV] Print version and exit successfully.

–help, Print this help and exit successfully.

–superblock Print contents of superblock in addition to the rest.

If no action is specified then this option is implied.

–journal Show content of journal.

–after dtime Only process entries deleted on or after ‘dtime’.

–before dtime Only process entries deleted before ‘dtime’.

Actions:

–inode ino Show info on inode ‘ino’.

–block blk Show info on block ‘blk’.

–restore-inode ino[,ino,…]

Restore the file(s) with known inode number ‘ino’.

The restored files are created in ./RECOVERED_FILES

with their inode number as extension (ie, file.12345).

–restore-file ‘path’ Will restore file ‘path’. ‘path’ is relative to root

of the partition and does not start with a ‘/’

The restored file is created in the current

directory as ‘RECOVERED_FILES/path’.

–restore-files ‘path’ Will restore files which are listed in the file ‘path’.

Each filename should be in the same format as an option

to –restore-file, and there should be one per line.

–restore-directory ‘path’

Will restore directory ‘path’. ‘path’ is relative to the

root directory of the file system. The restored

directory is created in the output directory as ‘path’.

–restore-all Attempts to restore everything.

-j journal Reads an external journal from the named file.

-b blocknumber Uses the backup superblock at blocknumber when opening

the file system.

-B blocksize Uses blocksize as the block size when opening the file

system. The number should be the number of bytes.

–log 0 Make the program silent.

–log filename Logs all messages to filename.

–log D1=0,D2=filename Custom control of log messages with comma-separated

Examples below: list of options. Dn must be one of info, warn, or

–log info,error error. Omission of the ‘=name’ results in messages

–log warn=0 with the specified level to be logged to the console.

–log error=filename If the parameter is ‘=0’, logging for the specified

level will be turned off. If the parameter is

‘=filename’, messages with that level will be written to filename.

-o directory Save the recovered files to the named directory.

The restored files are created in a directory

named ‘RECOVERED_FILES/’ by default.

 

The first thing is to umount disk or partition on which the deleted data resides after the data deleted.

Reason: If the root partition encounterd deleted, you must enter single user mode, and then mount this

partition in read only mode. because system just delete pointer of inode of the fle, the real file still in disk.

Those deleted data block will be realocated by file system if disk is mounted by read-write mode, and the

data will lost really if data blocks had been coveraged.

 

Donate

Published by byron

Leave a Reply