Recovering Deleted Files on Linux
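Overview
When a file is deleted with rm on a Linux system and no backup exists, recovering it requires third-party tools (the system's built-in debugfs does not work on ext4 disks).
These tools work by reading the journal; if the journal has been deleted or overwritten, recovery may fail.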
debugfs
debugfs works with ext2/ext3 but not with ext4. It is not covered in detail here.
extundelete
Installation
Ubuntu
apt-get install extundelete
CentOS
yum install extundelete
Check disk information
root@root:/etc/init.d# df -Th
Filesystem Type Size Used Avail Use% Mounted on
udev devtmpfs 484M 4.0K 484M 1% /dev
tmpfs tmpfs 100M 372K 99M 1% /run
/dev/vda1 ext4 40G 9.8G 28G 27% /
none tmpfs 4.0K 0 4.0K 0% /sys/fs/cgroup
none tmpfs 5.0M 0 5.0M 0% /run/lock
none tmpfs 497M 0 497M 0% /run/shm
none tmpfs 100M 0 100M 0% /run/user
Find the inode of the file or directory
root@root:/etc/init.d# ls -id /etc/init.d/
1048838 /etc/init.d/
Check whether files have been deleted under a given inode on a given disk
extundelete /dev/vda1 --inode 1048838
Output:
WARNING: Extended attributes are not restored.
WARNING: EXT3_FEATURE_INCOMPAT_RECOVER is set.
The partition should be unmounted to undelete any files without further data loss.
If the partition is not currently mounted, this message indicates
it was improperly unmounted, and you should run fsck before continuing.
If you decide to continue, extundelete may overwrite some of the deleted
files and make recovering those files impossible. You should unmount the
file system and check it with fsck before using extundelete.
Would you like to continue? (y/n)
y
Loading filesystem metadata ... 320 groups loaded.
Contents of inode 1048838:
Inode is Allocated
Group: 128
File mode: 16877
Low 16 bits of Owner Uid: 0
Size in bytes: 4096
Access time: 1568194275
Creation time: 1568193490
Modification time: 1568193490
Deletion Time: 0
Low 16 bits of Group Id: 0
Links count: 2
Blocks count: 8
File flags: 524288
File version (for NFS): 599029769
File ACL: 0
Directory ACL: 0
Fragment address: 0
Direct blocks: 127754, 4, 0, 0, 1, 4202564, 0, 0, 0, 0, 0, 0
Indirect block: 0
Double indirect block: 0
Triple indirect block: 0
File name | Inode number | Deleted status
Directory block 4202564:
. 1048838
.. 1048577
.legacy-bootordering 1048839
ecs_mq-service 1069072
RECOVERED_FILES 1441808 Deleted
unattended-upgrades 1069084
x11-common 1069363
mysql 1060813 Deleted
redis-server 1063518
php7.2-fpm 1063474
nginx-debug.dpkg-new 1063779 Deleted
nscd.dpkg-new 1061182 Deleted
Restore by inode number
Recovered files are placed in the RECOVERED_FILES directory under the current directory.
root@root:/php# extundelete /dev/vda1 --restore-inode 1060813
Output:
WARNING: Extended attributes are not restored.
WARNING: EXT3_FEATURE_INCOMPAT_RECOVER is set.
The partition should be unmounted to undelete any files without further data loss.
If the partition is not currently mounted, this message indicates
it was improperly unmounted, and you should run fsck before continuing.
If you decide to continue, extundelete may overwrite some of the deleted
files and make recovering those files impossible. You should unmount the
file system and check it with fsck before using extundelete.
Would you like to continue? (y/n)
y
Loading filesystem metadata ... 320 groups loaded.
Loading journal descriptors ... 29796 descriptors loaded.
Restored inode 1060813 to file RECOVERED_FILES/file.1060813
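Added example (not from the original post): the --inode listing above has to be read by eye to find the inode numbers marked Deleted before each --restore-inode call. The sketch below, in POSIX sh with awk, extracts those entries and prints one restore command per inode for review; the function names and the sample listing are constructed for illustration, and the listing layout is assumed to match the output shown above.

```sh
# Read `extundelete <device> --inode N` output on stdin and print
# "inode<TAB>name" for every directory entry flagged "Deleted".
deleted_inodes() {
  awk '
    /^File name *[|]/   { in_list = 1; next }  # header of the directory listing
    !in_list            { next }               # skip warnings and inode details
    /^Directory block / { next }
    NF >= 3 && $NF == "Deleted" && $(NF-1) ~ /^[0-9]+$/ {
      inode = $(NF-1)
      name = $0
      # Strip the trailing "<inode> Deleted" so names containing spaces survive.
      sub(/[ \t]+[0-9]+[ \t]+Deleted[ \t]*$/, "", name)
      sub(/^[ \t]+/, "", name)
      print inode "\t" name
    }'
}

# Print (do not run) one --restore-inode command per deleted entry,
# so the list can be checked before anything touches the disk.
restore_commands() {
  dev=$1
  deleted_inodes | awk -v dev="$dev" '{ print "extundelete " dev " --restore-inode " $1 }'
}

# Constructed sample listing, modelled on the output shown above.
sample_listing() {
  cat <<'EOF'
Loading filesystem metadata ... 320 groups loaded.
Inode is Allocated
File name                                       | Inode number | Deleted status
Directory block 4202564:
.                                                 1048838
..                                                1048577
redis-server                                      1063518
mysql                                             1060813        Deleted
nscd.dpkg-new                                     1061182        Deleted
my old.conf                                       1060999        Deleted
EOF
}

# Usage: sample_listing | restore_commands /dev/vda1
```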
Terminal tools: testdisk and photorec
photorec is a companion program to testdisk; once testdisk is installed, photorec is available as well.
Ubuntu
apt-get install testdisk
CentOS
yum install testdisk
testdisk: "no harddisk found" (Stack Overflow)
Fix: specify the disk explicitly (the same applies to photorec).
testdisk /dev/vda1
Note
testdisk and photorec recover all deleted files. If you only want to recover specific files, extundelete is recommended.
References
https://www.ibm.com/developerworks/cn/linux/1312_caoyq_linuxrestore/index.html
Views: 6,197 · Posted: 2019-09-16