ext4、ext3、xfs文件系統數據恢復教程
一、文件刪除原理
在ext3/4文件系統中,inode索引節點除了存放文件屬性還指向文件的block節點,是書的目錄,block存放文件的實際數據,是書的每一頁,文件的上級目錄的block存放的是文件名及其inode節點編號,刪除文件實際上是刪除文件名和inode節點編號的關聯以及inode節點內的指針信息,那麽實際上,文件的block還在,加上ext3/4文件系統是日誌文件系統,格式化時會分配一個固定大小的空間的日誌文件journal,它記錄創建和刪除文件的記錄,當刪除一個文件,操作系統首先把文件inode信息和文件名稱寫入到journal,然後刪除文件並清空inode原始數據指針。
二、有兩種情況無法恢復
1)當新的數據寫入到被刪除文件占用的block後,原來的inode號就指向新的數據,那麽這樣是無法找回的。
2)當journal日誌文件存滿之後,會釋放前面的空間,循環使用,存放最新的記錄,如果刪除文件的記錄被覆蓋,是恢復不了的。
三、恢復文件的原理
根據journal日誌文件殘留inode的信息,定位到相關目錄,恢復殘留inode對應的block。但日誌文件恢復只適合小數據量的恢復,因為journal的空間有限,存放不了太多記錄。對於大文件如oracle等數據庫文件恢復采用逆向推算和數據文件本身特點來提取。
一、恢復ext4分區誤刪數據(親自測試過,正常)
1、同步服務器時間。
[root@localhost ~]#yum install -y rdate [root@localhost ~]#rdate -s time-b.nist.gov [root@localhost ~]#clock -w
2、安裝extundelete工具。
[root@localhost ~]#yum -y install e2fsprogs* gcc gcc-c++ gcc-g77 [root@localhost ~]#wget http://nchc.dl.sourceforge.net/project/extundelete/extundelete/0.2.4/extundelete-0.2.4.tar.bz2 [root@localhost ~]#tar -jxvf extundelete-0.2.4.tar.bz2 [root@localhost ~]#cd extundelete-0.2.4 [root@localhost ~]#./configure --prefix=/usr/local/extundelete [root@localhost ~]#make && make install [root@localhost ~]#/usr/local/extundelete/bin/extundelete --help
3、模擬誤刪除數據
[root@localhost ~]# rm -rf /home/netdisk 誤刪除
4、建議先停止一些頻繁讀寫磁盤的服務。
[root@localhost ~]# for i in `chkconfig --list |grep kkmail|awk '{print $1}'`;do /etc/init.d/$i stop;done
5、恢復操作。
(1)卸載/home分區
[root@localhost ~]# fuser -k /home [root@localhost ~]# umount /home/
(2)使用extundelete查看分區上存在的文件,如下:--inode 為查找某i節點中的內容,使用2則說明為搜索,如果需要進入目錄搜索,只須要指定目錄I節點即可
[root@localhost ~]# /usr/local/extundelete/bin/extundelete --inode 2 /dev/mapper/VolGroup-lv_home NOTICE: Extended attributes are not restored. Loading filesystem metadata ... 45 groups loaded. Group: 0 Contents of inode 2: 0000 | ed 41 00 00 00 10 00 00 d5 21 9e 5a 3f 24 9e 5a | .A.......!.Z?$.Z 0010 | 3f 24 9e 5a 00 00 00 00 00 00 03 00 08 00 00 00 | ?$.Z............ 0020 | 00 00 00 00 02 00 00 00 68 21 00 00 00 00 00 00 | ........h!...... 0030 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 0040 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 0050 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 0060 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 0070 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 0080 | 1c 00 00 00 64 61 01 9b 64 61 01 9b 68 7f 3e 58 | ....da..da..h.>X 0090 | 38 15 9e 5a 00 00 00 00 00 00 00 00 00 00 02 ea | 8..Z............ 00a0 | 07 06 3c 00 00 00 00 00 21 00 00 00 00 00 00 00 | ..<.....!....... 00b0 | 73 65 6c 69 6e 75 78 00 00 00 00 00 00 00 00 00 | selinux......... 00c0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 00d0 | 00 00 00 00 00 00 00 00 00 00 00 00 73 79 73 74 | ............syst 00e0 | 65 6d 5f 75 3a 6f 62 6a 65 63 74 5f 72 3a 68 6f | em_u:object_r:ho 00f0 | 6d 65 5f 72 6f 6f 74 5f 74 3a 73 30 00 00 00 00 | me_root_t:s0.... Inode is Allocated File mode: 16877 Low 16 bits of Owner Uid: 0 Size in bytes: 4096 Access time: 1520312789 Creation time: 1520313407 Modification time: 1520313407 Deletion Time: 0 Low 16 bits of Group Id: 0 Links count: 3 Blocks count: 8 File flags: 0 File version (for NFS): 0 File ACL: 0 Directory ACL: 0 Fragment address: 0 Direct blocks: 8552, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 Indirect block: 0 Double indirect block: 0 Triple indirect block: 0 File name | Inode number | Deleted status . 2 .. 2 lost+found 11 netdisk 130561 Deleted
備註:註意看Deleted。
(3)恢復數據
[root@localhost ~]# /usr/local/extundelete/bin/extundelete --restore-all /dev/mapper/VolGroup-lv_home # --restore-all是全部恢復 ,默認全將恢復出來的文件放在當前路徑 RECOVERED_FILES/ 目錄下,文件名為 file.I節點號 [root@localhost ~]# /usr/local/extundelete/bin/extundelete --restore-file 文件名 /dev/mapper/VolGroup-lv_home [root@localhost ~]# /usr/local/extundelete/bin/extundelete --restore-inode 12 /dev/mapper/VolGroup-lv_home
備註:恢復指定的時間點後被刪文件
1).指定一個時間點
# date -d "Sep 4 03:09:13 2013" +%s
------------------
1378235353
------------------
2).恢復這個時間點後的文件
# /usr/local/extundelete/bin/extundelete --restore-all --after “1378235353” /dev/mapper/VolGroup-lv_home
--------------------
..........
--------------------
註:如果要恢之前的就用before參數。extundelete命令與after結合使用,在進行恢復時非常有用,可以過濾掉那太舊的文件,減小恢復壓力。
6、重新掛載/home分區,並恢復數據,啟動服務。
備註:還有這個恢復工具ext4magic也可以。
官方這樣描述,如果您已經在ext4的文件系統中刪除了文件,選extundelete是一個不錯的選擇,它能夠恢復已刪除文件的文件名及內容.
二、恢復ext3分區誤刪數據(沒測試過,網上教程)
上面介紹的是在ext4文件格式下的文件刪除後的恢復,那如果是ext3文件格式下的文件刪除後想恢復,怎麽辦呢?
可以使用debugfs工具,這是linux系統自帶工具,debugfs恢復Ext3的文件系統中被rm、rm -f 掉的文件。
[root@slave-node ~]# df -T Filesystem Type 1K-blocks Used Available Use% Mounted on /dev/sda3 ext3 151189708 2370036 141139672 2% / tmpfs tmpfs 32960412 0 32960412 0% /dev/shm /dev/sda1 ext3 198337 26798 161299 15% /boot
創建一個文件
[root@slave-node ~]# mkdir test [root@slave-node ~]# echo "123456" > /root/test/test.file
刪除文件
[root@slave-node ~]# rm -rf /root/test/test.file
接著運用系統自帶工具debugfs來恢復已刪除的文件
首先打開,剛剛被刪除文件所在的分區
註意上面顯示的有<>尖括號內的數字就是我們要找的文件Inode號,執行logdump –i <8654024>
[root@slave-node ~]# debugfs debugfs 1.41.12 (17-May-2010) debugfs: open /dev/sda3 debugfs: ls -d /root/test 8654023 (12) . 8519681 (4084) .. <8654024> (4072) test.file debugfs: logdump -i 8654024 FS block 1006 logged at sequence 404351, journal block 7241 (inode block for inode 15): Inode: 15 Type: regular Mode: 0664 Flags: 0×0 Generation: 0 User: 0 Group: 0 Size: 20 File ACL: 0 Directory ACL: 0 Links: 1 Blockcount: 8 Fragment: Address: 0 Number: 0 Size: 0 ctime: 0×48159f2d — Mon Apr 28 15:25:57 2008 atime: 0×48159f27 — Mon Apr 28 15:25:51 2008 mtime: 0×4806f070 — Thu Apr 17 12:08:40 2008 Blocks: (0+1): 102348 No magic number at block 7247: end of journal.
執行完命令後,顯示了一屏信息,需要註意的是下面Blocks這一行後面的值(如上信息,需要記住Blocks這一行後面的數字102348)
輸入quit,退出debugfs
debugfs: quit
[root@slave-node ~]#
執行如下命令進行恢復:
[root@slave-node ~]# dd if=/dev/sda3 of=/tmp/test.file.bk bs=4096 count=1 skip=102348 1+0 records in 1+0 records out 4096 bytes (4.1 kB) copied, 0.0110028 s, 372 kB/s
最後查看tmp目錄下,發現已經恢復了我們之前刪除的文件內容
[root@slave-node ~]# cd /tmp/ [root@slave-node tmp]# cat test.file.bk [root@slave-node tmp]# mv test.file.bk /root/test.file [root@slave-node tmp]# cat /root/test.file 123456
備註:還有這個恢復工具ext3grep。
如果是在ext3的文件系統中刪除了文件,extundelete和ext3grep比較仍然有一些優點,extundelete分析日誌文件後,能夠立即恢復一個文件,ext3grep分析整個硬盤才開始恢復硬盤中的文件,ext3grep方法是是有效的從一個小分區恢復多個文件,所以相比而言,如果需要從一個大的分區中恢復文件,extundelete要快些.
三、恢復xfs分區誤刪數據
xfs用xfs_irecover工具恢復。
http://www.ufsexplorer.com/rdr_xfs.php
以下摘自官網。
------------------------------------------------------------
Q: Does the filesystem have an undelete capability?
There is no undelete in XFS.
However, if an inode is unlinked but neither it nor its associated data blocks get immediately re-used and overwritten, there is some small chance to recover the file from the disk.
photorec, xfs_irecover or xfsr are some tools which attempt to do this, with varying success.
There are also commercial data recovery services and closed source software like Raise Data Recovery for XFS which claims to recover data, although this has not been tested by the XFS developers.
As always, the best advice is to keep good backups.
------------------------------------------------------------
ext4、ext3、xfs文件系統數據恢復教程