The use of several common data recovery tools under Linux systems

As an operation and maintenance personnel, it is the fundamental responsibility to ensure the security of datalinux file recovery tool, so when maintaining the system, you must be cautious, and sometimes it is inevitable that data will be accidentally deleted If the data is lost, how can you quickly and effectively recover data at this time? In this article, we will introduce several commonly used data recovery tools under Linux systems.

1. How to use the “rm-rf” command

Under the Linux system, any data can be deleted directly from the hard disk through the command "rm-rf" without any prompts. At the same time, there is no similar function to the recycle bin under Windows, which means, It is difficult to recover data after deletion through conventional means, so use this command with special caution. When using the rm command for a Linux virtual host, a safer way is to put the command parameters in front, which will serve as a reminder. Although there is another way, that is, use the mv command to connect the things that are about to be deleted to the /tmp directory under the system, and then write a script to perform cleanup operations regularly. This can reduce the risk of deleting data to a certain extent. .

Although the best way to ensure data security is to make backups, although backups are not omnipotentLinux file recovery tools, and it is impossible to do without backups. Any data recovery tool has certain limitations and cannot guarantee the complete recovery of all data. Therefore, taking backup as the core and using data recovery tools as an auxiliary is a principle that operation and maintenance personnel must adhere to.

2. Advantages and disadvantages of extundelete and ext3grep

Under Linux, there are many open source data recovery tools. Common ones include debugfs, R-Linux, ext3grep, extundelete, etc. The more commonly used ones are ext3grep and extundelete. The recovery principles of these two tools are basically the same, except extundelete. The function is even greater. This article focuses on the use of extundelete.

3. Recovery principle of extundelete

Before introducing the use of extundelete to recover data, let’s briefly introduce the knowledge about inode. Under Linux, you can use the "ls–id" command to view the inode value of a file or directory. For example, to view the inode value of the root directory, you can enter:

[root@cloud1~]#ls-id/

2/

It can be seen that the inode value of the root directory is 2.

When recovering files with extundelete, it does not rely on a specific file format. First, extundelete will obtain information about all files in the current file system through the inode information of the file system (the inode of the root directory is usually 2), including existing and existing files. Deleted files, this information includes file name and inode. Then use the inode information combined with the log to query the block location where the inode is located, including direct block red flag linux system download, indirect block and other information. Finally, use the dd command to back up this information and restore the data file.

4. Install extundelete

The official website of extundelete is /zixunimg/eepwimg//, and its current stable version is extundelete-0.2.4. , before installing extundelete, you need to install two dependency packages, e2fsprogs and e2fsprogs-libs.

The installation of e2fsprogs and e2fsprogs-libs is very simple and will not be introduced here. The following is the compilation and installation process of extundelete:

[root@cloud1app]#tarjxvfextundelete-0.2.4.tar.bz2

[root@cloud1app]#cdextundelete-0.2.4

[[email protected]]#./configure

[[email protected]]#make

[[email protected]]#makeinstall

After successfully installing extundelete, an extundelete executable file will be generated in the system. The use of extundelete is very simple. Readers can get how to use this software through "extundelete --help".

5. Interpretation of extundelete usage

After the installation of extundelete is completed, you can perform data recovery operations. This section introduces in detail the meaning of each parameter of extundelete. The usage of extundelete is as follows:

extundelete--help

Command format:

extundelete[options][action]device-file

The parameters (options) are:

--version,-[vV], displays the software version number.

--help, displays software help information.

--superblock, displays superblock information.

--journal, display log information.

--afterdtime, time parameter, indicates files or directories that were deleted after a certain period of time.

--beforedtime, time parameter, indicating files or directories that were deleted before a certain period of time.

Actions include:

--inodeino, displays the information of node "ino".

--blockblk, displays the information of data block "blk".

--restore-inodeino[,ino,...], restore command parameters, indicating to restore the files of node "ino". The restored files will be manually placed in the RESTORED_FILES folder in the current directory, using the node number as extension.

--restore-file'path', restore command parameter, means that the file in the specified path will be restored and the restored file will be placed in the RECOVERED_FILES directory in the current directory.

--restore-files'path', restore command parameter, means that all files listed in the path will be restored.

--restore-all, restore command parameter, indicates that all directories and files will be attempted to be restored.

-jjournal, means reading the extended log from the already named file.

-bblocknumber means using the previously backed up super block to open the file system. It is usually used to check whether the existing super block is the currently required file.

-Bblocksize, means using the data block size to open the file system, usually used to view files whose size is already known.

6. Practical combat: Extundelete data recovery process

After the data is accidentally deleted, the first thing to do is to uninstall the c drive or c drive partition where the deleted data is located. If the data in the system root partition is accidentally deleted, you need to enter the system. Single user, but mount the root partition in read-only mode. The reason for this is very simple, because after deleting the file, only the track pointer in the inode node of the file is cleared, and the actual file is still stored on the c drive. If the c drive is mounted in read-write mode, this The data blocks of deleted files may be reallocated by the operating system. After these data blocks are overwritten by new data, the data is really lost, and recovery tools are unable to recover. Therefore, mounting the c drive in read-only mode can minimize the risk of data being overwritten in data blocks and increase the success rate of data recovery.

6.1 Restore a single file through extundelete

1. Simulation data accidentally deleted environment

Before demonstrating data recovery through extundelete, we must first simulate an accidental data deletion environment. Here we take the ext3 file system as an example. The recovery method under the ext4 file system is exactly the same. The simple simulation operation process is as follows:

[root@cloud1~]#mkdir/data

[root@cloud1~]#mkfs.ext3/dev/sdc1

[root@cloud1~]#mount/dev/sdc1/data

[root@cloud1~]#cp/etc/passwd/data

[root@cloud1~]#cp-r/app/ganglia-3.4.0/data

The above is the detailed content of The use of several common data recovery tools under Linux systems. For more information, please follow other related articles on the PHP Chinese website!