How to recover deleted files in Linux?

How to recover deleted files in Linux? The following article will introduce to you how to recover deleted files in Linux. It has certain reference value. Friends in need can refer to it. I hope it will be helpful to everyone.

Linux does not have a recycle bin like Windows. Basically, files cannot be retrieved using rm -rf *.

Then the question is:

For files accidentally deleted under Linux, are we really unable to recover them through software?

The answer is of course no. Deleted files can still be recovered through software. Restoration of accidentally deleted files can be divided into two situations:

• One is that deletion information exists in the process after deletion

• The other is deletion In the future, the process cannot be found and can only be restored with the help of tools.

Next, we will use examples to explain two different recovery methods of accidental deletion:

The situation when the process of accidentally deleting a file is still there:

This usually means that an active process has continuous standard input or output. After the file is deleted, the process PID still exists. This is also the reason why some servers delete some files but the disk is not released.

Open a terminal and perform cat append operation on a test file:

[root@docking ~]# echo "This is DeleteFile test." > deletefile.txt
[root@docking ~]# ls
deletefile.txt
[root@docking ~]# cat >> deletefile.txt 
Add SomeLine into deletefile for fun.

Open another terminal to view the file and you can clearly see the content:

[root@docking ~]# ls
deletefile.txt
[root@docking ~]# cat deletefile.txt 
This is DeleteFile test.
Add SomeLine into deletefile for fun.

At this time, delete the file rm -f deletefile.txt

[root@docking ~]# rm -f deletefile.txt 
[root@docking ~]# ls
#命令查看这个目录，文件已经不存在了，那么现在我们将其恢复出来。

• lsof checks whether the deleted file process still exists.

• If it is not installed, please yum install lsof or apt-get install lsof

1. In a similar situation, we can first check with lsof whether the deleted file is still there

[root@docking ~]# lsof | grep deletefile
cat       21796          root    1w      REG              253,1        63     138860 /root/deletefile.txt (deleted)

2. Recoverycp /proc/pid/fd/1 /specified directory/file name

Enter the process directory, usually /proc/pid/fd/, for the current situation:

[root@docking ~]# cd /proc/21796/fd
[root@docking fd]# ll
总用量 0
lrwx------ 1 root root 64 1月  18 22:21 0 -> /dev/pts/0
l-wx------ 1 root root 64 1月  18 22:21 1 -> /root/deletefile.txt (deleted)
lrwx------ 1 root root 64 1月  18 22:21 2 -> /dev/pts/0

Recovery operation:

[root@docking fd]# cp 1 ~/deletefile.txt.backup
[root@docking fd]# cat ~/deletefile.txt.backup 
This is DeleteFile test.
Add SomeLine into deletefile for fun.

3. Recovery is completed.

The accidentally deleted file process no longer exists, use the tool to restore it

Prepare some file directories

#准备一份挂载的盘
mkdir backuptest
cd backuptest
mkdir deletetest
mkdir deletetest/innerfolder
echo "Delete a folder test." > deletetest/innerfolder/deletefile.txt 

echo "tcpdump:x:172:72::/:/sbin/nologin" > tmppasswd

The finally prepared directory structure is as follows:

taroballs@taroballs-PC:/media/taroballs/taroballs/backuptest$ cd ..
taroballs@taroballs-PC:/media/taroballs/taroballs$ tree backuptest/
backuptest/
├── deletetest
│   └── innerfolder
│       └── deletefile.txt
└── tmppasswd

2 directories, 2 files

Now start deleting the directoryrm -rf backuptest/

taroballs@taroballs-PC:/media/taroballs/taroballs$ rm -rf backuptest/
taroballs@taroballs-PC:/media/taroballs/taroballs$  ls  -l
总用量 0

In this case, there is usually no daemon or background process continues to input it, so the deletion is really deleted. lsof can't see it either, so you need to use tools to restore it.

Now start recovering accidentally deleted files.

The tool we use is extundelete third-party tool. The recovery steps and precautions are as follows:

• Stop doing any operations on the current partition to prevent the inode from being overwritten. If the inode is overwritten, it will basically be restored.

• To exaggerate, for example, stop the service of the partition where it is located, uninstall the device where the directory is located, and disconnect the network if necessary.

• Use the dd command to back up the current partition to prevent data loss caused by third-party software recovery failure.

• Suitable for situations where the data is very important. Here is an example, so there is no backup. For backup, you can consider the following method: dd if=/path/filename of=/dev/vdc1

• Use the umount command to unmount the current device partition. Or use the fuser command umount /dev/vdb1

• If it prompts that the device is busy, you can use the fuser command to force the uninstall: fuser -m -v -i -k ./

• Download the third-party tool extundelete installation, search for accidentally deleted files and restore them

extundelete tool installation

extundelete download address: http://extundelete.sourceforge.net/

wget https://nchc.dl.sourceforge.net/project/extundelete/extundelete/0.2.4/extundelete-0.2.4.tar.bz2

Extract the filetar jxvf extundelete-0.2.4.tar.bz2

If this error is reported

[root@docking ~]# tar jxvf extundelete-0.2.4.tar.bz2 
tar (child): bzip2：无法 exec: 没有那个文件或目录
tar (child): Error is not recoverable: exiting now
tar: Child returned status 2
tar: Error is not recoverable: exiting now

Use yum -y install bzip2 to solve the problem

[root@docking ~]# tar jxvf extundelete-0.2.4.tar.bz2 
extundelete-0.2.4/
extundelete-0.2.4/acinclude.m4
extundelete-0.2.4/missing
extundelete-0.2.4/autogen.sh
extundelete-0.2.4/aclocal.m4
extundelete-0.2.4/configure
extundelete-0.2.4/LICENSE
extundelete-0.2.4/README
...................................................

cd  extundelete-0.2.4
./configure

If an error is reported in this step

[root@docking extundelete-0.2.4]# ./configure 
Configuring extundelete 0.2.4
configure: error: in `/root/extundelete-0.2.4':
configure: error: C++ compiler cannot create executables
See `config.log' for more details

Use yum -y install gcc-c Solution.

If you still get an error after executing the previous step,

[root@docking extundelete-0.2.4]# ./configure 
Configuring extundelete 0.2.4
configure: error: Can't find ext2fs library

then use yum -y install e2fsprogs e2fsprogs-devel to solve it.
#The solution for Ubuntu is sudo apt-get install e2fslibs-dev e2fslibs-dev

If nothing unexpected happens, configure should be able to complete successfully here.

[root@docking extundelete-0.2.4]# ./configure 
Configuring extundelete 0.2.4
Writing generated files to disk
[root@docking extundelete-0.2.4]#

FinallymakeThen make install

[root@docking extundelete-0.2.4]# make
make -s all-recursive
Making all in src
extundelete.cc: 在函数‘ext2_ino_t find_inode(ext2_filsys, ext2_filsys, ext2_inode*, std::string, int)’中:
extundelete.cc:1272:29: 警告：在 {} 内将‘search_flags’从‘int’转换为较窄的类型‘ext2_ino_t {aka unsigned int}’ [-Wnarrowing]
    buf, match_name2, priv, 0};
                             ^
[root@docking extundelete-0.2.4]# make install
Making install in src
  /usr/bin/install -c extundelete '/usr/local/bin'

extundelete installation is completed.

Scan for accidentally deleted files:

Use df -lh to view the mount:

taroballs@taroballs-PC:~$ df -lh
文件系统        容量  已用  可用 已用% 挂载点
udev            1.9G     0  1.9G    0% /dev
tmpfs           387M  1.8M  385M    1% /run
/dev/sda2        92G   61G   26G   71% /
tmpfs           1.9G   49M  1.9G    3% /dev/shm
tmpfs           5.0M  4.0K  5.0M    1% /run/lock
tmpfs           1.9G     0  1.9G    0% /sys/fs/cgroup
/dev/sda3       104G   56G   44G   57% /home
tmpfs           387M   40K  387M    1% /run/user/1000
/dev/sda4        70G   20G   47G   30% /media/taroballs/d8423f8c-d687-4c03-a7c8-06a7fb57f96d
/dev/sdb1       6.8G  4.1G  2.8G   60% /media/taroballs/taroballs
/dev/sr0        4.0G  4.0G     0  100% /media/taroballs/2018-01-16-12-36-00-00
taroballs@taroballs-PC:~$ cd /media/taroballs/taroballs/
taroballs@taroballs-PC:/media/taroballs/taroballs$

You can see that our directory /media/taroballs/taroballs

is mounted to /dev/sdb1 In this file system.

umount our mounting disk

For example:

taroballs@taroballs-PC:~$ df -lh | grep /dev/sdb1
/dev/sdb1       6.8G  4.1G  2.8G   60% /media/taroballs/taroballs

umount this directory

taroballs@taroballs-PC:~$ umount /media/taroballs/taroballs
taroballs@taroballs-PC:~$ df -lh | grep /dev/sdb1
taroballs@taroballs-PC:~$ 
#记得删除一定要后umount哦，不然二次写入谁也帮不了你呢。

Restore through inode node

taroballs@taroballs-PC:~$ mkdir recovertest
taroballs@taroballs-PC:~$ cd recovertest/
taroballs@taroballs-PC:~/recovertest$

Perform recoveryextundelete /dev/sdb1 --inode 2

taroballs@taroballs-PC:/media/taroballs/taroballs$ sudo extundelete /dev/sdb1 --inode 2
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 8 groups loaded.
Group: 0
Contents of inode 2:
 
.
.省略N行
 
File name                                       | Inode number | Deleted status
.                                                 2
..                                                2
deletetest                                        12             Deleted
tmppasswd                                            14             Deleted

The folder we deleted was discovered through scanning, now Perform recovery operations.

(1) Recover a single file tmppasswd

taroballs@taroballs-PC:~/recovertest$  extundelete /dev/sdb1 --restore-file passwd   
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 8 groups loaded.
Loading journal descriptors ... 46 descriptors loaded.
Successfully restored file tmppasswd

The recovered file is placed in the current directory RECOVERED_FILES.

View the recovered files:

taroballs@taroballs-PC:~/recovertest$ cat tmppasswd 
tcpdump:x:172:72::/:/sbin/nologin

(2) Restore directory deletetest

extundelete /dev/sdb1 --restore-directory  deletetest
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 8 groups loaded.
Loading journal descriptors ... 46 descriptors loaded.
Searching for recoverable inodes in directory deletetest ... 
5 recoverable inodes found.
Looking through the directory structure for deleted files ...

(3) Restore all

taroballs@taroballs-PC:~/recovertest$ extundelete /dev/sdb1 --restore-all
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 8 groups loaded.
Loading journal descriptors ... 46 descriptors loaded.
Searching for recoverable inodes in directory / ... 
5 recoverable inodes found.
Looking through the directory structure for deleted files ... 
0 recoverable inodes still lost. 
taroballs@taroballs-PC:~/recovertest$ tree 
backuptest/
├── deletetest
│   └── innerfolder
│       └── deletefile.txt
└── tmppasswd
2 directories, 2 files

(4) Restore specified inode

taroballs@taroballs-PC:~/recovertest$ extundelete /dev/sdb1 --restore-inode 14
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 8 groups loaded.
Loading journal descriptors ... 46 descriptors loaded.
taroballs@taroballs-PC:~/recovertest$ cat file.14 
tcpdump:x:172:72::/:/sbin/nologin
#注意恢复inode的时候，恢复 出来的文件名和之前不一样，需要单独进行改名。

Finally attached is the usage of extundelete:

$ extundelete --help
Usage: extundelete [options] [--] device-file
Options:
  --version, -[vV]       Print version and exit successfully.
  --help,                Print this help and exit successfully.
  --superblock           Print contents of superblock in addition to the rest.
                         If no action is specified then this option is implied.
  --journal              Show content of journal.
  --after dtime          Only process entries deleted on or after 'dtime'.
  --before dtime         Only process entries deleted before 'dtime'.Actions:
  --inode ino            Show info on inode 'ino'.
  --block blk            Show info on block 'blk'.
  --restore-inode ino[,ino,...]
                         Restore the file(s) with known inode number 'ino'.
                         The restored files are created in ./RECOVERED_FILES                         with their inode number as extension (ie, file.12345).
  --restore-file 'path'  Will restore file 'path'. 'path' is relative to root
                         of the partition and does not start with a '/'
                         The restored file is created in the current
                         directory as 'RECOVERED_FILES/path'.
  --restore-files 'path' Will restore files which are listed in the file 'path'.
                         Each filename should be in the same format as an option
                         to --restore-file, and there should be one per line.
  --restore-directory 'path'
                         Will restore directory 'path'. 'path' is relative to the
                         root directory of the file system.  The restored
                         directory is created in the output directory as 'path'.
  --restore-all          Attempts to restore everything.
  -j journal             Reads an external journal from the named file.
  -b blocknumber         Uses the backup superblock at blocknumber when opening
                         the file system.
  -B blocksize           Uses blocksize as the block size when opening the file
                         system.  The number should be the number of bytes.
  --log 0                Make the program silent.
  --log filename         Logs all messages to filename.--log D1=0,D2=filename   Custom control of log messages with comma-separated
   Examples below:       list of options.  Dn must be one of info, warn, or   --log info,error      error.  Omission of the '=name' results in messages   --log warn=0          with the specified level to be logged to the console.
   --log error=filename  If the parameter is '=0', logging for the specified
                         level will be turned off.  If the parameter is
                         '=filename', messages with that level will be written
                         to filename.
   -o directory          Save the recovered files to the named directory.
                         The restored files are created in a directory
                         named 'RECOVERED_FILES/' by default.

推荐：《linux教程》

The above is the detailed content of How to recover deleted files in Linux?. For more information, please follow other related articles on the PHP Chinese website!