阅读建议

你可能感兴趣的关键词：Linux、rm -rf、extundelete、文件恢复

阅读时长：5分钟

建议阅读方式：收藏+动手实验

前言

被布置了几个写linux内核设备驱动的作业，周末断断续续写了两天，也付出了不少精力。当我想在Makefile里面的clean多写点东西，把该删除的都删除了，想删除一个.mod.c的文件，一不小心直接写了个*.c，结果把.c文件也匹配到，一起删了……：

clean:$(shell rm -f *.bak *o *.ko *.c *.order *.symvers)

呆呆地望着剩下的Makefile，欲哭无泪……

于是赶紧查了查有没有补救方案，果然查到了extundelete这款软件可以恢复，尝试了一下，成功了。

一、使用条件

extundelete只适用于ext3、ext4文件系统，vmware虚拟机的硬盘大多都挂在/dev/sda1上，ubuntu常用的都是ext4。

你可以通过以下命令查看操作系统和linux版本：

uname -aLinux ubuntu 3.16.0-30-generic #40~14.04.1-Ubuntu SMP Thu Jan 15 17:43:14 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

上面的信息表明这是一个ubuntu系统。

你可以通过以下命令查看分区格式：

df -hTFilesystem Type Size Used Avail Use% Mounted on/dev/sda1 ext4 46G 13G 31G 30% /none tmpfs 4.0K 0 4.0K 0% /sys/fs/cgroupudev devtmpfs 2.0G 4.0K 2.0G 1% /devtmpfs tmpfs 395M 3.5M 392M 1% /runnone tmpfs 5.0M 0 5.0M 0% /run/locknone tmpfs 2.0G 152K 2.0G 1% /run/shmnone tmpfs 100M 60K 100M 1% /run/user

上面的信息表明/dev/sda1硬盘是ext4格式的。

二、安装过程

1、下载extundelete

可以从extundelete官网（http://extundelete.sourceforge.net/）的Download the latest version中的链接进行下载。

extundelete官网下载页面

2、安装——configure

sudo ./configure

这里configure可能会遇到问题：

Configuring extundelete 0.2.4 configure: error: Can't find ext2fs library

说是找不到ext2fs库，解决办法是：

sudo apt-get install e2fslibs-dev e2fslibs-dev

再配置就不会有问题了，就会提示成功：

Configuring extundelete 0.2.4Writing generated files to disk

3、安装——make

sudo make && make install

注意一定要用root权限，否则安装出错。

可能会提示警告信息，不过可以无视它：

make -s all-recursiveMaking all in srcextundelete.cc: In function ‘ext2_ino_t find_inode(ext2_filsys, ext2_filsys, ext2_inode*, std::string, int)’:extundelete.cc:1272:29: warning: narrowing conversion of ‘search_flags’ from ‘int’ to ‘ext2_ino_t {aka unsigned int}’ inside { } [-Wnarrowing] buf, match_name2, priv, 0}; ^

4、检查是否安装成功

sudo extundelete --help

会出现帮助信息：

Usage: extundelete [options] [--] device-fileOptions: --version, -[vV] Print version and exit successfully. --help, Print this help and exit successfully. --superblock Print contents of superblock in addition to the rest. If no action is specified then this option is implied. --journal Show content of journal. --after dtime Only process entries deleted on or after 'dtime'. --before dtime Only process entries deleted before 'dtime'.Actions: --inode ino Show info on inode 'ino'. --block blk Show info on block 'blk'. --restore-inode ino[,ino,...] Restore the file(s) with known inode number 'ino'. The restored files are created in ./RECOVERED_FILES with their inode number as extension (ie, file.12345). --restore-file 'path' Will restore file 'path'. 'path' is relative to root of the partition and does not start with a '/' The restored file is created in the current directory as 'RECOVERED_FILES/path'. --restore-files 'path' Will restore files which are listed in the file 'path'. Each filename should be in the same format as an option to --restore-file, and there should be one per line. --restore-directory 'path' Will restore directory 'path'. 'path' is relative to the root directory of the file system. The restored directory is created in the output directory as 'path'. --restore-all Attempts to restore everything. -j journal Reads an external journal from the named file. -b blocknumber Uses the backup superblock at blocknumber when opening the file system. -B blocksize Uses blocksize as the block size when opening the file system. The number should be the number of bytes. --log 0 Make the program silent. --log filename Logs all messages to filename.--log D1=0,D2=filename Custom control of log messages with comma-separated Examples below: list of options. Dn must be one of info, warn, or --log info,error error. Omission of the '=name' results in messages --log warn=0 with the specified level to be logged to the console. --log error=filename If the parameter is '=0', logging for the specified level will be turned off. If the parameter is '=filename', messages with that level will be written to filename. -o directory Save the recovered files to the named directory. The restored files are created in a directory named 'RECOVERED_FILES/' by default.

三、恢复文件过程

1、找到删除的那个文件的Inode编号

列出/dev/sda1硬盘上的根节点inode信息：

sudo extundelete --inode 2 /dev/sda1

可能会提示你警告信息，可以无视，输入y就行了：

NOTICE: Extended attributes are not restored.WARNING: EXT3_FEATURE_INCOMPAT_RECOVER is set.The partition should be unmounted to undelete any files without further data loss.If the partition is not currently mounted, this message indicates it was improperly unmounted, and you should run fsck before continuing.If you decide to continue, extundelete may overwrite some of the deletedfiles and make recovering those files impossible. You should unmount thefile system and check it with fsck before using extundelete.Would you like to continue? (y/n)y

得到的结果：

我的文件在home，进入home，home的inode编号为1703937，继续搜索：

sudo extundelete --inode 1703937 /dev/sda1

得到的结果：

就这样一直搜索下去，直到找到删除的文件：

我希望恢复那个c文件，编号是2247885，用小本本记下来。

2、恢复文件

sudo extundelete --restore-inode 2247885 /dev/sda1

2247885是刚刚那个Inode的编号，操作过后查看根目录，会发现多了一个RECOVERED_FILES目录：

ls /bin dev initrd.img lost+found opt root srv usrboot etc lib media proc run sys varcdrom home lib64 mnt RECOVERED_FILES sbin tmp vmlinuz

然后查看一下：

bwb@ubuntu:/RECOVERED_FILES$ lsfile.2247885

这个file.2247885就是那个.c文件的内容了。至此，我们使用extundelete恢复rm-rf删除的文件成功~

扩展阅读

私信“extundelete”可以得到一些信息，包括：

（1）本人博客的完整版文章链接《利用extundelete找回rm-rf彻底删除的文件》

（2）extundelete官网地址

（3）extundelete v0.2.4版本 百度网盘下载地址

（4）本人个人wiki：对extundelete官网文档的中文翻译链接

重大发现！

关注三颗豆子分裂中的同学刚买了彩票就中奖！

点赞评论三颗豆子分裂中文章的同学刚写完代码就跑通！

收藏转发三颗豆子分裂中文章的同学刚转身就遇到了真爱！