Preface
When it comes to deleting files in a Linux environment, sudo rm -rf /* inevitably comes up. Every time I see this command, I think of a spoof picture:
Its explanation of the command as "cleaning up garbage" is really "just right". It is said that a newbie asked a question on a forum and was jokingly told to run sudo rm -rf /*. As a result, the problem was solved and the person said goodbye too~
"From deleting the database to running away" is a running joke, so we must use the rm -rf command carefully. It is equivalent to using the Shift+Delete combination on Windows: the files are not put in the recycle bin but are deleted directly and permanently. Executing the rm command in Linux is equivalent to permanent deletion.
Although sudo rm -rf /* is extremely dangerous, we rarely type it directly, but the rm command itself is used often. Just a few days ago, I deleted a shell script I had worked hard to write. Fortunately, I had printed its content to the console beforehand, otherwise the whole script would have been written in vain.
Is there any remedy after rm?
Although the rm command means permanent deletion, that does not mean the file can never be found again; what varies is the probability of recovery. In fact, the delete operation only marks the file's inode as deleted and does not actually clear the file content. If recovery is attempted immediately after deletion, the probability of success is still high. However, if other users have been using the machine or some processes keep writing to the disk, this part of the data may soon be overwritten. At that point, it is basically impossible to recover the file.
Retrieving files using foremost
foremost is a command-line tool that recovers files based on their header and footer information and the built-in data structures of file formats. The next steps are installation and recovery:
- Install foremost
On a CentOS system, run sudo yum install https://forensics.cert.org/centos/cert/7/x86_64//foremost-1.5.7-13.1.el7.x86_64.rpm -y directly to complete the installation
For Ubuntu systems, try the command: sudo apt install foremost
[root@VM-0-3-centos ~]# sudo yum install https://forensics.cert.org/centos/cert/7/x86_64//foremost-1.5.7-13.1.el7.x86_64.rpm -y
Loaded plugins: fastestmirror, langpacks
Repository epel is listed more than once in the configuration
foremost-1.5.7-13.1.el7.x86_64.rpm | 46 kB 00:00:01
Examining /var/tmp/yum-root-XJIfxM/foremost-1.5.7-13.1.el7.x86_64.rpm: foremost-1.5.7-13.1.el7.x86_64
Marking /var/tmp/yum-root-XJIfxM/foremost-1.5.7-13.1.el7.x86_64.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package foremost.x86_64 0:1.5.7-13.1.el7 will be installed
--> Finished Dependency Resolution
epel/7/x86_64 | 4.7 kB 00:00:00
epel/7/x86_64/group_gz | 96 kB 00:00:00
epel/7/x86_64/updateinfo | 1.0 MB 00:00:00
epel/7/x86_64/primary_db | 7.0 MB 00:00:01
extras/7/x86_64 | 2.9 kB 00:00:00
extras/7/x86_64/primary_db | 243 kB 00:00:00
os/7/x86_64 | 3.6 kB 00:00:00
updates/7/x86_64 | 2.9 kB 00:00:00
updates/7/x86_64/primary_db | 12 MB 00:00:01
Dependencies Resolved
======================================================================
Package    Arch     Version          Repository                        Size
======================================================================
Installing:
foremost   x86_64   1.5.7-13.1.el7   /foremost-1.5.7-13.1.el7.x86_64   85 k
Transaction Summary
======================================================================
Install 1 Package
Total size: 85 k
Installed size: 85 k
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : foremost-1.5.7-13.1.el7.x86_64 1/1
Verifying : foremost-1.5.7-13.1.el7.x86_64 1/1
Installed:
foremost.x86_64 0:1.5.7-13.1.el7
Complete!
[root@VM-0-3-centos ~]#
- Create a test file
[root@VM-0-3-centos ~]# echo "this is a important file">important.txt
[root@VM-0-3-centos ~]# pwd
/root
[root@VM-0-3-centos ~]# ls
connecttendis.sh important.txt restore tarlist tendis test.iso
[root@VM-0-3-centos ~]# mkdir -p /tmp/restore
- Attempt to restore after deleting files
[root@VM-0-3-centos ~]# rm important.txt
[root@VM-0-3-centos ~]# foremost -i /dev/vda1 -o /tmp/restore/
Processing: /dev/vda1
|***********Segmentation fault
- After a few minutes of execution, it crashes and the recovery fails. Open the directory and find:
[root@VM-0-3-centos ~]# ls /tmp/restore/
audit.txt bmp doc exe htm jpg mov mpg pdf ppt rar sdw sxc sxw wav xls zip
avi dll docx gif jar mbd mp4 ole png pptx rif sx sxi vis wmv xlsx
- The failure seems to be related to the type of file being recovered. Try a PNG file on another machine instead: first find a test file, showball.png, and then confirm the partition, /dev/vda1
[root@VM-0-3-centos ~]# df
Filesystem     1K-blocks    Used Available Use% Mounted on
devtmpfs          930496       0    930496   0% /dev
tmpfs             941004      24    940980   1% /dev/shm
tmpfs             941004     508    940496   1% /run
tmpfs             941004       0    941004   0% /sys/fs/cgroup
/dev/vda1       51473868 6458344  42692404  14% /
/dev/loop0        361650  361650         0 100% /mnt/iso
tmpfs             188204       0    188204   0% /run/user/0
[root@VM-0-3-centos ~]# pwd
/root
[root@VM-0-3-centos ~]# ls
restore showball.png
- After deleting the PNG file, try to restore it. When the progress bar completes, look in the specified directory, /root/restore/
[root@VM-0-3-centos ~]# rm showball.png
rm: remove regular file 'showball.png'? y
[root@VM-0-3-centos ~]# pwd
/root
[root@VM-0-3-centos ~]# foremost -t png -i /dev/vda1 -o /root/restore/
Processing: /dev/vda1
|*********************************************************************************************|
- In the specified directory, there will be an audit.txt statistics file and a type folder png
[root@VM-0-3-centos ~]# ll restore/
total 40
-rw-r--r-- 1 root root 24548 Nov 27 22:57 audit.txt
drwxr-xr-- 2 root root 16384 Nov 27 22:56 png
[root@VM-0-3-centos ~]# cd restore/
[root@VM-0-3-centos restore]# ll png
total 43764
-rw-r--r-- 1 root root 3500 Nov 27 22:53 00367400.png
-rw-r--r-- 1 root root 3578 Nov 27 22:53 00367408.png
-rw-r--r-- 1 root root 3445 Nov 27 22:53 00367416.png
-rw-r--r-- 1 root root  368 Nov 27 22:53 00367432.png
-rw-r--r-- 1 root root  363 Nov 27 22:53 00367456.png
-rw-r--r-- 1 root root  392 Nov 27 22:53 00367464.png
-rw-r--r-- 1 root root  199 Nov 27 22:53 00367616.png
...
- The file names in the png directory are all numbers, which are completely different from the original deleted files. You need to confirm according to the audit.txt file and open the file for confirmation:
[root@VM-0-3-centos restore]# head audit.txt
Foremost version 1.5.7 by Jesse Kornblum, Kris Kendall, and Nick Mikus
Audit File
Foremost started at Sat Nov 27 22:53:48 2021
Invocation: foremost -t png -i /dev/vda1 -o /root/restore/
Output directory: /root/restore
Configuration file: /etc/foremost.conf
------------------------------------------------------------------
File: /dev/vda1
Start: Sat Nov 27 22:53:48 2021
[root@VM-0-3-centos restore]# head -n 20 audit.txt
Foremost version 1.5.7 by Jesse Kornblum, Kris Kendall, and Nick Mikus
Audit File
Foremost started at Sat Nov 27 22:53:48 2021
Invocation: foremost -t png -i /dev/vda1 -o /root/restore/
Output directory: /root/restore
Configuration file: /etc/foremost.conf
------------------------------------------------------------------
File: /dev/vda1
Start: Sat Nov 27 22:53:48 2021
Length: 49 GB (53686025728 bytes)
Num   Name (bs=512)   Size    File Offset   Comment
0:    00367400.png    3 KB    188108800     (16 x 16)
1:    00367408.png    3 KB    188112896     (16 x 16)
2:    00367416.png    3 KB    188116992     (16 x 16)
3:    00367432.png    368 B   188125184     (16 x 16)
4:    00367456.png    363 B   188137472     (16 x 16)
5:    00367464.png    392 B   188141568     (16 x 16)
...
- The audit.txt file records the brief information of the recovered files, which requires you to know the relevant information of the original deleted files, otherwise you can only open them one by one. I found them through the resolution
[root@VM-0-3-centos restore]# grep "1217" audit.txt
116: 12888200.png 40 KB 6598758400 (1217 x 690)
360: 38088960.png 40 KB 19501547520 (1217 x 690)
- According to the filtered information, open 12888200.png and find that it is the file "deleted by mistake", which is restored
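An added example, not part of the original post: a shell function that filters audit.txt on the exact "(W x H)" comment instead of a bare grep, which also matches the same digits inside the offset column. Entries 0, 116 and 360 of the sample are copied from the audit output above and entry 7 is a constructed decoy; the names audit_find and sample_audit are illustrative.

```shell
#!/bin/sh
# Added example (not from the original post). audit_find and sample_audit are
# illustrative names.

# sample_audit: print a small audit.txt. Entries 0, 116 and 360 are copied from
# the output above; entry 7 is constructed so that "1217" appears in its offset.
sample_audit() {
    cat <<'EOF'
Foremost version 1.5.7 by Jesse Kornblum, Kris Kendall, and Nick Mikus
Audit File

File: /dev/vda1
Length: 49 GB (53686025728 bytes)

Num      Name (bs=512)         Size      File Offset     Comment

0:      00367400.png           3 KB       188108800       (16 x 16)
7:      00237699.png           2 KB       121701888       (32 x 32)
116:    12888200.png          40 KB      6598758400       (1217 x 690)
360:    38088960.png          40 KB     19501547520       (1217 x 690)
EOF
}

# audit_find AUDIT_FILE WIDTH HEIGHT
# Print "name size unit offset check" for each carved image whose Comment
# column is exactly "(WIDTH x HEIGHT)".
# Usage: sample_audit > /tmp/audit.txt; audit_find /tmp/audit.txt 1217 690
audit_find() {
    awk -v w="$2" -v h="$3" '
        $1 ~ /^[0-9]+:$/ && $6 == ("(" w) && $7 == "x" && $8 == (h ")") {
            # In this listing the name is the start offset divided by the
            # 512-byte block size shown in the header (bs=512).
            split($2, part, ".")
            check = (part[1] + 0 == $5 / 512) ? "sector-ok" : "sector-mismatch"
            print $2, $3, $4, $5, check
        }' "$1"
}
```

Because each name is the start sector, a hit can be traced back to its byte offset on the device without opening the carved file.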
Retrieve files using extundelete
extundelete supports file recovery on ext3 and ext4 file systems. You can use cat /etc/fstab to view the file system types in a Linux environment
[root@VM-0-3-centos ~]# cat /etc/fstab
UUID=21dbe030-aa71-4b3a-8610-3b942dd447fa / ext4 noatime,acl,user_xattr 1 1
proc /proc proc defaults 0 0
sysfs /sys sysfs noauto 0 0
debugfs /sys/kernel/debug debugfs noauto 0 0
devpts /dev/pts devpts mode=0620,gid=5 0 0
[root@VM-0-3-centos ~]#
- Install dependencies
[root@VM-0-3-centos ~]# yum install e2fsprogs-devel
Loaded plugins: fastestmirror, langpacks
Repository epel is listed more than once in the configuration
Determining fastest mirrors
epel | 4.7 kB 00:00:00
extras | 2.9 kB 00:00:00
os | 3.6 kB 00:00:00
updates | 2.9 kB 00:00:00
(1/2): epel/7/x86_64/updateinfo | 1.0 MB 00:00:00
(2/2): epel/7/x86_64/primary_db | 7.0 MB 00:00:01
Resolving Dependencies
--> Running transaction check
---> Package e2fsprogs-devel.x86_64 0:1.42.9-19.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
======================================================================
Package           Arch     Version         Repository   Size
======================================================================
Installing:
e2fsprogs-devel   x86_64   1.42.9-19.el7   os           73 k
Transaction Summary
======================================================================
Install 1 Package
Total download size: 73 k
Installed size: 162 k
Is this ok [y/d/N]: y
Downloading packages:
e2fsprogs-devel-1.42.9-19.el7.x86_64.rpm | 73 kB 00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : e2fsprogs-devel-1.42.9-19.el7.x86_64 1/1
Verifying : e2fsprogs-devel-1.42.9-19.el7.x86_64 1/1
Installed:
e2fsprogs-devel.x86_64 0:1.42.9-19.el7
Complete!
[root@VM-0-3-centos ~]#
- Download extundelete source code
[root@VM-0-3-centos ~]# wget https://src.fedoraproject.org/repo/pkgs/extundelete/extundelete-0.2.4.tar.bz2/77e626ad31433680c0a222069295d2ca/extundelete-0.2.4.tar.bz2
--2021-11-28 18:36:15-- https://src.fedoraproject.org/repo/pkgs/extundelete/extundelete-0.2.4.tar.bz2/77e626ad31433680c0a222069295d2ca/extundelete-0.2.4.tar.bz2
Resolving src.fedoraproject.org (src.fedoraproject.org)... 38.145.60.20, 38.145.60.21
Connecting to src.fedoraproject.org (src.fedoraproject.org)|38.145.60.20|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 108472 (106K) [application/x-bzip2]
Saving to: 'extundelete-0.2.4.tar.bz2'
100%[============================================================================>] 108,472 33.5KB/s in 3.2s
2021-11-28 18:36:20 (33.5 KB/s) - 'extundelete-0.2.4.tar.bz2' saved [108472/108472]
[root@VM-0-3-centos ~]# ls
extundelete-0.2.4.tar.bz2
- Extract the extundelete source code
[root@VM-0-3-centos ~]# tar -jxvf extundelete-0.2.4.tar.bz2
extundelete-0.2.4/
extundelete-0.2.4/acinclude.m4
extundelete-0.2.4/missing
extundelete-0.2.4/autogen.sh
extundelete-0.2.4/aclocal.m4
extundelete-0.2.4/configure
extundelete-0.2.4/LICENSE
extundelete-0.2.4/README
extundelete-0.2.4/install-sh
extundelete-0.2.4/config.h.in
extundelete-0.2.4/src/
extundelete-0.2.4/src/extundelete.cc
extundelete-0.2.4/src/block.h
extundelete-0.2.4/src/kernel-jbd.h
extundelete-0.2.4/src/insertionops.cc
extundelete-0.2.4/src/block.c
extundelete-0.2.4/src/cli.cc
extundelete-0.2.4/src/extundelete-priv.h
extundelete-0.2.4/src/extundelete.h
extundelete-0.2.4/src/jfs_compat.h
extundelete-0.2.4/src/Makefile.in
extundelete-0.2.4/src/Makefile.am
extundelete-0.2.4/configure.ac
extundelete-0.2.4/depcomp
extundelete-0.2.4/Makefile.in
extundelete-0.2.4/Makefile.am
[root@VM-0-3-centos ~]# cd extundelete-0.2.4/
[root@VM-0-3-centos extundelete-0.2.4]# ls
acinclude.m4 aclocal.m4 autogen.sh config.h.in configure configure.ac depcomp install-sh LICENSE Makefile.am Makefile.in missing README src
[root@VM-0-3-centos extundelete-0.2.4]#
- Compile the extundelete source code and install it
[root@VM-0-3-centos extundelete-0.2.4]# ./configure --prefix=/usr/local/extundelete && make && make install
Configuring extundelete 0.2.4
Writing generated files to disk
make -s all-recursive
Making all in src
extundelete.cc: In function 'ext2_ino_t find_inode(ext2_filsys, ext2_filsys, ext2_inode*, std::string, int)':
extundelete.cc:1272:29: warning: narrowing conversion of 'search_flags' from 'int' to 'ext2_ino_t {aka unsigned int}' inside { } [-Wnarrowing]
buf, match_name2, priv, 0};
^
Making install in src
/usr/bin/install -c extundelete '/usr/local/extundelete/bin'
[root@VM-0-3-centos extundelete-0.2.4]# which extundelete
/usr/bin/which: no extundelete in (/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin)
[root@VM-0-3-centos extundelete-0.2.4]# ll /usr/local/extundelete/bin/
total 1296
-rwxr-xr-x 1 root root 1323360 Nov 28 18:45 extundelete
If this step reports the error configure: error: C++ compiler cannot create executables, run the yum -y install gcc-c++ command to install the compilation environment
- Prepare a test file
[root@VM-0-3-centos examples]# df -T
Filesystem     Type     1K-blocks    Used Available Use% Mounted on
devtmpfs       devtmpfs    930496       0    930496   0% /dev
tmpfs          tmpfs       941004      24    940980   1% /dev/shm
tmpfs          tmpfs       941004     508    940496   1% /run
tmpfs          tmpfs       941004       0    941004   0% /sys/fs/cgroup
/dev/vda1      ext4      51473868 6465732  42685016  14% /
/dev/loop0     iso9660     361650  361650         0 100% /mnt/iso
tmpfs          tmpfs       188204       0    188204   0% /run/user/0
[root@VM-0-3-centos examples]# cp ../extundelete-0.2.4.tar.bz2 .
[root@VM-0-3-centos examples]# ls
extundelete-0.2.4.tar.bz2
- Query the inode information of the file
We use the extundelete source package just downloaded as the file "deleted by mistake". First, check its information: ls -li shows the inode number of each file in the first column. The inode value of the examples folder is 1311798:
[root@VM-0-3-centos ~]# ls examples/
extundelete-0.2.4.tar.bz2
[root@VM-0-3-centos ~]# ls -li
total 361676
1311798 drwxr-xr-x 2 root root      4096 Nov 28 20:28 examples
1310761 drwxr-xr-x 3 1000 1000      4096 Nov 28 18:45 extundelete-0.2.4
 918157 drwxr-xr-x 2 root root      4096 Feb 28 2021 tarlist
 396057 -rw-r--r-- 1 root root 370329600 Feb 27 2021 test.iso
- Delete the test file and query the information with the
[root@VM-0-3-centos ~]# cd examples/
[root@VM-0-3-centos examples]# ls
extundelete-0.2.4.tar.bz2
[root@VM-0-3-centos examples]# rm extundelete-0.2.4.tar.bz2 -f
[root@VM-0-3-centos examples]# ls
[root@VM-0-3-centos examples]# /usr/local/extundelete/bin/extundelete /dev/vda1 --inode 1311798
NOTICE: Extended attributes are not restored.
WARNING: EXT3_FEATURE_INCOMPAT_RECOVER is set.
The partition should be unmounted to undelete any files without further data loss.
If the partition is not currently mounted, this message indicates
it was improperly unmounted, and you should run fsck before continuing.
If you decide to continue, extundelete may overwrite some of the deleted
files and make recovering those files impossible. You should unmount the
file system and check it with fsck before using extundelete.
Would you like to continue? (y/n)
y
Loading filesystem metadata ... 400 groups loaded.
Group: 160
Contents of inode 1311798:
...
Inode is Allocated
File mode: 16877
Low 16 bits of Owner Uid: 0
Size in bytes: 4096
Access time: 1638097530
Creation time: 1638103579
Modification time: 1638103579
Deletion Time: 0
Low 16 bits of Group Id: 0
Links count: 2
Blocks count: 8
File flags: 524288
File version (for NFS): 2913690492
File ACL: 0
Directory ACL: 0
Fragment address: 0
Direct blocks: 127754, 4, 0, 0, 1, 5251193, 0, 0, 0, 0, 0, 0
Indirect block: 0
Double indirect block: 0
Triple indirect block: 0
File name                 | Inode number | Deleted status
.                           1311798
..                          393219
extundelete-0.2.4.tar.bz2   396764         Deleted
conftest.err                1311833        Deleted
[root@VM-0-3-centos examples]#
We found that the status of the extundelete-0.2.4.tar.bz2 file is Deleted
- Recovering files using extundelete
[root@VM-0-3-centos ~]# /usr/local/extundelete/bin/extundelete /dev/vda1 --restore-directory /tmp
NOTICE: Extended attributes are not restored.
WARNING: EXT3_FEATURE_INCOMPAT_RECOVER is set.
The partition should be unmounted to undelete any files without further data loss.
If the partition is not currently mounted, this message indicates
it was improperly unmounted, and you should run fsck before continuing.
If you decide to continue, extundelete may overwrite some of the deleted
files and make recovering those files impossible. You should unmount the
file system and check it with fsck before using extundelete.
Would you like to continue? (y/n)
y
Loading filesystem metadata ... 400 groups loaded.
Loading journal descriptors ... 31842 descriptors loaded.
*** Error in `/usr/local/extundelete/bin/extundelete': double free or corruption (!prev): 0x00000000014d6020 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x81299)[0x7f5c08190299]
/usr/local/extundelete/bin/extundelete[0x40cdcb]
/usr/local/extundelete/bin/extundelete[0x40fee6]
/usr/local/extundelete/bin/extundelete[0x4045b4]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x7f5c08131555]
/usr/local/extundelete/bin/extundelete[0x404aef]
======= Memory map: ========
...
Aborted
[root@VM-0-3-centos ~]#
- Recovery failed, this road is blocked!!!
Others succeeded, but my test failed: it freed memory and crashed. Can any expert tell me how to change the source code? If there is any doubt here, I will test it again later. For now, I will record the common parameters first.
- Query inode file status: /usr/local/extundelete/bin/extundelete /dev/vda1 --inode 1311798
- Recover the data of a specified inode: /usr/local/extundelete/bin/extundelete /dev/vda1 --restore-inode 1311798
- Recover a single file: /usr/local/extundelete/bin/extundelete /dev/vda1 --restore-file root/examples/extundelete-0.2.4.tar.bz2
- Restore a directory: /usr/local/extundelete/bin/extundelete /dev/vda1 --restore-directory root/examples
- Recover all files: /usr/local/extundelete/bin/extundelete /dev/vda1 --restore-all
Prevent accidents caused by accidental deletion
- Define an alias that prompts before deletion
Define the alias alias rm='rm -i'. A prompt then appears before each file is deleted: with the -i option the files are confirmed one by one, and a file is deleted only when the user enters y. This method stops working once the -f option is added.
- Disable rm and use mv instead
Do not allow the rm command to delete files directly on the system. Instead, mv files to a designated recycling directory, /.delete, and empty the files under /.delete every week with a scheduled task, which is equivalent to building a recycle bin by hand.
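One way to build the recycle bin described above, as an added example that is not part of the original post: trash moves files into the recycle directory and logs where they came from, and trash_purge is the weekly cleanup. The names TRASH_DIR, trash, trash_purge and the script path in the cron comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). TRASH_DIR, trash and trash_purge
# are illustrative names; /.delete is the recycle directory the text describes.
# In an interactive shell, alias rm=trash routes habitual rm calls here.
TRASH_DIR="${TRASH_DIR:-/.delete}"

# trash FILE...: move each FILE into its own slot under $TRASH_DIR and record
# the original path in index.tsv so the file can be moved back later.
trash() {
    rc=0
    n=0
    stamp=$(date +%Y%m%d-%H%M%S)
    bin=$(mkdir -p "$TRASH_DIR" && cd "$TRASH_DIR" && pwd -P) || return 1
    for target in "$@"; do
        # Flags typed out of rm habit (-rf, -f) are skipped, never moved.
        case "$target" in -*) continue ;; esac
        if [ ! -e "$target" ] && [ ! -L "$target" ]; then
            echo "trash: $target: no such file or directory" >&2
            rc=1; continue
        fi
        # Absolute path of the target, without following a final symlink.
        if [ -d "$target" ] && [ ! -L "$target" ]; then
            abs=$(cd "$target" && pwd -P) || { rc=1; continue; }
        else
            dir=$(cd "$(dirname "$target")" && pwd -P) || { rc=1; continue; }
            abs="${dir%/}/$(basename "$target")"
        fi
        # Never move the recycle directory or one of its parents.
        case "$bin/" in
            "$abs"/*) echo "trash: refusing to move $abs" >&2; rc=1; continue ;;
        esac
        if [ "$abs" = / ]; then
            echo "trash: refusing to move /" >&2; rc=1; continue
        fi
        n=$((n + 1))
        slot="$bin/$stamp.$$.$n"
        if mkdir -p "$slot" && mv -- "$abs" "$slot/"; then
            printf '%s\t%s\n' "$slot/$(basename "$abs")" "$abs" >> "$bin/index.tsv"
        else
            rc=1
        fi
    done
    return "$rc"
}

# trash_purge [DAYS]: permanently remove slots older than DAYS (default 7).
# A weekly cron entry could call it; the script path is hypothetical:
#   0 3 * * 0  . /usr/local/lib/trash.sh && trash_purge 7
trash_purge() {
    [ -d "$TRASH_DIR" ] || return 0
    find "$TRASH_DIR" -mindepth 1 -maxdepth 1 -type d -mtime +"${1:-7}" \
        -exec rm -rf -- {} +
}
```

Unlike the rm -i alias, this keeps working when -f is typed, because the flag is ignored and the file is still only moved.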
Summary
- The target directory for foremost recovery is preferably a directory on another disk. Restoring files to the disk where the deleted files are located is likely to overwrite the wrongly deleted files before recovery
- The full name of sudo currently has two versions: substitute user do and super user do. sudo is usually used to run commands with superuser privileges, but it can sometimes run them as other ordinary users too, so "substitute user do" is the more accurate expansion
- foremost supports many file systems, including ext2, ext3, vfat, NTFS, ufs, jfs, etc., but can only recover files of specific formats, while extundelete only supports ext3 and ext4 file systems, but there are many recoverable file types.
- In addition to the two recovery tools summarized in this article, testdisk and photorec can also be used for recovery. You can try them later
- The data is priceless. Please delete it carefully. You can refer to the alias method or disable rm -rf to reduce the occurrence of accidents
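The first summary point as a pre-flight check, added here as an example that is not part of the original post: it compares the device backing the output directory with the partition being scanned and refuses when they are the same. The function names and the /mnt/usb path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post); function names are illustrative.

# canon NAME: resolve symlinked device names (e.g. /dev/disk/by-uuid/...) so
# two spellings of one device compare equal. Non-path sources pass through.
canon() {
    case "$1" in
        /*) readlink -f "$1" 2>/dev/null || printf '%s\n' "$1" ;;
        *)  printf '%s\n' "$1" ;;
    esac
}

# fs_source DIR: print the device (or pseudo-source) that backs DIR.
fs_source() {
    df -P "$1" | awk 'NR == 2 { print $1 }'
}

# recovery_target_ok SOURCE_DEV OUT_DIR
# Returns 0 only if OUT_DIR is an existing, writable directory that is not
# stored on SOURCE_DEV; 1 if it is on SOURCE_DEV; 2 if it is unusable.
recovery_target_ok() {
    src=$(canon "$1")
    out=$2
    if [ ! -d "$out" ] || [ ! -w "$out" ]; then
        echo "recovery target $out is not a writable directory" >&2
        return 2
    fi
    backing=$(canon "$(fs_source "$out")")
    if [ "$backing" = "$src" ]; then
        echo "refusing: $out is stored on $src, so recovered files could overwrite the deleted data" >&2
        return 1
    fi
    return 0
}

# Typical use before carving (paths are examples):
#   recovery_target_ok /dev/vda1 /mnt/usb/restore &&
#       foremost -t png -i /dev/vda1 -o /mnt/usb/restore/
```

Run against the sessions above, the check would reject both /tmp/restore and /root/restore, since each sits on /dev/vda1, the partition being scanned.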
Adults, result oriented! Hard work without credit is so weak~