51工具盒子

依楼听风雨
笑看云卷云舒,淡观潮起潮落

Linux系统 运行rm -rf * 后文件恢复

首先,需立即将磁盘挂载为只读。 否则其他daemons 都来读写,神仙都恢复不了了。磁盘规划时一定要做功能分区。否则,误删了想恢复也很困难。比如linux安装时不分区整个装/下面,就很麻烦。 /data挂在/dev/sdb1上

[root@hs12 sh]# mount
/dev/sdb1 on /data type ext4 (rw)
[root@hs12 hadoop]# mount -r -n -o remount /data
mount: /data is busy

这需看看有哪些进程在用:

[root@hs12 hadoop]# fuser -v -m /data

可以看到有很多java和hadoop进程在使用,杀之。

[root@hs12 hadoop]# mount -r -n -o remount /data

成功。 再到/data里touch文件,报错。

[root@hs12 data]# touch a
touch: cannot touch `a’: Read-only file system

一下就放轻松了很多。因为改为只读挂载后,可以慢慢恢复,再也不用担心我的文件被覆盖。 使用debugfs 用debugfs查找被删文件的inode,再想法恢复。

[root@hs12 ~]# debugfs /dev/sdb1
debugfs 1.41.12 (17-May-2010)
debugfs:
debugfs: lsdel
Inode Owner Mode Size Blocks Time deleted
0 deleted inodes found.

神奇的debugfs 根本没找到有文件被删除的inodes,难道是我不会用? 失败! 使用grep恢复 grep 在磁盘二进制中查找文本,把前后的字符导出来,也许可以恢复部分。

[root@hs12 hadoop]# grep -a -B 100 -A 100 ‘active.sh’ /dev/sdb1 > results.txt

只有一些乱七八糟的二进制。失败!使用ext3grep 我的是ext4系统,根本不起作用。 只好寻找专业工具 用testdisk 6.14

使用介绍:

http://www.cgsecurity.org/wiki/TestDisk%3a_undelete_file_for_ext2

下载:

wget http://www.cgsecurity.org/testdisk-6.14.linux26-x86_64.tar.bz2
[root@hs12 hadoop]# cd testdisk-6.14
[root@hs12 testdisk-6.14]# ls
Android.mk ChangeLog documentation.html fidentify_static INFO l photorec.8 README testdisk.8 testdisk_static VERSION
AUTHORS COPYING fidentify.8 ico jni NEWS photorec_static readme.txt testdisk.log THANKS
[root@hs12 testdisk-6.14]# ./testdisk_static
TestDisk 6.14, Data Recovery Utility, July 2013
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org
1 P MS Data 2048 7811889151 7811887104 [primary]
Directory /
>drwxr-xr-x 500 500 4096 28-Aug-2013 13:41 .
drwxr-xr-x 500 500 4096 28-Aug-2013 13:41 ..
drwxrwxrwx 500 500 16384 18-Jul-2013 15:42 lost+found
drwxrwxrwx 500 500 12288 12-Sep-2013 00:36 logs
drwxrwxrwx 500 500 4096 25-Jul-2013 16:54 test1
drwxrwxr-x 500 500 4096 12-Sep-2013 03:28 statis
drwxrwxr-x 500 500 4096 12-Sep-2013 17:40 sh
drwxrwxr-x 500 500 12288 3-Sep-2013 15:28 hadoop
Next
Use Right to change directory, h to hide deleted files
q to quit, : to select the current file, a to select all files
C to copy the selected files, c to copy the current file
选到相应目录,enter,终于看到了删除的文件名,但是文件大小怎么都是0啊?
TestDisk 6.14, Data Recovery Utility, July 2013
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org
1 P MS Data 2048 7811889151 7811887104 [primary]
Directory /sh
drwxrwxr-x 500 500 4096 12-Sep-2013 17:40 .
drwxr-xr-x 500 500 4096 28-Aug-2013 13:41 ..
>-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 active.awk
-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 active.sh
lrwxrwxrwx 500 500 13 2-Aug-2013 17:17 statis
-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 dateutil.sh
-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 hiveput.sh
-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 multidate.sh
drwxrwxr-x 500 500 4096 3-Sep-2013 15:24 errlogs
-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 hiveactive.sh
drwxrwxr-x 500 500 4096 12-Sep-2013 17:40 cps
drwxrwxr-x 500 500 4096 30-Aug-2013 15:21 TempStatsStore
-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 bkactive.awk
-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 test.awk
-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 t.awk
-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 print
-rw-rw-r-- 500 500 0 12-Sep-2013 17:40 a
-rw-rw-r-- 500 500 0 12-Sep-2013 17:40 a.txt
-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 user.awk
-rw-rw-r-- 500 500 0 12-Sep-2013 17:40 luan
-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 cps.sh
-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 hivenewdev.sh
-rw-rw-r-- 500 500 0 12-Sep-2013 17:40 hive2mysql.sh
-rw-rw-r-- 500 500 0 12-Sep-2013 17:40 py
lrwxrwxrwx 500 500 12 26-Aug-2013 09:34 userdata
lrwxrwxrwx 500 500 10 26-Aug-2013 09:34 bidata
-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 bi.awk
-rw-r--r-- 500 500 0 12-Sep-2013 17:40 luandoutang_09_900037.csv
-rw-rw-r-- 500 500 0 12-Sep-2013 17:40 luan1
-rwxr-xr-x 500 500 0 12-Sep-2013 17:40 luan.awk
-rwxr-xr-x 500 500 0 12-Sep-2013 17:40 luan.sh
-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 dvid_price.awk
-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 cid_price.awk
lrwxrwxrwx 500 500 15 9-Sep-2013 13:33 adsdkdata
-rw-rw-r-- 500 500 0 12-Sep-2013 17:40 0908.txt
-rw-rw-r-- 500 500 0 12-Sep-2013 17:40 09081.txt
-rw-rw-r-- 500 500 0 12-Sep-2013 17:40 09.txt
drwxrwxr-x 500 500 4096 9-Sep-2013 16:22 pid
TestDisk 6.14, Data Recovery Utility, July 2013
Please select a destination where /sh/active.awk will be copied.
Keys: Arrow keys to select another directory
C when the destination is correct
Q to quit


1 2

赞(0)
未经允许不得转载:工具盒子 » Linux系统 运行rm -rf * 后文件恢复