Linux is a multi-user, multi-tasking operating system, so once a file is deleted it is hard to get back. The delete operation only marks the file's inode as deleted and does not actually clear the file contents, but other users and processes that write to the disk will quickly overwrite the freed blocks.
1. A brief introduction to the structure of the Ext2 file system
In the Ext2 file system used by Linux, files are stored in blocks. By default each block is 1K in size, and blocks are told apart by their block numbers. Each file also has an inode, which holds the file owner, read and write permissions, file type and similar information. For a file that fits in 12 blocks, the block numbers of its data blocks are stored directly in the inode. If the file is larger than 12 blocks, the inode stores, after the 12 direct block numbers, the block number of an indirect block; the block with that number holds the block numbers of 256 further data blocks (in Ext2fs each block number occupies 4 bytes, so a 1K block can hold 1024/4 = 256 block numbers). For still larger files, double indirect and triple indirect blocks also appear in the inode.
2. Methods to recover accidentally deleted files
Most Linux distributions provide the debugfs tool, which can be used to edit an Ext2 file system. Before using it, however, some preparation is needed.
First, remount the partition containing the accidentally deleted file in read-only mode with the following command (assuming the file is in the /usr partition):
mount -r -n -o remount /usr
Here -r means mount read-only, and -n means do not write to /etc/mtab; if you are recovering files on /etc, be sure to add this option. If the system reports that the partition is busy, use the fuser command to see which processes are using files on that partition:
fuser -v -m /usr
If none of them are important, stop them with the following command:
fuser -k -v -m /usr
The file system can then be remounted.
If everything is installed in one large / partition, enter single-user mode by typing linux single at the boot prompt, which minimizes the chance of system processes writing to the disk, or simply move the hard disk to another machine. In either case, do not write the recovered data back to / either, or you risk overwriting the very data you want to save. If the machine has a DOS/Windows partition, you can write to that instead (the destination must be mounted writable):
mount -n /dev/hda1 /mnt/hda
Then run debugfs (assuming the Linux partition is /dev/hda5):
# debugfs /dev/hda5
The debugfs: prompt will appear.
Use the lsdel command to list the deleted files:
debugfs: lsdel
debugfs: 2692 deleted inodes found.
 Inode  Owner  Mode    Size      Blocks   Time deleted
164821      0 100600    8192    1/   1 Sun May 13 19:22:46 2001
 36137      0 100644       4    1/   1 Tue Apr 24 10:11:15 2001
196829      0 100644  149500   38/  38 Mon May 27 13:52:04 2001
Many files are listed (2692 were found here). The first field is the inode number, the second the file owner, the third the mode (read and write permissions), followed by the file size, the number of blocks occupied, and the deletion time.
We can then decide which ones we need from the file size and deletion date. For example, suppose we want to recover the file with inode 196829.
First look at the state of the file's data:
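Picking the right inode out of thousands of lsdel lines is easier with a script. The following Python helper is an added example, not part of the original article: it parses lsdel output into records, keeps only regular files whose blocks are all still free (a file whose blocks have already been reused, shown as free < total, cannot be recovered intact), filters by size and deletion time, and prints the matching debugfs dump commands. The listing is constructed from the three lines above plus one made-up partially overwritten inode (40211), and /mnt/hda is assumed as the destination.

```python
import re
import stat
from datetime import datetime

# Constructed sample of debugfs "lsdel" output, modelled on the listing shown
# above; the 40211 line is invented to show a partially overwritten file.
LSDEL_SAMPLE = """\
 Inode  Owner  Mode    Size      Blocks   Time deleted
164821      0 100600    8192    1/   1 Sun May 13 19:22:46 2001
 36137      0 100644       4    1/   1 Tue Apr 24 10:11:15 2001
196829      0 100644  149500   38/  38 Mon May 27 13:52:04 2001
 40211      0 100644   40960   10/  40 Mon May 27 13:55:10 2001
4 deleted inodes found.
"""

# One data line: inode, owner uid, octal mode, size, "free/total" blocks, date.
LINE_RE = re.compile(
    r"^\s*(?P<inode>\d+)\s+(?P<owner>\d+)\s+(?P<mode>[0-7]+)\s+(?P<size>\d+)"
    r"\s+(?P<free>\d+)/\s*(?P<total>\d+)\s+(?P<deleted>\w{3} \w{3}\s+\d+ [\d:]+ \d{4})\s*$")

def parse_lsdel(text):
    """Turn lsdel output into a list of dicts; header and summary lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        entries.append({
            "inode": int(d["inode"]),
            "owner": int(d["owner"]),
            "mode": int(d["mode"], 8),        # lsdel prints the mode in octal
            "size": int(d["size"]),
            "blocks_free": int(d["free"]),    # data blocks still unallocated
            "blocks_total": int(d["total"]),  # data blocks the inode referenced
            "deleted": datetime.strptime(d["deleted"], "%a %b %d %H:%M:%S %Y"),
        })
    return entries

def select_candidates(entries, min_size=0, deleted_after=None):
    """Keep regular files whose data blocks are all still free (free == total),
    optionally restricted by minimum size and earliest deletion time."""
    return [e for e in entries
            if stat.S_ISREG(e["mode"]) and e["blocks_free"] == e["blocks_total"]
            and e["size"] >= min_size
            and (deleted_after is None or e["deleted"] >= deleted_after)]

def dump_commands(entries, dest_dir):
    """debugfs 'dump' lines for the chosen inodes; dest_dir must be another partition."""
    return [f"dump <{e['inode']}> {dest_dir}/{e['inode']}.sav" for e in entries]
```

Feed the real listing in with `debugfs -R lsdel /dev/hda5` captured to a file, then paste the printed dump lines at the debugfs: prompt.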
debugfs: stat <196829>
Inode: 196829   Type: regular    Mode:  0644   Flags: 0x0   Version: 1
User:     0   Group:     0   Size: 149500
File ACL: 0    Directory ACL: 0
Links: 0   Blockcount: 38
Fragment:  Address: 0    Number: 0    Size: 0
ctime: 0x31a9a574 -- Mon May 27 13:52:04 2001
atime: 0x31a21dd1 -- Tue May 21 20:47:29 2001
mtime: 0x313bf4d7 -- Tue Mar  5 08:01:27 2001
dtime: 0x31a9a574 -- Mon May 27 13:52:04 2001
BLOCKS:
594810 594811 594814 594815 594816 594817
TOTAL: 38
Then you can use the dump command to restore the file:
debugfs: dump <196829> /mnt/hda/01.sav
This restores the file. Then exit debugfs:
debugfs: quit
Another way is to edit the inode by hand with the mi command:
debugfs: mi <196829>
                          Mode    [0100644]
                       User ID    [0]
                      Group ID    [0]
                          Size    [149500]
                 Creation time    [0x31a9a574]
             Modification time    [0x31a9a574]
                   Access time    [0x31a21dd1]
                 Deletion time    [0x31a9a574] 0
                    Link count    [0] 1
                   Block count    [38]
                    File flags    [0x0]
                     Reserved1    [0]
                      File acl    [0]
                 Directory acl    [0]
              Fragment address    [0]
               Fragment number    [0]
                 Fragment size    [0]
               Direct Block #0    [594810]
         Triple Indirect Block    [0]
The mi command presents one field at a time for editing. Press Enter to leave a field unchanged; set Deletion time to 0 (meaning not deleted) and Link count to 1. After making these changes, exit debugfs:
debugfs: quit
Then check /dev/hda5 with fsck:
fsck /dev/hda5
The program will report that it found an unattached inode with its data blocks and has placed it in lost+found. The file in that directory is the one we wanted.