Background
Today I did stupid things that I went into the ~/Downloads/ and pressed [Alt] + [A] then [Shift] + [Delete]. Wtf... I didn't want to delete this folder but another sub-folder...... So no zuo no die : )
Theory
Generally, Linux filesystem mainly contains inode and blocks. inode is the index of file or directory; blocks stores the actual data.
Usually, our rm or [Shift] + [Delete] in GUI just modify the inode but do not rewrite the blocks in which your data has ever be (If you use some special professional softwares to delete file, good luck : ) ).
So if our file is just there as it was before if we take measures in time. We can't use filename or inode to fetch it, but there are other probably ways to make it.
EMPTY. I want to add more filesystem knowledge here later. Remind me of it, OK ?
P.S. The filesystem is very interesting. You can regard it as local Domain Name System to some extent. And the filename is something like the domain name, while inode is something like IP address.
Recovery
Environment: Linux (I tried on Ubuntu 14.04 & CentOS 6.0)
Filesystem: Ext4 [1]
Of course, you'd better be root and everything will be easier.
0x0 Forbid other users and processes to Modify the filesystem
~If no speical prompts, you'd better follow this part to protect your data.
~Now we test on /dev/sda8 mounting at /tmp. sth in /tmp may be erased after mounting or unmounting, but sth in /tmp/lost+found may not.
~I usecat /proc/meminfo > /tmp/lost+found/tet
to create a test file and delete it.
~fs means filesystem.
~sth means something.
For the test, I md5sum /tmp/lost+found/tet
before deleting it
Before unmounting, use ls -id /tmp
and take down the inode number
- use
df
orfdisk -l
to determine the fs to be unmounted unmount it:
umount /dev/sda8
mount the fs with read-only state:
mount -r -n /dev/sda8
And you can have a try to write sth and find failed.
P.S.
~When I man umount I foundumount /dev/sda8
is not recommended and it's better to useumount /tmp
(directory name). And after Imount -r -n /dev/sda8
, I failed to useumount /dev/sda8
to unmount it.
~If the fs is busy and you can't unmount it. You can usefuser -v -m /dev/sda8
to find the processes using it and kill them. What's more, you can usefuser -k -v -m /dev/sda8
to kill them automatically.
Here I will give some methods I have tried(the title is the main tool to be used).
0x1 extundelete
yum install e2fsprogs e2fsprogs-libs e2fsprogs-devel
-
wget http://tenet.dl.sourceforge.net/project/extundelete/extundelete/0.2.4/extundelete-0.2.4.tar.bz2
If you didn't install g++ like me,yum install gcc-c++
./configure
make && make install
extundelete /dev/sda8 --inode 2
to check-
extundelete /dev/sda8 --restore-directory lost+found
here I use --restore-directory, you can also use --restore-file RELATIVE-PATH-OF-FILE md5sum ./RECOVERD_FILES/lost+found/tet
Bingo~
P.S.
You can also use extundelete /dev/sda8 --restore-all
simply.
0x02 debugfs & dd
...
0x03 testdisk
...
Finally
Some advice:
- Backup is very very important
- Disk should be parted into filesystems (/,/home,/boot,/var,/usr,swap,...)
alias rm="rm -i"
Quotations
I learnt knowledge from articles below. Thanks for the authors' sharing.
Appendix
[1] How to determine your filesystem?
-
fdisk -l # to get the name of disk. E.g. /dev/sda5
You can also usedf
and this tool can show the relationship between fs and your directories. However, this tool can only deal with fs being mounted. -
file -s /dev/sda5