Linux系统 运行rm -rf * 后文件恢复

首先，需立即将磁盘挂载为只读。 否则其他daemons 都来读写，神仙都恢复不了了。磁盘规划时一定要做功能分区。否则，误删了想恢复也很困难。比如linux安装时不分区整个装/下面，就很麻烦。 /data挂在/dev/sdb1上  

[root@hs12 sh]# mount

/dev/sdb1 on /data type ext4 (rw)

[root@hs12 hadoop]# mount -r -n -o remount /data

mount: /data is busy

这需看看有哪些进程在用：  
 

[root@hs12 hadoop]# fuser -v -m /data

可以看到有很多java和hadoop进程在使用，杀之。  
 

[root@hs12 hadoop]# mount -r -n -o remount /data

成功。 再到/data里touch文件，报错。  

[root@hs12 data]# touch a

touch: cannot touch `a’: Read-only file system

一下就放轻松了很多。因为改为只读挂载后，可以慢慢恢复，再也不用担心我的文件被覆盖。 使用debugfs 用debugfs查找被删文件的inode，再想法恢复。

[root@hs12 ~]# debugfs /dev/sdb1

debugfs 1.41.12 (17-May-2010)

debugfs:

debugfs: lsdel

Inode Owner Mode Size Blocks Time deleted

0 deleted inodes found.

神奇的debugfs 根本没找到有文件被删除的inodes，难道是我不会用？ 失败！ 使用grep恢复 grep 在磁盘二进制中查找文本，把前后的字符导出来，也许可以恢复部分。

[root@hs12 hadoop]# grep -a -B 100 -A 100 ‘active.sh’ /dev/sdb1 results.txt

只有一些乱七八糟的二进制。失败！使用ext3grep 我的是ext4系统，根本不起作用。 只好寻找专业工具 用testdisk 6.14

使用介绍：

http://www.cgsecurity.org/wiki/TestDisk%3a_undelete_file_for_ext2

下载：

wget http://www.cgsecurity.org/testdisk-6.14.linux26-x86_64.tar.bz2

[root@hs12 hadoop]# cd testdisk-6.14

[root@hs12 testdisk-6.14]# ls

Android.mk ChangeLog documentation.html fidentify_static INFO l photorec.8 README testdisk.8 testdisk_static VERSION

AUTHORS COPYING fidentify.8 ico jni NEWS photorec_static readme.txt testdisk.log THANKS

[root@hs12 testdisk-6.14]# ./testdisk_static

TestDisk 6.14, Data Recovery Utility, July 2013

Christophe GRENIER grenier@cgsecurity.org 

http://www.cgsecurity.org

1 P MS Data 2048 7811889151 7811887104 [primary]

Directory /

 drwxr-xr-x 500 500 4096 28-Aug-2013 13:41 .

drwxr-xr-x 500 500 4096 28-Aug-2013 13:41 ..

drwxrwxrwx 500 500 16384 18-Jul-2013 15:42 lost+found

drwxrwxrwx 500 500 12288 12-Sep-2013 00:36 logs

drwxrwxrwx 500 500 4096 25-Jul-2013 16:54 test1

drwxrwxr-x 500 500 4096 12-Sep-2013 03:28 statis

drwxrwxr-x 500 500 4096 12-Sep-2013 17:40 sh

drwxrwxr-x 500 500 12288 3-Sep-2013 15:28 hadoop

Use Right to change directory, h to hide deleted files

q to quit, : to select the current file, a to select all files

C to copy the selected files, c to copy the current file

选到相应目录，enter，终于看到了删除的文件名，但是文件大小怎么都是0啊？

TestDisk 6.14, Data Recovery Utility, July 2013

Christophe GRENIER grenier@cgsecurity.org 

http://www.cgsecurity.org

1 P MS Data 2048 7811889151 7811887104 [primary]

Directory /sh

drwxrwxr-x 500 500 4096 12-Sep-2013 17:40 .

drwxr-xr-x 500 500 4096 28-Aug-2013 13:41 ..

 -rwxrwxr-x 500 500 0 12-Sep-2013 17:40 active.awk

-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 active.sh

lrwxrwxrwx 500 500 13 2-Aug-2013 17:17 statis

-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 dateutil.sh

-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 hiveput.sh

-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 multidate.sh

drwxrwxr-x 500 500 4096 3-Sep-2013 15:24 errlogs

-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 hiveactive.sh

drwxrwxr-x 500 500 4096 12-Sep-2013 17:40 cps

drwxrwxr-x 500 500 4096 30-Aug-2013 15:21 TempStatsStore

-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 bkactive.awk

-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 test.awk

-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 t.awk

-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 print

-rw-rw-r– 500 500 0 12-Sep-2013 17:40 a

-rw-rw-r– 500 500 0 12-Sep-2013 17:40 a.txt

-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 user.awk

-rw-rw-r– 500 500 0 12-Sep-2013 17:40 luan

-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 cps.sh

-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 hivenewdev.sh

-rw-rw-r– 500 500 0 12-Sep-2013 17:40 hive2mysql.sh

-rw-rw-r– 500 500 0 12-Sep-2013 17:40 py

lrwxrwxrwx 500 500 12 26-Aug-2013 09:34 userdata

lrwxrwxrwx 500 500 10 26-Aug-2013 09:34 bidata

-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 bi.awk

-rw-r–r– 500 500 0 12-Sep-2013 17:40 luandoutang_09_900037.csv

-rw-rw-r– 500 500 0 12-Sep-2013 17:40 luan1

-rwxr-xr-x 500 500 0 12-Sep-2013 17:40 luan.awk

-rwxr-xr-x 500 500 0 12-Sep-2013 17:40 luan.sh

-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 dvid_price.awk

-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 cid_price.awk

lrwxrwxrwx 500 500 15 9-Sep-2013 13:33 adsdkdata

-rw-rw-r– 500 500 0 12-Sep-2013 17:40 0908.txt

-rw-rw-r– 500 500 0 12-Sep-2013 17:40 09081.txt

-rw-rw-r– 500 500 0 12-Sep-2013 17:40 09.txt

drwxrwxr-x 500 500 4096 9-Sep-2013 16:22 pid

TestDisk 6.14, Data Recovery Utility, July 2013

Please select a destination where /sh/active.awk will be copied.

Keys: Arrow keys to select another directory

C when the destination is correct

Q to quit

原创文章，作者：ItWorker，如若转载，请注明出处：https://blog.ytso.com/57819.html