1. Install ext4magic
[root@xyc ~]# tar zxvf ext4magic-0.3.x86_64.rpm.tar.gz
ext4magic-0.3.1-1.2.x86_64.rpm
[root@xyc ~]# rpm -ivh ext4magic-0.3.1-1.2.x86_64.rpm
warning: ext4magic-0.3.1-1.2.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID fa6034b1: NOKEY
Preparing... ########################################### [100%]
1:ext4magic ########################################### [100%]
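2. Recovery setup
You need another ext3/4 file system with enough free disk space (for example: /mnt/FREE_SPACE) to write the recovered files to (150% of the size of the deleted files is recommended).
For deleted files on an ext3 file system, use ext4magic-0.2.4. For deleted files on an ext4 file system, use ext4magic-0.3.0.
3. Before recovering, it is recommended to first create a copy of the journal on another file system: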
debugfs -R "dump <8> /tmp/JOURNAL.copy" /dev/test/testlv
4. Check the version
ext4magic -V -x
ext4magic version : 0.3.1
libext2fs version : 1.41.12
CPU is little endian.
Expert Mode is activ
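5. Prevent the file system from being mounted automatically at the next reboot, and to be safe do not mount it again yourself. If there is enough free disk space, create a copy of /dev/test/testlv as an image.
dd if=/dev/test/testlv of=/tmp/PartitionCOPY_sdb1.image
6. Print the inode of the deleted directory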
ext4magic /dev/test/testlv -f /
ext4magic /dev/test/testlv -I 2
7. Print detailed information
ext4magic /dev/test/testlv -f / -T -x
Dump Inode 2 from journal transaction 22 -- this is the transaction number t
Inode: 2 Type: directory Mode: 0755 Flags: 0x0
Generation: 0 Version: 0x00000000:00000008
User: 0 Group: 0 Size: 4096
File ACL: 0 Directory ACL: 0
Links: 3 Blockcount: 8
Fragment: Address: 0 Number: 0 Size: 0
ctime: 1584583830:0679989936 -- Thu Mar 19 02:10:30 2020
atime: 1584583649:0087999704 -- Thu Mar 19 02:07:29 2020
mtime: 1584583830:0679989936 -- Thu Mar 19 02:10:30 2020
crtime: 1584510707:0000000000 -- Wed Mar 18 05:51:47 2020
Size of extra inode fields: 28
BLOCKS:
(0):8481
TOTAL: 1
2 d 755 (2) 0 0 4096 19-Mar-2020 02:10 .
2 d 755 (2) 0 0 4096 19-Mar-2020 02:10 ..
131073 d 755 (2) 0 0 4096 19-Mar-2020 02:10 mysql -- 131073 is the inode
< 131073> d 755 (2) 0 0 4096 19-Mar-2020 02:10 20200319
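8. Recover by -I and -t. In testing this was more accurate: no files were lost and the directory structure was not scrambled (recommended).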
ext4magic /dev/test/testlv -j /tmp/JOURNAL.copy -I 131074 -t 22 -r -d /tmp
9. Full recovery from a point in time
ext4magic /dev/test/testlv -a 1584581798 -d /tmp -m
10. If you want to use an image of the file system
ext4magic /tmp/PartitionCOPY_sdb1.image -M -d /tmp
11. Try a recovery: find all files named myisamlog in the mysql directory tree, then recover the files listed in temp.txt
ext4magic /dev/test/testlv -Lx -f mysql | grep "myisamlog" >temp.txt
cat temp.txt
--- 131106 "mysql/bin/myisamlog"
--- 131244 "mysql/man/man1/myisamlog.1"
ext4magic /dev/test/testlv -i temp.txt -r -d /tmp
12. View the histogram for the last 24 hours
[root@xyc tmp]# ext4magic /dev/test/testlv -H -a $(date -d "-1 day" +%s)
Filesystem in use: /dev/test/testlv
|-----------c_time Histogram----------------- after -------------------- Wed Mar 18 04:00:38 2020
1584512678 : 3 |*************** | Wed Mar 18 06:24:38 2020
1584521318 : 0 | | Wed Mar 18 08:48:38 2020
1584529958 : 0 | | Wed Mar 18 11:12:38 2020
1584538598 : 0 | | Wed Mar 18 13:36:38 2020
1584547238 : 0 | | Wed Mar 18 16:00:38 2020
1584555878 : 0 | | Wed Mar 18 18:24:38 2020
1584564518 : 0 | | Wed Mar 18 20:48:38 2020
1584573158 : 0 | | Wed Mar 18 23:12:38 2020
1584581798 : 0 | | Thu Mar 19 01:36:38 2020
1584590438 : 1 |***** | Thu Mar 19 04:00:38 2020
|-----------d_time Histogram----------------- after -------------------- Wed Mar 18 04:00:38 2020
1584512678 : 1 |* | Wed Mar 18 06:24:38 2020
1584521318 : 0 | | Wed Mar 18 08:48:38 2020
1584529958 : 0 | | Wed Mar 18 11:12:38 2020
1584538598 : 0 | | Wed Mar 18 13:36:38 2020
1584547238 : 0 | | Wed Mar 18 16:00:38 2020
1584555878 : 0 | | Wed Mar 18 18:24:38 2020
1584564518 : 0 | | Wed Mar 18 20:48:38 2020
1584573158 : 0 | | Wed Mar 18 23:12:38 2020
1584581798 : 0 | | Thu Mar 19 01:36:38 2020 -- recover from this point in time
1584590438 : 429 |**************************************************| Thu Mar 19 04:00:38 2020
13. Full recovery from a point in time
ext4magic /dev/test/testlv -a 1584581798 -d /tmp -m
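Added example (not part of the original post): a small shell helper that reads `ext4magic -H` output and picks the -a value used in steps 12 and 13, that is, the d_time bucket just before the one with the most deletions. The function names pick_after_time and sample_histogram are hypothetical, and the sample text is constructed by trimming the histogram shown above.

```shell
#!/usr/bin/env bash
# Added example: choose the -a timestamp from an `ext4magic -H` histogram.
# Real use (assumed invocation, same as step 12):
#   ext4magic /dev/test/testlv -H -a "$(date -d '-1 day' +%s)" | pick_after_time

# Constructed sample: rows trimmed from the histogram output in step 12.
sample_histogram() {
cat <<'EOF'
|-----------c_time Histogram----------------- after -------------------- Wed Mar 18 04:00:38 2020
1584512678 : 3 |*************** | Wed Mar 18 06:24:38 2020
1584590438 : 1 |***** | Thu Mar 19 04:00:38 2020
|-----------d_time Histogram----------------- after -------------------- Wed Mar 18 04:00:38 2020
1584512678 : 1 |* | Wed Mar 18 06:24:38 2020
1584573158 : 0 | | Wed Mar 18 23:12:38 2020
1584581798 : 0 | | Thu Mar 19 01:36:38 2020
1584590438 : 429 |**************************************************| Thu Mar 19 04:00:38 2020
EOF
}

# Reads histogram text on stdin and prints the epoch to pass to -a.
# Exit status: 0 ok, 1 no deletions found, 2 peak is in the first bucket
# (rerun -H with an earlier start time so a quiet bucket precedes the peak).
pick_after_time() {
  awk '
    /d_time Histogram/ { in_d = 1; next }   # deletion-time section starts
    /Histogram/        { in_d = 0; next }   # any other section (c_time ...)
    in_d && $1 ~ /^[0-9]+$/ && $2 == ":" && $3 ~ /^[0-9]+$/ {
      n++; ts[n] = $1; cnt[n] = $3 + 0
      if (cnt[n] > max) { max = cnt[n]; peak = n }   # first largest bucket
    }
    END {
      if (max == 0)  exit 1
      if (peak == 1) exit 2
      print ts[peak - 1]    # each row is a bucket end, so this is the peak start
    }'
}

# Stand-alone demo: run the script with --demo to see the chosen timestamp.
if [ "${1:-}" = "--demo" ]; then
  sample_histogram | pick_after_time
fi
```
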
14. Use ext4magic to recover overwritten files
[root@xyc tmp]# ext4magic /dev/sda6 -a 1332606716 -f rob/Bilder -l
Filesystem in use: /dev/sda6
Using external Journal at File /tmp/sda6.journal
Activ Time after : Sat Mar 24 17:31:56 2012
Activ Time before: Sat Mar 24 17:50:20 2012
Inode found "rob/Bilder" 1143236
Inode 1143236 is allocated
98% rob/Bilder/cimg1435.jpg -- this one has already been overwritten
100% rob/Bilder/cimg1436.jpg
100% rob/Bilder/cimg1439.jpg
100% rob/Bilder/cimg1442.jpg
100% rob/Bilder/cimg1443.jpg
100% rob/Bilder/cimg1444.jpg
100% rob/Bilder/cimg1445.jpg
100% rob/Bilder/cimg1446.jpg
100% rob/Bilder/cimg1456.jpg
100% rob/Bilder/cimg1457.jpg
100% rob/Bilder/cimg1458.jpg
100% rob/Bilder/cimg1541.jpg
99% rob/Bilder/cimg1442.jpg_ -- this one has already been overwritten
100% rob/Bilder/cimg1443.jpg_
100% rob/Bilder/cimg1444.jpg_
100% rob/Bilder/cimg1445.jpg_
100% rob/Bilder/cimg1446.jpg_
ext4magic: EXIT_SUCCESS
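If the percentage is below 100%, some of the file's data blocks have already been overwritten or reused, so the file cannot be recovered with its original content.
15. Recovery after a file was overwritten by redirection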
[root@xyc test]# zip -r-base scan.sh > ext4magic-0.3.1-1.2.x86_64.rpm
[root@xyc test]# ls -lrt
total 24
drwx------ 2 root root 16384 Mar 19 09:38 lost+found
-rw-r--r-- 1 root root 825 Mar 19 09:39 scan.sh
-rw-r--r-- 1 root root 93 Mar 19 09:55 ext4magic-0.3.1-1.2.x86_64.rpm
[root@xyc test]# ls -il ext4magic-0.3.1-1.2.x86_64.rpm
12 -rw-r--r-- 1 root root 93 Mar 19 09:55 ext4magic-0.3.1-1.2.x86_64.rpm --inode 12
[root@xyc test]# ext4magic /dev/test/testlv -f / -T -x -I 12
Warning: only input of one inodeNR or filename allowed
Filesystem in use: /dev/test/testlv
Using internal Journal at Inode 8
Inode found "" 2
Inode 2 is at group 0, block 289, offset 256
Transactions of Filesystemblock 289 in Journal
FS-Block Journal Transact Time in sec Time of Transaction
289 4 2 1584610760 Thu Mar 19 09:39:20 2020
289 10 3 1584610781 Thu Mar 19 09:39:41 2020
289 16 4 1584610781 Thu Mar 19 09:39:41 2020
289 21 5 1584610781 Thu Mar 19 09:39:41 2020
289 24 6 1584611572 Thu Mar 19 09:52:52 2020 -- the second-to-last entry is the one
289 28 7 0 Thu Jan 1 00:00:00 1970
-- recover
ext4magic /dev/test/testlv -I 12 -t 7 -r -d /tmp
"/tmp" accept for recoverdir
Filesystem in use: /dev/test/testlv
Using internal Journal at Inode 8
Dump Inode 12 from journal transaction 6
Inode: 12 Type: regular Mode: 0644 Flags: 0x80000
Generation: 2195143536 Version: 0x00000000:00000001
User: 0 Group: 0 Size: 97256
File ACL: 0 Directory ACL: 0
Links: 1 Blockcount: 192
Fragment: Address: 0 Number: 0 Size: 0
ctime: 1584610760:3520050712 -- Thu Mar 19 09:39:20 2020
atime: 1584610760:3516051528 -- Thu Mar 19 09:39:20 2020
mtime: 1584610760:3520050712 -- Thu Mar 19 09:39:20 2020
crtime: 1584610760:3516051528 -- Thu Mar 19 09:39:20 2020
Size of extra inode fields: 28
-------- /tmp/<12>
ext4magic : EXIT_SUCCESS
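ext4magic's support for ext4 data recovery is very powerful. Compared with extundelete, it can recover by point in time, by inode, or by specified file, perform a full recovery, and recover overwritten files. It can also recover from a failure in which the first sectors of a disk were accidentally overwritten: for example, if dd overwrote the first 100MB of the disk and the MBR and the partition table it contains were destroyed, ext4magic can still be used to recover.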