How to recover files accidentally deleted by rm in Linux environment

How to recover files accidentally deleted by rm in Linux environment

Preface

When it comes to deleting files in Linux, sudo rm -rf /* command is a must. Every time I see this command, I think of a funny picture:

rm

This explanation of "cleaning up garbage" is really "just right". It is said that a newbie asked a question on the forum, and someone jokingly replied with the command sudo rm -rf /* , and the problem was solved, and the newbie was killed~

From deleting the database to running away, one little trick to go to jail every day, so we must be cautious when using the rm -rf command, which is equivalent to using Shift+Delete combination on Windows. The file will not be placed in the Recycle Bin, but will be directly deleted permanently. Executing the rm command in Linux is equivalent to permanent deletion.

Although sudo rm -rf /* is extremely dangerous, we rarely write it directly. However, the rm command is still frequently used. Just a few days ago, the Shell script I worked so hard to write was deleted by me directly using rm -rf . Fortunately, I printed the content to the console before, otherwise the whole script would have been written in vain.

Is there any hope after RM?

Although the rm command means permanent deletion, it does not mean that the files cannot be recovered. It’s just that the chances of recovery vary. In fact, the delete command only marks the file node for deletion and does not actually clear the file content. If the file is restored immediately after deletion, the probability of success is still very high. However, if other users have been using this machine, or some disk writing processes have been executed, then this part of the data may be overwritten soon. At this point, it is basically impossible to recover the file.

Retrieve files using foremost

foremost is a command line tool that recovers files based on the file header and footer information and the file's built-in data structure. The following are the steps to install and recover:

Install foremost

CentOS system can be completed by running sudo yum install https://forensics.cert.org/centos/cert/7/x86_64//foremost-1.5.7-13.1.el7.x86_64.rpm -y command

If it is Ubuntu system, please try the command: sudo apt install foremost

[root@VM-0-3-centos ~]# sudo yum install https://forensics.cert.org/centos/cert/7/x86_64//foremost-1.5.7-13.1.el7.x86_64.rpm -y
Loaded plugins: fastestmirror, langpacks
Repository epel is listed more than once in the configuration
foremost-1.5.7-13.1.el7.x86_64.rpm | 46 kB 00:00:01
Examining /var/tmp/yum-root-XJIfxM/foremost-1.5.7-13.1.el7.x86_64.rpm: foremost-1.5.7-13.1.el7.x86_64
Marking /var/tmp/yum-root-XJIfxM/foremost-1.5.7-13.1.el7.x86_64.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package foremost.x86_64 0:1.5.7-13.1.el7 will be installed
--> Finished Dependency Resolution
epel/7/x86_64 | 4.7 kB 00:00:00
epel/7/x86_64/group_gz | 96 kB 00:00:00
epel/7/x86_64/updateinfo | 1.0 MB 00:00:00
epel/7/x86_64/primary_db | 7.0 MB 00:00:01
extras/7/x86_64 | 2.9 kB 00:00:00
extras/7/x86_64/primary_db | 243 kB 00:00:00
os/7/x86_64 | 3.6 kB 00:00:00
updates/7/x86_64 | 2.9 kB 00:00:00
updates/7/x86_64/primary_db | 12 MB 00:00:01

Dependencies Resolved

=====================================================================================================================
 Package Arch Version Repository Size
=====================================================================================================================
Installing:
 foremost x86_64 1.5.7-13.1.el7 /foremost-1.5.7-13.1.el7.x86_64 85k

Transaction Summary
=====================================================================================================================
Install 1 Package

Total size: 85k
Installed size: 85 k
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing: foremost-1.5.7-13.1.el7.x86_64 1/1
  Verifying : foremost-1.5.7-13.1.el7.x86_64 1/1

Installed:
  foremost.x86_64 0:1.5.7-13.1.el7

Complete!
[root@VM-0-3-centos ~]#

Create a test file

[root@VM-0-3-centos ~]# echo "this is an important file">important.txt
[root@VM-0-3-centos ~]# pwd
/root
[root@VM-0-3-centos ~]# ls
connecttendis.sh important.txt restore tarlist tendis test.iso
[root@VM-0-3-centos ~]# mkdir -p /tmp/restore

Try to restore the file after deleting it

[root@VM-0-3-centos ~]# rm important.txt
[root@VM-0-3-centos ~]# foremost -i /dev/vda1 -o /tmp/restore/
Processing: /dev/vda1
|***********Segmentation fault

After a few minutes of execution, it crashed and failed to recover. I opened the directory and found:

[root@VM-0-3-centos ~]# ls /tmp/restore/
audit.txt bmp doc exe htm jpg mov mpg pdf ppt rar sdw sxc sxw wav xls zip
avi dll docx gif jar mbd mp4 ole png pptx rif sx sxi vis wmv xlsx

It seems to be related to the file type that needs to be restored. Try another machine and another png file. First find a showball.png test file, and then confirm the partition /dev/vda1

[root@VM-0-3-centos ~]# df
Filesystem 1K-blocks Used Available Use% Mounted on
devtmpfs 930496 0 930496 0% /dev
tmpfs 941004 24 940980 1% /dev/shm
tmpfs 941004 508 940496 1% /run
tmpfs 941004 0 941004 0% /sys/fs/cgroup
/dev/vda1 51473868 6458344 42692404 14% /
/dev/loop0 361650 361650 0 100% /mnt/iso
tmpfs 188204 0 188204 0% /run/user/0
[root@VM-0-3-centos ~]# pwd
/root
[root@VM-0-3-centos ~]# ls
restore showball.png

After deleting the png file, try to restore it. After the progress bar ends, you can enter the specified directory /root/restore/ to view it.

[root@VM-0-3-centos ~]# rm showball.png
rm: remove regular file 'showball.png'? y
[root@VM-0-3-centos ~]# pwd
/root
[root@VM-0-3-centos ~]# foremost -t png -i /dev/vda1 -o /root/restore/
Processing: /dev/vda1
|*************************************************************************************************|

In the specified directory there will be an audit.txt statistics file and a type folder png

[root@VM-0-3-centos ~]# ll restore/
total 40
-rw-r--r-- 1 root root 24548 Nov 27 22:57 audit.txt
drwxr-xr-- 2 root root 16384 Nov 27 22:56 png
[root@VM-0-3-centos ~]# cd restore/
[root@VM-0-3-centos restore]# ll png
total 43764
-rw-r--r-- 1 root root 3500 Nov 27 22:53 00367400.png
-rw-r--r-- 1 root root 3578 Nov 27 22:53 00367408.png
-rw-r--r-- 1 root root 3445 Nov 27 22:53 00367416.png
-rw-r--r-- 1 root root 368 Nov 27 22:53 00367432.png
-rw-r--r-- 1 root root 363 Nov 27 22:53 00367456.png
-rw-r--r-- 1 root root 392 Nov 27 22:53 00367464.png
-rw-r--r-- 1 root root 199 Nov 27 22:53 00367616.png
...

The file names in the png directory are all numbers, which are completely different from the originally deleted files. You need to confirm it based on the audit.txt file. Open the file to confirm:

[root@VM-0-3-centos restore]# head audit.txt
Foremost version 1.5.7 by Jesse Kornblum, Kris Kendall, and Nick Mikus
Audit File

Foremost started at Sat Nov 27 22:53:48 2021
Invocation: foremost -t png -i /dev/vda1 -o /root/restore/
Output directory: /root/restore
Configuration file: /etc/foremost.conf
------------------------------------------------------------------
File: /dev/vda1
Start: Sat Nov 27 22:53:48 2021
[root@VM-0-3-centos restore]# head -n 20 audit.txt
Foremost version 1.5.7 by Jesse Kornblum, Kris Kendall, and Nick Mikus
Audit File

Foremost started at Sat Nov 27 22:53:48 2021
Invocation: foremost -t png -i /dev/vda1 -o /root/restore/
Output directory: /root/restore
Configuration file: /etc/foremost.conf
------------------------------------------------------------------
File: /dev/vda1
Start: Sat Nov 27 22:53:48 2021
Length: 49 GB (53686025728 bytes)

Num Name (bs=512) Size File Offset Comment

0: 00367400.png 3 KB 188108800 (16 x 16)
1: 00367408.png 3 KB 188112896 (16 x 16)
2: 00367416.png 3 KB 188116992 (16 x 16)
3: 00367432.png 368 B 188125184 (16 x 16)
4: 00367456.png 363 B 188137472 (16 x 16)
5: 00367464.png 392 B 188141568 (16 x 16)
...

The audit.txt file records brief information about the recovered files. This requires you to know the relevant information of the original deleted files, otherwise you can only open them one by one. I searched by resolution

[root@VM-0-3-centos restore]# grep "1217" audit.txt
116: 12888200.png 40 KB 6598758400 (1217 x 690)
360: 38088960.png 40 KB 19501547520 (1217 x 690)

According to the filtered information, I opened 12888200.png and found that it was the file I "accidentally deleted". Now I can restore it.

Recover files using extundelete

extundelete supports file recovery under ext3 and ext4 file systems. Use cat /etc/fstab to view the file system type in Linux environment.

[root@VM-0-3-centos ~]# cat /etc/fstab
UUID=21dbe030-aa71-4b3a-8610-3b942dd447fa / ext4 noatime,acl,user_xattr 1 1
proc /proc proc defaults 0 0
sysfs /sys sysfs noauto 0 0
debugfs /sys/kernel/debug debugfs noauto 0 0
devpts /dev/pts devpts mode=0620,gid=5 0 0
[root@VM-0-3-centos ~]#

Install dependency files

[root@VM-0-3-centos ~]# yum install e2fsprogs-devel
Loaded plugins: fastestmirror, langpacks
Repository epel is listed more than once in the configuration
Determining fastest mirrors
epel | 4.7 kB 00:00:00
extras | 2.9 kB 00:00:00
os | 3.6 kB 00:00:00
updates | 2.9 kB 00:00:00
(1/2): epel/7/x86_64/updateinfo | 1.0 MB 00:00:00
(2/2): epel/7/x86_64/primary_db | 7.0 MB 00:00:01
Resolving Dependencies
--> Running transaction check
---> Package e2fsprogs-devel.x86_64 0:1.42.9-19.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

===============================================================================================================
 Package Arch Version Repository Size
===============================================================================================================
Installing:
 e2fsprogs-devel x86_64 1.42.9-19.el7 os 73k

Transaction Summary
===============================================================================================================
Install 1 Package

Total download size: 73 k
Installed size: 162 k
Is this ok [y/d/N]: y
Downloading packages:
e2fsprogs-devel-1.42.9-19.el7.x86_64.rpm | 73 kB 00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing: e2fsprogs-devel-1.42.9-19.el7.x86_64 1/1
  Verifying : e2fsprogs-devel-1.42.9-19.el7.x86_64 1/1

Installed:
  e2fsprogs-devel.x86_64 0:1.42.9-19.el7

Complete!
[root@VM-0-3-centos ~]#

Download extundelete source code

[root@VM-0-3-centos ~]# wget https://src.fedoraproject.org/repo/pkgs/extundelete/extundelete-0.2.4.tar.bz2/77e626ad31433680c0a222069295d2ca/extundelete-0.2.4.tar.bz2
--2021-11-28 18:36:15-- https://src.fedoraproject.org/repo/pkgs/extundelete/extundelete-0.2.4.tar.bz2/77e626ad31433680c0a222069295d2ca/extundelete-0.2.4.tar.bz2
Resolving src.fedoraproject.org (src.fedoraproject.org)... 38.145.60.20, 38.145.60.21
Connecting to src.fedoraproject.org (src.fedoraproject.org)|38.145.60.20|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 108472 (106K) [application/x-bzip2]
Saving to: 'extundelete-0.2.4.tar.bz2'

100%[==============================================================================>] 108,472 33.5KB/s in 3.2s

2021-11-28 18:36:20 (33.5 KB/s) - 'extundelete-0.2.4.tar.bz2' saved [108472/108472]

[root@VM-0-3-centos ~]# ls
extundelete-0.2.4.tar.bz2

Unzip extundelete source code

[root@VM-0-3-centos ~]# tar -jxvf extundelete-0.2.4.tar.bz2
extundelete-0.2.4/
extundelete-0.2.4/acinclude.m4
extundelete-0.2.4/missing
extundelete-0.2.4/autogen.sh
extundelete-0.2.4/aclocal.m4
extundelete-0.2.4/configure
extundelete-0.2.4/LICENSE
extundelete-0.2.4/README
extundelete-0.2.4/install-sh
extundelete-0.2.4/config.h.in
extundelete-0.2.4/src/
extundelete-0.2.4/src/extundelete.cc
extundelete-0.2.4/src/block.h
extundelete-0.2.4/src/kernel-jbd.h
extundelete-0.2.4/src/insertionops.cc
extundelete-0.2.4/src/block.c
extundelete-0.2.4/src/cli.cc
extundelete-0.2.4/src/extundelete-priv.h
extundelete-0.2.4/src/extundelete.h
extundelete-0.2.4/src/jfs_compat.h
extundelete-0.2.4/src/Makefile.in
extundelete-0.2.4/src/Makefile.am
extundelete-0.2.4/configure.ac
extundelete-0.2.4/depcomp
extundelete-0.2.4/Makefile.in
extundelete-0.2.4/Makefile.am
[root@VM-0-3-centos ~]# cd extundelete-0.2.4/
[root@VM-0-3-centos extundelete-0.2.4]# ls
acinclude.m4 aclocal.m4 autogen.sh config.h.in configure configure.ac depcomp
install-sh LICENSE Makefile.am Makefile.in missing README src
[root@VM-0-3-centos extundelete-0.2.4]#

Compile xtundelete source code installation

[root@VM-0-3-centos extundelete-0.2.4]# ./configure --prefix=/usr/local/extundelete && make && make install
Configuring extundelete 0.2.4
Writing generated files to disk
make -s all-recursive
Making all in src
extundelete.cc: In function 'ext2_ino_t find_inode(ext2_filsys, ext2_filsys, ext2_inode*, std::string, int)':
extundelete.cc:1272:29: warning: narrowing conversion of 'search_flags' from 'int' to 'ext2_ino_t {aka unsigned int}' inside { } [-Wnarrowing]
    buf, match_name2, priv, 0};
                             ^
Making install in src
  /usr/bin/install -c extundelete '/usr/local/extundelete/bin'
[root@VM-0-3-centos extundelete-0.2.4]# which extundelete
/usr/bin/which: no extundelete in (/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin)
[root@VM-0-3-centos extundelete-0.2.4]# ll /usr/local/extundelete/bin/
total 1296
-rwxr-xr-x 1 root root 1323360 Nov 28 18:45 extundelete

If configure: error: C++ compiler cannot create executables is reported at this step, you can run the yum -y install gcc-c++ command to install the compilation environment

Preparing test files

[root@VM-0-3-centos examples]# df -T
Filesystem Type 1K-blocks Used Available Use% Mounted on
devtmpfs devtmpfs 930496 0 930496 0% /dev
tmpfs tmpfs 941004 24 940980 1% /dev/shm
tmpfs tmpfs 941004 508 940496 1% /run
tmpfs tmpfs 941004 0 941004 0% /sys/fs/cgroup
/dev/vda1 ext4 51473868 6465732 42685016 14% /
/dev/loop0 iso9660 361650 361650 0 100% /mnt/iso
tmpfs tmpfs 188204 0 188204 0% /run/user/0
[root@VM-0-3-centos examples]# cp ../extundelete-0.2.4.tar.bz2 .
[root@VM-0-3-centos examples]# ls
extundelete-0.2.4.tar.bz2

Query the inode information of the file

We select the extundelete source package we just downloaded as the "accidentally deleted" file and check the information first. -li can view the inode information of the file in the first column. The inode value of the examples folder is 1311798:

[root@VM-0-3-centos ~]# ls examples/
extundelete-0.2.4.tar.bz2
[root@VM-0-3-centos ~]# ls -li
total 361676
1311798 drwxr-xr-x 2 root root 4096 Nov 28 20:28 examples
1310761 drwxr-xr-x 3 1000 1000 4096 Nov 28 18:45 extundelete-0.2.4
 918157 drwxr-xr-x 2 root root 4096 Feb 28 2021 tarlist
 396057 -rw-r--r-- 1 root root 370329600 Feb 27 2021 test.iso

Delete the test file and use the query information

[root@VM-0-3-centos ~]# cd examples/
[root@VM-0-3-centos examples]# ls
extundelete-0.2.4.tar.bz2
[root@VM-0-3-centos examples]# rm extundelete-0.2.4.tar.bz2 -f
[root@VM-0-3-centos examples]# ls
[root@VM-0-3-centos examples]# /usr/local/extundelete/bin/extundelete /dev/vda1 --inode 1311798
NOTICE: Extended attributes are not restored.
WARNING: EXT3_FEATURE_INCOMPAT_RECOVER is set.
The partition should be unmounted to undelete any files without further data loss.
If the partition is not currently mounted, this message indicates
it was improperly unmounted, and you should run fsck before continuing.
If you decide to continue, extundelete may overwrite some of the deleted
files and make recovering those files impossible. You should unmount the
file system and check it with fsck before using extundelete.
Would you like to continue? (y/n)
y
Loading filesystem metadata ... 400 groups loaded.
Group: 160
Contents of inode 1311798:
0000 | ed 41 00 00 00 10 00 00 7a 62 a3 61 1b 7a a3 61 | .A......zb.aza
0010 | 1b 7a a3 61 00 00 00 00 00 00 02 00 08 00 00 00 | .za...........
0020 | 00 00 08 00 0b 00 00 00 0a f3 01 00 04 00 00 00 | ................
0030 | 00 00 00 00 00 00 00 00 01 00 00 00 79 20 50 00 | ............y P.
0040 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0050 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0060 | 00 00 00 00 7c 63 ab ad 00 00 00 00 00 00 00 00 | ....|c..........
0070 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0080 | 1c 00 00 00 80 da 0d a3 80 da 0d a3 94 24 04 08 | .............$..
0090 | 7a 62 a3 61 94 24 04 08 00 00 00 00 00 00 00 00 | zb.a.$..........
00a0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00b0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00c0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00d0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00e0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00f0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................

Inode is Allocated
File mode: 16877
Low 16 bits of Owner Uid: 0
Size in bytes: 4096
Access time: 1638097530
Creation time: 1638103579
Modification time: 1638103579
Deletion Time: 0
Low 16 bits of Group Id: 0
Links count: 2
Blocks count: 8
File flags: 524288
File version (for NFS): 2913690492
File ACL: 0
Directory ACL: 0
Fragment address: 0
Direct blocks: 127754, 4, 0, 0, 1, 5251193, 0, 0, 0, 0, 0, 0
Indirect block: 0
Double indirect block: 0
Triple indirect block: 0

File name | Inode number | Deleted status
.1311798
..393219
extundelete-0.2.4.tar.bz2 396764 Deleted
conftest.err 1311833 Deleted
[root@VM-0-3-centos examples]#

We found that the status of the extundelete-0.2.4.tar.bz2 file is Deleted

Recover files using extundelete

[root@VM-0-3-centos ~]# /usr/local/extundelete/bin/extundelete /dev/vda1 --restore-directory /tmp
NOTICE: Extended attributes are not restored.
WARNING: EXT3_FEATURE_INCOMPAT_RECOVER is set.
The partition should be unmounted to undelete any files without further data loss.
If the partition is not currently mounted, this message indicates
it was improperly unmounted, and you should run fsck before continuing.
If you decide to continue, extundelete may overwrite some of the deleted
files and make recovering those files impossible. You should unmount the
file system and check it with fsck before using extundelete.
Would you like to continue? (y/n)
y
Loading filesystem metadata ... 400 groups loaded.
Loading journal descriptors ... 31842 descriptors loaded.
*** Error in `/usr/local/extundelete/bin/extundelete': double free or corruption (!prev): 0x00000000014d6020 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x81299)[0x7f5c08190299]
/usr/local/extundelete/bin/extundelete[0x40cdcb]
/usr/local/extundelete/bin/extundelete[0x40fee6]
/usr/local/extundelete/bin/extundelete[0x4045b4]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x7f5c08131555]
/usr/local/extundelete/bin/extundelete[0x404aef]
======= Memory map: ========
00400000-0041c000 r-xp 00000000 fd:01 1311942 /usr/local/extundelete/bin/extundelete
0061c000-0061d000 r--p 0001c000 fd:01 1311942 /usr/local/extundelete/bin/extundelete
0061d000-0061e000 rw-p 0001d000 fd:01 1311942 /usr/local/extundelete/bin/extundelete
0061e000-0061f000 rw-p 00000000 00:00 0
014c6000-0176e000 rw-p 00000000 00:00 0 [heap]
7f5c00000000-7f5c00021000 rw-p 00000000 00:00 0
7f5c00021000-7f5c04000000 ---p 00000000 00:00 0
7f5c07ca1000-7f5c07ef3000 rw-p 00000000 00:00 0
7f5c07ef3000-7f5c07f0a000 r-xp 00000000 fd:01 265649 /usr/lib64/libpthread-2.17.so
7f5c07f0a000-7f5c08109000 ---p 00017000 fd:01 265649 /usr/lib64/libpthread-2.17.so
7f5c08109000-7f5c0810a000 r--p 00016000 fd:01 265649 /usr/lib64/libpthread-2.17.so
7f5c0810a000-7f5c0810b000 rw-p 00017000 fd:01 265649 /usr/lib64/libpthread-2.17.so
7f5c0810b000-7f5c0810f000 rw-p 00000000 00:00 0
7f5c0810f000-7f5c082d2000 r-xp 00000000 fd:01 265623 /usr/lib64/libc-2.17.so
7f5c082d2000-7f5c084d2000 ---p 001c3000 fd:01 265623 /usr/lib64/libc-2.17.so
7f5c084d2000-7f5c084d6000 r--p 001c3000 fd:01 265623 /usr/lib64/libc-2.17.so
7f5c084d6000-7f5c084d8000 rw-p 001c7000 fd:01 265623 /usr/lib64/libc-2.17.so
7f5c084d8000-7f5c084dd000 rw-p 00000000 00:00 0
7f5c084dd000-7f5c084f2000 r-xp 00000000 fd:01 291206 /usr/lib64/libgcc_s-4.8.5-20150702.so.1
7f5c084f2000-7f5c086f1000 ---p 00015000 fd:01 291206 /usr/lib64/libgcc_s-4.8.5-20150702.so.1
7f5c086f1000-7f5c086f2000 r--p 00014000 fd:01 291206 /usr/lib64/libgcc_s-4.8.5-20150702.so.1
7f5c086f2000-7f5c086f3000 rw-p 00015000 fd:01 291206 /usr/lib64/libgcc_s-4.8.5-20150702.so.1
7f5c086f3000-7f5c087f4000 r-xp 00000000 fd:01 287349 /usr/lib64/libm-2.17.so
7f5c087f4000-7f5c089f3000 ---p 00101000 fd:01 287349 /usr/lib64/libm-2.17.so
7f5c089f3000-7f5c089f4000 r--p 00100000 fd:01 287349 /usr/lib64/libm-2.17.so
7f5c089f4000-7f5c089f5000 rw-p 00101000 fd:01 287349 /usr/lib64/libm-2.17.so
7f5c089f5000-7f5c08ade000 r-xp 00000000 fd:01 266798 /usr/lib64/libstdc++.so.6.0.19
7f5c08ade000-7f5c08cde000 ---p 000e9000 fd:01 266798 /usr/lib64/libstdc++.so.6.0.19
7f5c08cde000-7f5c08ce6000 r--p 000e9000 fd:01 266798 /usr/lib64/libstdc++.so.6.0.19
7f5c08ce6000-7f5c08ce8000 rw-p 000f1000 fd:01 266798 /usr/lib64/libstdc++.so.6.0.19
7f5c08ce8000-7f5c08cfd000 rw-p 00000000 00:00 0
7f5c08cfd000-7f5c08d3f000 r-xp 00000000 fd:01 267873 /usr/lib64/libext2fs.so.2.4
7f5c08d3f000-7f5c08f3f000 ---p 00042000 fd:01 267873 /usr/lib64/libext2fs.so.2.4
7f5c08f3f000-7f5c08f40000 r--p 00042000 fd:01 267873 /usr/lib64/libext2fs.so.2.4
7f5c08f40000-7f5c08f42000 rw-p 00043000 fd:01 267873 /usr/lib64/libext2fs.so.2.4
7f5c08f42000-7f5c08f45000 r-xp 00000000 fd:01 265948 /usr/lib64/libcom_err.so.2.1
7f5c08f45000-7f5c09144000 ---p 00003000 fd:01 265948 /usr/lib64/libcom_err.so.2.1
7f5c09144000-7f5c09145000 r--p 00002000 fd:01 265948 /usr/lib64/libcom_err.so.2.1
7f5c09145000-7f5c09146000 rw-p 00003000 fd:01 265948 /usr/lib64/libcom_err.so.2.1
7f5c09146000-7f5c09168000 r-xp 00000000 fd:01 265614 /usr/lib64/ld-2.17.so
7f5c092b1000-7f5c0935d000 rw-p 00000000 00:00 0
7f5c09363000-7f5c09367000 rw-p 00000000 00:00 0
7f5c09367000-7f5c09368000 r--p 00021000 fd:01 265614 /usr/lib64/ld-2.17.so
7f5c09368000-7f5c09369000 rw-p 00022000 fd:01 265614 /usr/lib64/ld-2.17.so
7f5c09369000-7f5c0936a000 rw-p 00000000 00:00 0
7ffe581db000-7ffe581fc000 rw-p 00000000 00:00 0 [stack]
7ffe581fc000-7ffe581fe000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
Aborted
[root@VM-0-3-centos ~]#

Recovery failed, this path is blocked! ! !

Other people succeeded, but my test failed and the memory was released and crashed. Can anyone tell me how to change the source code? I have some doubts here, I will test it later, and record the common parameters first.

Query the inode file status: /usr/local/extundelete/bin/extundelete /dev/vda1 --inode 1311798

Restore the specified node data: /usr/local/extundelete/bin/extundelete /dev/vda1 --restore-inode 1311798

Restore a single file: /usr/local/extundelete/bin/extundelete /dev/vda1 --restore-file root/examples/extundelete-0.2.4.tar.bz2

Restore a directory: /usr/local/extundelete/bin/extundelete /dev/vda1 --restore-files root/examples

Restore all files: /usr/local/extundelete/bin/extundelete /dev/vda1 --restore-all

Prevent accidents caused by accidental deletion

Define alias, prompt to delete

Define an alias alias rm='rm -i' . A prompt will appear before deleting files. Use the -i option to confirm the files to be deleted one by one. The files will be deleted only if the user enters y . However, this method will become invalid after adding the -f option.

Disable rm and use mv instead

The system does not allow the direct use of the rm command to delete files. You need to mv the files to the specified recycling directory /.delete, and then use a scheduled task to clear the files in /.delete every week, which is equivalent to manually creating a recycle bin.

Summarize

When using foremost to restore, the target directory should preferably be a directory on another disk. Restoring files to the disk where the deleted files are located is likely to overwrite the accidentally deleted files before the restore.

The full name of sodu currently has two expressions: substitute user do and super user do Sudo is usually used to exercise the privileges of a super user, but sometimes it can also be used by other ordinary users. Therefore, it is more accurate to translate it as substitute user do to replace other users.

foremost supports many file systems, including ext2, ext3, vfat, NTFS, ufs, jfs, etc., but it can only recover files in specific formats. Extundelete only supports ext3 and ext4 file systems, but it can recover many file types.

In addition to the two recovery software summarized in this article, there are also testdisk and photorec that can be used for recovery. You can try data priceless later. Please delete with caution. You can refer to the alias method or disable rm -rf to reduce the occurrence of accidents.

This is the end of this article about how to recover files accidentally deleted by rm in Linux environment. For more information about how to recover files accidentally deleted by rm in Linux, please search for previous articles on 123WORDPRESS.COM or continue to browse the following related articles. I hope you will support 123WORDPRESS.COM in the future!

You may also be interested in:
  • Linux uses lsof/extundelete tools to restore accidentally deleted files or directories
  • Detailed explanation of lsof command to recover deleted files in Linux
  • An example of accidentally deleting a package in Linux
  • Linux grub startup encryption and deletion recovery method

<<:  mysql subquery and join table details

>>:  CSS to change the size (width, height) of the image when the mouse passes over the image hyperlink

Recommend

Use Visual Studio Code to connect to the MySql database and query

Visual Studio Code is a powerful text editor prod...

Solve the problem of Docker starting Elasticsearch7.x and reporting an error

Using the Docker run command docker run -d -p 920...

Vue implements local storage add, delete and modify functions

This article example shares the specific code of ...

Vue implements nested routing method example

1. Nested routing is also called sub-routing. In ...

Linux dual network card binding script method example

In Linux operation and configuration work, dual n...

How to use video.js in vue to play m3u8 format videos

Table of contents 1. Installation 2. Introducing ...

Getting started with JavaScript basics

Table of contents 1. Where to write JavaScript 2....

Install mysql5.7 on Ubuntu 18.04

Ubuntu 18.04 installs mysql 5.7 for your referenc...

Introduction to MySQL triggers, creation of triggers and analysis of usage restrictions

This article uses examples to describe the introd...

CSS3 realizes the mask barrage function

Recently I saw a barrage effect on B station call...

A method of hiding processes under Linux and the pitfalls encountered

Preface 1. The tools used in this article can be ...

An example of how to query data in MySQL and update it to another table based on conditions

This article uses an example to describe how MySQ...

Realize super cool water light effect based on canvas

This article example shares with you the specific...

Implementation of deploying war package project using Docker

To deploy war with Docker, you must use a contain...

Analysis of Difficulties in Hot Standby of MySQL Database

I have previously introduced to you the configura...