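extundelete Package Description
extundelete is a utility that can recover deleted files from an ext3 or ext4 partition. ext3 and ext4 are the most common default file systems in Linux distributions such as Mint, Mageia, or Ubuntu. extundelete uses the information stored in the partition's journal to attempt to recover a file that has been deleted from the partition. There is no guarantee that any particular file can be undeleted, so it is best to have a good backup system in place, or at least to put one in place after recovering your files. Source: http://extundelete.sourceforge.net/
extundelete Homepage | Kali extundelete Repo
- Author: Nic Case
- License: GPLv2
0x01 Tools included in the extundelete package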
extundelete - utility to recover deleted files from ext3/ext4 partitions
:~# extundelete --help
Usage: extundelete [options] [--] device-file
Options:
  --version, -[vV]       Print version and exit successfully.
  --help,                Print this help and exit successfully.
  --superblock           Print contents of superblock in addition to the rest.
                         If no action is specified then this option is implied.
  --journal              Show content of journal.
  --after dtime          Only process entries deleted on or after 'dtime'.
  --before dtime         Only process entries deleted before 'dtime'.
Actions:
  --inode ino            Show info on inode 'ino'.
  --block blk            Show info on block 'blk'.
  --restore-inode ino[,ino,...]
                         Restore the file(s) with known inode number 'ino'.
                         The restored files are created in ./RESTORED_FILES
                         with their inode number as extension (ie, file.12345).
  --restore-file 'path'  Will restore file 'path'. 'path' is relative to root
                         of the partition and does not start with a '/' (it
                         must be one of the paths returned by --dump-names).
                         The restored file is created in the current
                         directory as 'RECOVERED_FILES/path'.
  --restore-files 'path' Will restore files which are listed in the file 'path'.
                         Each filename should be in the same format as an option
                         to --restore-file, and there should be one per line.
  --output-dir 'path'    Restore files in the output dir 'path'.
                         By default the restored files are created under
                         current directory 'RECOVERED_FILES'.
  --restore-all          Attempts to restore everything.
  -j journal             Reads an external journal from the named file.
  -b blocknumber         Uses the backup superblock at blocknumber when opening
                         the file system.
  -B blocksize           Uses blocksize as the block size when opening the file
                         system. The number should be the number of bytes.
0x02 extundelete Usage Example
Read the partition (/dev/sda1) and restore (--restore-file) the specified file (root/importantfile):
:~# extundelete /dev/sda1 --restore-file root/importantfile
WARNING: Extended attributes are not restored.
WARNING: EXT3_FEATURE_INCOMPAT_RECOVER is set.
The partition should be unmounted to undelete any files without further data loss.
If the partition is not currently mounted, this message indicates
it was improperly unmounted, and you should run fsck before continuing.
If you decide to continue, extundelete may overwrite some of the deleted
files and make recovering those files impossible. You should unmount the
file system and check it with fsck before using extundelete.
Would you like to continue? (y/n)
y
Loading filesystem metadata ... 192 groups loaded.
Loading journal descriptors ... 29495 descriptors loaded.
Writing output to directory RECOVERED_FILES/
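The unmount warning in the output above and the path rules for --restore-file / --restore-files from the help text can be enforced before extundelete is started. The following is an added example, not part of the original page or of extundelete itself; the function names, the MOUNTS variable and the sample paths are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight checks around extundelete (helper names are hypothetical).

# Return 0 if DEVICE is a mount source in the mounts table (default /proc/mounts).
# Assumption: the device is listed under the same name you pass in; MOUNTS can
# point at another file in /proc/mounts format.
is_mounted() {
    awk -v dev="$1" '$1 == dev { found = 1 } END { exit !found }' \
        "${MOUNTS:-/proc/mounts}"
}

# Convert an absolute path under MOUNTPOINT into the form --restore-file expects:
# relative to the root of the partition, with no leading '/'.
to_restore_path() {
    base=${1%/}                 # "/" becomes "", "/home/" becomes "/home"
    case "$2" in
        "$base"/?*) rel=${2#"$base"/}; printf '%s\n' "$rel" ;;
        *) return 1 ;;          # path is not under this mount point
    esac
}

# Print one partition-relative path per line: the list format for --restore-files.
build_restore_list() {
    root=$1; shift
    for p in "$@"; do
        to_restore_path "$root" "$p" || {
            echo "error: $p is not under $root" >&2
            return 1
        }
    done
}

# Recover the files named in LIST from DEVICE into OUTDIR.
# Refuses to run while DEVICE is mounted, as the extundelete warning advises.
recover_listed() {
    dev=$1 list=$2 outdir=$3
    if is_mounted "$dev"; then
        echo "refusing: $dev is mounted; unmount it before recovering" >&2
        return 2
    fi
    extundelete "$dev" --restore-files "$list" --output-dir "$outdir"
}
```

Typical use is `build_restore_list / /root/importantfile > list.txt` followed by `recover_listed /dev/sda1 list.txt /mnt/other/recovered`, with the output directory on a different file system than the one being recovered.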
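Original article: https://www.hackfun.org/kali-tools/extundelete_zh.html. Please credit the original source when reposting; for commercial use, contact the original author for authorization.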