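ext3grep: recovering files on an ext3 filesystem

Posted by wang_0720 on 2013-12-10
On a Linux system, rm -f deleted the file named file under /test/delete/data/, and it could not be retrieved by ordinary means. Because the filesystem is ext3, recovery is attempted with ext3grep.
Test environment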
[root@master ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.7 (Tikanga)
Download and build the software
cd /usr/local/src
wget
tar zxf ext3grep-0.10.2.tar.gz
cd ext3grep-0.10.2
./configure
make
make install
Unmount the partition
umount /test/
Scan the filesystem partition with ext3grep /dev/sda1 --ls --inode 2
[root@master ~]# ext3grep /dev/sda1 --ls --inode 2
Running ext3grep version 0.10.2
Number of groups: 64
Loading group metadata... done
Minimum / maximum journal block: 1033 / 34862
Loading journal descriptors... sorting... done
The oldest inode block that is still in the journal, appears to be from 1386658143 = Tue Dec 10 14:49:03 2013
Number of descriptors in journal: 281; min / max sequence numbers: 12 / 40
Inode is Allocated
Finding all blocks that might be directories.
D: block containing directory start, d: block containing more directory entries.
Each plus represents a directory start that references the same inode as a directory start that we found previously.

Searching group 0: DDDD++++++++
Searching group 1:
Searching group 2:
......
Searching group 62:
Searching group 63:
Writing analysis so far to 'sda1.ext3grep.stage1'. Delete that file if you want to do this stage again.
Result of stage one:
  4 inodes are referenced by one or more directory blocks, 4 of those inodes are still allocated.
  3 inodes are referenced by more than one directory block, 3 of those inodes are still allocated.
  0 blocks contain an extended directory.
Result of stage two:
  4 of those inodes could be resolved because they are still allocated.
All directory inodes are accounted for!


Writing analysis so far to 'sda1.ext3grep.stage2'. Delete that file if you want to do this stage again.
The first block of the directory is 1027.
Inode 2 is directory "".
Directory block 1027:
          .-- File type in dir_entry (r=regular file, d=directory, l=symlink)
          |          .-- D: Deleted ; R: Reallocated
Indx Next |  Inode   | Deletion time                        Mode        File name
==========+==========+----------------data-from-inode------+-----------+=========
   0    1 d       2                                         drwxr-xr-x  .
   1    2 d       2                                         drwxr-xr-x  ..
   2    4 d      11                                         drwx------  lost+found
   3    4 r   49153  D 1386658360 Tue Dec 10 14:52:40 2013  rrw-r--r--  delete_for_test
   4  end d  196609                                         drwxr-xr-x  delete
Scan the inodes level by level to find the target file
[root@master ~]# ext3grep /dev/sda1 --ls --inode 196609
Running ext3grep version 0.10.2
Number of groups: 64
Minimum / maximum journal block: 1033 / 34862
Loading journal descriptors... sorting... done
The oldest inode block that is still in the journal, appears to be from 1386658143 = Tue Dec 10 14:49:03 2013
Number of descriptors in journal: 281; min / max sequence numbers: 12 / 40
Inode is Allocated
Loading sda1.ext3grep.stage2... done
The first block of the directory is 397312.
Inode 196609 is directory "delete".
Directory block 397312:
          .-- File type in dir_entry (r=regular file, d=directory, l=symlink)
          |          .-- D: Deleted ; R: Reallocated
Indx Next |  Inode   | Deletion time                        Mode        File name
==========+==========+----------------data-from-inode------+-----------+=========
   0    1 d  196609                                         drwxr-xr-x  .
   1    2 d       2                                         drwxr-xr-x  ..
   2  end d  196610                                         drwxr-xr-x  data
[root@master ~]# ext3grep /dev/sda1 --ls --inode 196610
Running ext3grep version 0.10.2
Number of groups: 64
Minimum / maximum journal block: 1033 / 34862
Loading journal descriptors... sorting... done
The oldest inode block that is still in the journal, appears to be from 1386658143 = Tue Dec 10 14:49:03 2013
Number of descriptors in journal: 281; min / max sequence numbers: 12 / 40
Inode is Allocated
Loading sda1.ext3grep.stage2... done
The first block of the directory is 399360.
Inode 196610 is directory "delete/data".
Directory block 399360:
          .-- File type in dir_entry (r=regular file, d=directory, l=symlink)
          |          .-- D: Deleted ; R: Reallocated
Indx Next |  Inode   | Deletion time                        Mode        File name
==========+==========+----------------data-from-inode------+-----------+=========
   0    1 d  196610                                         drwxr-xr-x  .
   1    2 d  196609                                         drwxr-xr-x  ..
   2  end r  196611                                         rrw-r--r--  file
   3  end r  196612  D 1386658375 Tue Dec 10 14:52:55 2013  rrw-r--r--  file
The target file, file, is found; its inode is 196612
Attempt the recovery
[root@master ~]# ext3grep /dev/sda1 --restore-file delete/data/file
Running ext3grep version 0.10.2
Number of groups: 64
Minimum / maximum journal block: 1033 / 34862
Loading journal descriptors... sorting... done
The oldest inode block that is still in the journal, appears to be from 1386658143 = Tue Dec 10 14:49:03 2013
Number of descriptors in journal: 281; min / max sequence numbers: 12 / 40
Loading sda1.ext3grep.stage2... done
Restoring delete/data/file
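The message "Restoring delete/data/file" indicates that the recovery succeeded. A RESTORED_FILES directory is created in the directory where the command was run, and the recovered files are stored there.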
[root@master ~]# cd RESTORED_FILES/
[root@master RESTORED_FILES]# ls
delete  lost+found
[root@master RESTORED_FILES]# tree delete/
delete/
`-- data
    `-- file

1 directory, 1 file
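
Added example (not part of the original post and not ext3grep's own code): a small Python parser for the directory tables that ext3grep --ls prints above. It lists the entries flagged D with their deletion time in UTC and reports names that exist both as a live entry and as a deleted one, as "file" does in delete/data. The row layout is assumed from the output shown on this page, and the function names are hypothetical.

```python
import re
from datetime import datetime, timezone

# Rows copied from the "--ls --inode 196610" listing above (table header included).
SAMPLE = """\
Indx Next |  Inode   | Deletion time                        Mode        File name
   0    1 d  196610                                         drwxr-xr-x  .
   1    2 d  196609                                         drwxr-xr-x  ..
   2  end r  196611                                         rrw-r--r--  file
   3  end r  196612  D 1386658375 Tue Dec 10 14:52:55 2013  rrw-r--r--  file
"""

# Assumed row layout: index, next, type, inode, [flag epoch date], mode, name.
ROW = re.compile(
    r"^\s*(?P<indx>\d+)\s+(?P<next>\d+|end)\s+(?P<type>[rdl])\s+(?P<inode>\d+)\s+"
    r"(?:(?P<flag>[DR])\s+(?P<dtime>\d+)\s.*?\s)?\s*"
    r"(?P<mode>[a-zA-Z-]{10})\s+(?P<name>.+)$"
)

def parse_listing(text):
    """Return one dict per directory entry row; banner and header lines are skipped."""
    entries = []
    for m in filter(None, map(ROW.match, text.splitlines())):
        e = m.groupdict()
        e["inode"] = int(e["inode"])
        e["dtime"] = int(e["dtime"]) if e["dtime"] else None
        entries.append(e)
    return entries

def deleted_entries(text):
    """Entries flagged D, with the deletion epoch rendered as UTC ISO 8601."""
    out = []
    for e in parse_listing(text):
        if e["flag"] == "D":
            when = datetime.fromtimestamp(e["dtime"], tz=timezone.utc)
            out.append((e["name"], e["inode"], when.isoformat()))
    return out

def shadowed_names(text):
    """Names that appear both as a live entry and as a deleted entry."""
    rows = parse_listing(text)
    live = {e["name"] for e in rows if e["flag"] is None}
    return sorted({e["name"] for e in rows if e["flag"] == "D"} & live)

if __name__ == "__main__":
    for name, inode, when in deleted_entries(SAMPLE):
        print(f"{name}\tinode={inode}\tdeleted={when}")
    print("also present as a live entry:", shadowed_names(SAMPLE))
```

For the listing above it reports inode 196612, deleted at 2013-12-10T06:52:55+00:00, and flags "file" as shadowed, so the inode number rather than the path is what identifies the deleted copy.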

Source: ITPUB blog, link: http://blog.itpub.net/27181165/viewspace-1062910/. If you repost this article, please credit the source; otherwise legal liability will be pursued.
