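How to use ext3grep to recover accidentally deleted files on Linux

I have actually known about this tool for a long time. When I experimented with it a while ago, things kept going wrong and I could not fix them myself. Very frustrating, very depressing, a real pain...

Maybe my luck was better today: I installed the package, tried it out, and, heh, it actually worked, and the files had been deleted with rm -rf at that!

First download the software. Download address:

http://code.google.com/p/ext3grep/downloads/list

The latest version at the moment is: ext3grep-0.10.2.tar.gz

My system environment is a virtual machine:

[root@localhost bin]# uname -a
Linux localhost.localdomain 2.6.18-164.el5 #1 SMP Tue Aug 18 15:51:54 EDT 2009 i686 i686 i386 GNU/Linux
[root@localhost bin]# cat /etc/issue
Red Hat Enterprise Linux Server release 5.4 (Tikanga)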

Now for the installation, which is simple:

tar zxvf ext3grep-0.10.2.tar.gz
cd ext3grep-0.10.2
./configure --prefix=/usr/local/ext3grep
make
make install

The installation completed without problems.

Then go into the installation directory and take a look; there is only a bin directory:

[root@localhost ext3grep]# pwd
/usr/local/ext3grep
[root@localhost ext3grep]# ls
bin

Go into bin and take a look:

[root@localhost ext3grep]# cd bin
[root@localhost bin]# ls
ext3grep

We can take a look at the help; part of it is shown below:

[root@localhost bin]# ./ext3grep -h
Running ext3grep version 0.10.2
./ext3grep: invalid option -- h
No action specified; implying --superblock.
Usage: ./ext3grep [options] [--] device-file
Options:
  --version, -[vV]       Print version and exit successfully.
  --help,                Print this help and exit successfully.
  --superblock           Print contents of superblock in addition to the rest.
                         If no action is specified then this option is implied.
  --print                Print content of block or inode, if any.
  --ls                   Print directories with only one line per entry.
                         This option is often needed to turn on filtering.
  --accept filen         Accept 'filen' as a legal filename. Can be used multi-
                         ple times. If you change any --accept you must remove
                         BOTH stage* files!
  --accept-all           Simply accept everything as filename.
  --journal              Show content of journal.
  --show-path-inodes     Show the inode of each directory component in paths.

Filters:
  --group grp            Only process group 'grp'.
  --directory            Only process directory inodes.
  --after dtime          Only entries deleted on or after 'dtime'.
  --before dtime         Only entries deleted before 'dtime'.
  --deleted              Only show/process deleted entries.
  --allocated            Only show/process allocated inodes/blocks.
  --unallocated          Only show/process unallocated inodes/blocks.
  --reallocated          Do not suppress entries with reallocated inodes.
                         Inodes are considered 'reallocated' if the entry
                         is deleted but the inode is allocated, but also when
                         the file type in the dir entry and the inode are
                         different.
  --zeroed-inodes        Do not suppress entries with zeroed inodes. Linked
                         entries are always shown, regardless of this option.
  --depth depth          Process directories recursively up till a depth
                         of 'depth'.
Actions:
  --inode-to-block ino   Print the block that contains inode 'ino'.
  --inode ino            Show info on inode 'ino'.
                         If --ls is used and the inode is a directory, then
                         the filters apply to the entries of the directory.
                         If you do not use --ls then --print is implied.
  --block blk            Show info on block 'blk'.
                         If --ls is used and the block is the first block
                         of a directory, then the filters apply to entries
                         of the directory.
                         If you do not use --ls then --print is implied.
  --histogram=[atime|ctime|mtime|dtime|group]
                         Generate a histogram based on the given specs.
                         Using atime, ctime or mtime will change the
                         meaning of --after and --before to those times.
  --journal-block jblk   Show info on journal block 'jblk'.
  --journal-transaction seq
                         Show info on transaction with sequence number 'seq'.
  --dump-names           Write the path of files to stdout.
                         This implies --ls but suppresses it's output.
  --search-start str     Find blocks that start with the fixed string 'str'.
  --search str           Find blocks that contain the fixed string 'str'.
  --search-inode blk     Find inodes that refer to block 'blk'.
  --search-zeroed-inodes Return allocated inode table entries that are zeroed.
  --inode-dirblock-table dir
                         Print a table for directory path 'dir' of directory
                         block numbers found and the inodes used for each file.

Before getting to work, let's first create a partition to experiment on:

[root@localhost bin]# mkdir /tmp/test
[root@localhost bin]# dd if=/dev/zero of=/tmp/test/file count=102400
[root@localhost bin]# mkfs.ext3 /tmp/test/file
###### Press y to continue
[root@localhost bin]# mount -o loop /tmp/test/file /mnt

Check whether it is mounted:

[root@localhost bin]# df -HT
Filesystem    Type     Size   Used  Avail Use% Mounted on
/dev/mapper/VolGroup00-LogVol00
              ext3      20G   4.3G    15G  23% /
/dev/sda1     ext3     104M    13M    86M  13% /boot
tmpfs        tmpfs     185M      0   185M   0% /dev/shm
/tmp/test/file
              ext3      51M   5.1M    44M  11% /mnt

Then write some data into it:

[root@localhost bin]# cd /mnt
[root@localhost mnt]# ls
lost+found
[root@localhost mnt]# mkdir del
[root@localhost mnt]# cd del
[root@localhost del]# touch 1 2 3
[root@localhost del]# ls
1 2 3 lost+found
[root@localhost del]# cd ..
[root@localhost mnt]# rm -rf del
[root@localhost mnt]# ls
lost+found

Now the recovery begins:

[root@localhost mnt]# cd /usr/local/ext3grep/bin

Scan the partition:

[root@localhost bin]# ./ext3grep /tmp/test/file --ls --inode 2
Running ext3grep version 0.10.2
Number of groups: 7
Loading group metadata... done
Minimum / maximum journal block: 447 / 4561
Loading journal descriptors... sorting... done
The oldest inode block that is still in the journal, appears to be from 1315980293 = Wed Sep 14 14:04:53 2011
Number of descriptors in journal: 36; min / max sequence numbers: 2 / 6
Inode is Allocated
Finding all blocks that might be directories.
D: block containing directory start, d: block containing more directory entries.
Each plus represents a directory start that references the same inode as a directory start that we found previously.
Searching group 0: DD++D++
Searching group 1:
Searching group 2:
Searching group 3:
Searching group 4:
Searching group 5:
Searching group 6:
Writing analysis so far to 'file.ext3grep.stage1'. Delete that file if you want to do this stage again.
Result of stage one:
3 inodes are referenced by one or more directory blocks, 2 of those inodes are still allocated.
1 inodes are referenced by more than one directory block, 1 of those inodes is still allocated.
0 blocks contain an extended directory.
Result of stage two:
2 of those inodes could be resolved because they are still allocated.
All directory inodes are accounted for!
Writing analysis so far to 'file.ext3grep.stage2'. Delete that file if you want to do this stage again.
The first block of the directory is 433.
Inode 2 is directory "".

Directory block 433:
          .-- File type in dir_entry (r=regular file, d=directory, l=symlink)
          |          .-- D: Deleted ; R: Reallocated
Indx Next |  Inode   | Deletion time                        Mode        File name
==========+==========+----------------data-from-inode------+-----------+=========
   0    1 d        2                                        drwxr-xr-x  .
   1    2 d        2                                        drwxr-xr-x  ..
   2  end d       11                                        drwx------  lost+found
   3    4 r       12 D 1315980355 Wed Sep 14 14:05:55 2011  rrw-r--r--  1
   4    5 r       13 D 1315980355 Wed Sep 14 14:05:55 2011  rrw-r--r--  2
   5    6 r       14 D 1315980355 Wed Sep 14 14:05:55 2011  rrw-r--r--  3
   6  end d     1833 D 1315980355 Wed Sep 14 14:05:55 2011  drwxr-xr-x  del

[root@localhost bin]# ./ext3grep /tmp/test/file --restore-file del --depth del
Running ext3grep version 0.10.2
Number of groups: 7
Minimum / maximum journal block: 447 / 4561
Loading journal descriptors... sorting... done
The oldest inode block that is still in the journal, appears to be from 1315980293 = Wed Sep 14 14:04:53 2011
Number of descriptors in journal: 36; min / max sequence numbers: 2 / 6
Writing output to directory RESTORED_FILES/
Loading file.ext3grep.stage2... done

Now start restoring the files:

[root@localhost bin]# ./ext3grep /tmp/test/file --restore-all
Running ext3grep version 0.10.2
Number of groups: 7
Minimum / maximum journal block: 447 / 4561
Loading journal descriptors... sorting... done
The oldest inode block that is still in the journal, appears to be from 1315980313 = Wed Sep 14 14:05:13 2011
Number of descriptors in journal: 36; min / max sequence numbers: 3 / 9
Loading file.ext3grep.stage2... done
Restoring 1
Restoring 2
Restoring 3
Restoring del/1
Restoring del/2
Restoring del/3

This command restores everything; of course, specific files can be restored as well.

You can see that a new directory has appeared in the current directory:

[root@localhost bin]# ls
RESTORED_FILES ext3grep

Let's go in and take a look:

[root@localhost bin]# cd RESTORED_FILES/
[root@localhost RESTORED_FILES]# ls
1 2 3 del lost+found

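OK, all the files have been recovered successfully. This tool has many commands; I have only written up a few simple ones, and I hope this helps whoever reads this article.

This article is my own original work, not reposted from elsewhere on the web. If you repost it, please credit the source; much appreciated.

This article comes from the “吖吖個呸” blog; please be sure to keep this source: http://gm100861.blog.51cto.com/1930562/708002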
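
As an added example (not from the original post or the ext3grep project), this script reads a directory listing in the format printed by --ls --inode 2 above and prints one --restore-file command per deleted regular file, optionally only for entries deleted at or after a given epoch time. The function names and the embedded sample rows are constructed for illustration; it assumes the listing is of the root directory (inode 2), so names are relative to the filesystem root, and that the image is no longer mounted read-write while ext3grep works on it.

```shell
#!/bin/sh
# Added example (not from the original post): read an `ext3grep --ls --inode 2`
# listing and print targeted --restore-file commands. Nothing is executed.

# Constructed sample input: rows modelled on the directory listing above.
sample_listing() {
cat <<'EOF'
   0    1 d        2   drwxr-xr-x  .
   2  end d       11   drwx------  lost+found
   3    4 r       12 D 1315980355 Wed Sep 14 14:05:55 2011  rrw-r--r--  1
   4    5 r       13 D 1315980355 Wed Sep 14 14:05:55 2011  rrw-r--r--  2
   5    6 r       14 D 1315980355 Wed Sep 14 14:05:55 2011  rrw-r--r--  3
   6  end d     1833 D 1315980355 Wed Sep 14 14:05:55 2011  drwxr-xr-x  del
EOF
}

# deleted_entries [SINCE]: stdin = listing rows; stdout = one line per row
# flagged D with deletion time >= SINCE (epoch seconds, default 0), as
# inode<TAB>dtime<TAB>type<TAB>name.
deleted_entries() {
    awk -v since="${1:-0}" '
        # Assumed row shape: Indx Next Type Inode D Dtime <5 date words> Mode Name
        $1 ~ /^[0-9]+$/ && $4 ~ /^[0-9]+$/ && $5 == "D" && $6 ~ /^[0-9]+$/ {
            if ($6 + 0 < since + 0) next
            name = $13
            for (i = 14; i <= NF; i++) name = name " " $i   # names with spaces
            printf "%s\t%s\t%s\t%s\n", $4, $6, $3, name
        }'
}

# restore_commands IMAGE [SINCE]: print one command per deleted regular file.
# Names come from untrusted disk contents, so anything outside a conservative
# character set is reported instead of being placed on a command line.
restore_commands() {
    deleted_entries "${2:-0}" | awk -F '\t' -v img="$1" '
        $4 !~ /^[A-Za-z0-9._+-]+$/ { printf "# inode %s: unusual name, handle by hand\n", $1; next }
        $3 == "r" { printf "ext3grep %s --restore-file %s   # inode %s\n", img, $4, $1 }
        $3 == "d" { printf "# directory %s (inode %s): list it with --ls --inode %s\n", $4, $1, $1 }'
}

sample_listing | restore_commands /tmp/test/file
```

Passing the deletion time from the listing as the second argument (for example 1315980355) limits the output to entries removed in that rm -rf run.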
