Recovering accidentally deleted files on Linux with ext3grep [Original]

Introduction:
##################################################
AUTHOR:吖吖个呸
DATE:2011-09-14
EMAIL:gm100861@gmail.com
##################################################

Actually I have known about this tool for a long time. A while ago I was experimenting with it and kept running into problems that I could not solve myself. Very frustrating, very annoying, very painful...
Maybe my luck was better today: I installed the package, gave it a try, and, to my surprise, it worked. And the files had been deleted with rm -rf, no less!
First, download the software from:
http://code.google.com/p/ext3grep/downloads/list
The current latest version is ext3grep-0.10.2.tar.gz.
My test system is a virtual machine:
[root@localhost bin]# uname -a
Linux localhost.localdomain 2.6.18-164.el5 #1 SMP Tue Aug 18 15:51:54 EDT 2009 i686 i686 i386 GNU/Linux
[root@localhost bin]# cat /etc/issue
Red Hat Enterprise Linux Server release 5.4 (Tikanga)
Now the installation, which is very simple:
tar zxvf ext3grep-0.10.2.tar.gz
cd ext3grep-0.10.2
./configure --prefix=/usr/local/ext3grep
make
make install
Installation completed without problems.
Then go into the install directory and have a look; there is only a bin directory:
[root@localhost ext3grep]# pwd
/usr/local/ext3grep
[root@localhost ext3grep]# ls
bin
Go into bin and have a look:
[root@localhost ext3grep]# cd bin
[root@localhost bin]# ls
ext3grep
We can look at the help; part of it is shown below (-h is not actually a valid option, but the usage text is printed anyway):
[root@localhost bin]# ./ext3grep -h
Running ext3grep version 0.10.2
./ext3grep: invalid option -- h
No action specified; implying --superblock.

Usage: ./ext3grep [options] [--] device-file
Options:
--version, -[vV] Print version and exit successfully.
--help, Print this help and exit successfully.
--superblock Print contents of superblock in addition to the rest.
If no action is specified then this option is implied.
--print Print content of block or inode, if any.
--ls Print directories with only one line per entry.
This option is often needed to turn on filtering.
--accept filen Accept 'filen' as a legal filename. Can be used multi-
ple times. If you change any --accept you must remove
BOTH stage* files!
--accept-all Simply accept everything as filename.
--journal Show content of journal.
--show-path-inodes Show the inode of each directory component in paths.
Filters:
--group grp Only process group 'grp'.
--directory Only process directory inodes.
--after dtime Only entries deleted on or after 'dtime'.
--before dtime Only entries deleted before 'dtime'.
--deleted Only show/process deleted entries.
--allocated Only show/process allocated inodes/blocks.
--unallocated Only show/process unallocated inodes/blocks.
--reallocated Do not suppress entries with reallocated inodes.
Inodes are considered 'reallocated' if the entry
is deleted but the inode is allocated, but also when
the file type in the dir entry and the inode are
different.
--zeroed-inodes Do not suppress entries with zeroed inodes. Linked
entries are always shown, regardless of this option.
--depth depth Process directories recursively up till a depth
of 'depth'.
Actions:
--inode-to-block ino Print the block that contains inode 'ino'.
--inode ino Show info on inode 'ino'.
If --ls is used and the inode is a directory, then
the filters apply to the entries of the directory.
If you do not use --ls then --print is implied.
--block blk Show info on block 'blk'.
If --ls is used and the block is the first block
of a directory, then the filters apply to entries
of the directory.
If you do not use --ls then --print is implied.
--histogram=[atime|ctime|mtime|dtime|group]
Generate a histogram based on the given specs.
Using atime, ctime or mtime will change the
meaning of --after and --before to those times.
--journal-block jblk Show info on journal block 'jblk'.
--journal-transaction seq
Show info on transaction with sequence number 'seq'.
--dump-names Write the path of files to stdout.
This implies --ls but suppresses it's output.
--search-start str Find blocks that start with the fixed string 'str'.
--search str Find blocks that contain the fixed string 'str'.
--search-inode blk Find inodes that refer to block 'blk'.
--search-zeroed-inodes Return allocated inode table entries that are zeroed.
--inode-dirblock-table dir
Print a table for directory path 'dir' of directory
block numbers found and the inodes used for each file.
Before we start, let's first create a test partition (a file-backed ext3 image mounted through a loop device) to experiment with:

[root@localhost bin]# mkdir /tmp/test
[root@localhost bin]# dd if=/dev/zero of=/tmp/test/file count=102400
[root@localhost bin]# mkfs.ext3 /tmp/test/file
###### mkfs warns that the file is not a block device; answer y to continue
[root@localhost bin]# mount -o loop /tmp/test/file /mnt
Check that it is mounted:
[root@localhost bin]# df -HT
Filesystem Type Size Used Avail Use% Mounted on
/dev/mapper/VolGroup00-LogVol00
ext3 20G 4.3G 15G 23% /
/dev/sda1 ext3 104M 13M 86M 13% /boot
tmpfs tmpfs 185M 0 185M 0% /dev/shm
/tmp/test/file
ext3 51M 5.1M 44M 11% /mnt
Then write some data into it:
[root@localhost bin]# cd /mnt
[root@localhost mnt]# ls
lost+found
[root@localhost mnt]# mkdir del
[root@localhost mnt]# cd del
[root@localhost del]# touch 1 2 3
[root@localhost del]# ls
1 2 3 lost+found
[root@localhost del]# cd ..
[root@localhost mnt]# rm -rf del
[root@localhost mnt]# ls
lost+found
Now let's start the recovery:
[root@localhost mnt]#cd /usr/local/ext3grep/bin
Scan the partition first (inode 2 is the root directory of the filesystem):
[root@localhost bin]# ./ext3grep /tmp/test/file --ls --inode 2
Running ext3grep version 0.10.2
Number of groups: 7
Loading group metadata... done
Minimum / maximum journal block: 447 / 4561
Loading journal descriptors... sorting... done
The oldest inode block that is still in the journal, appears to be from 1315980293 = Wed Sep 14 14:04:53 2011
Number of descriptors in journal: 36; min / max sequence numbers: 2 / 6
Inode is Allocated
Finding all blocks that might be directories.
D: block containing directory start, d: block containing more directory entries.
Each plus represents a directory start that references the same inode as a directory start that we found previously.

Searching group 0: DD++D++
Searching group 1:
Searching group 2:
Searching group 3:
Searching group 4:
Searching group 5:
Searching group 6:
Writing analysis so far to 'file.ext3grep.stage1'. Delete that file if you want to do this stage again.
Result of stage one:
3 inodes are referenced by one or more directory blocks, 2 of those inodes are still allocated.
1 inodes are referenced by more than one directory block, 1 of those inodes is still allocated.
0 blocks contain an extended directory.
Result of stage two:
2 of those inodes could be resolved because they are still allocated.
All directory inodes are accounted for!


Writing analysis so far to 'file.ext3grep.stage2'. Delete that file if you want to do this stage again.
The first block of the directory is 433.
Inode 2 is directory "".
Directory block 433:
.-- File type in dir_entry (r=regular file, d=directory, l=symlink)
| .-- D: Deleted ; R: Reallocated
Indx Next | Inode | Deletion time Mode File name
==========+==========+----------------data-from-inode------+-----------+=========
0 1 d 2 drwxr-xr-x .
1 2 d 2 drwxr-xr-x ..
2 end d 11 drwx------ lost+found
3 4 r 12 D 1315980355 Wed Sep 14 14:05:55 2011 rrw-r--r-- 1
4 5 r 13 D 1315980355 Wed Sep 14 14:05:55 2011 rrw-r--r-- 2
5 6 r 14 D 1315980355 Wed Sep 14 14:05:55 2011 rrw-r--r-- 3
6 end d 1833 D 1315980355 Wed Sep 14 14:05:55 2011 drwxr-xr-x del
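As an added example that is not part of the original post, here is a small Python parser for the directory table that `ext3grep --ls --inode 2` printed above. It applies the same filtering that ext3grep's --deleted, --after and --before options do, and maps each deleted name to the inode it points at, which is what you need to know before restoring a single file rather than everything. The sample table is copied from the listing above; file names are assumed to contain no spaces.

```python
import re

# Sample listing constructed from the 'Directory block 433' table that
# 'ext3grep /tmp/test/file --ls --inode 2' printed above.
SAMPLE_LISTING = """\
Indx Next | Inode | Deletion time Mode File name
==========+==========+----------------data-from-inode------+-----------+=========
0 1 d 2 drwxr-xr-x .
1 2 d 2 drwxr-xr-x ..
2 end d 11 drwx------ lost+found
3 4 r 12 D 1315980355 Wed Sep 14 14:05:55 2011 rrw-r--r-- 1
4 5 r 13 D 1315980355 Wed Sep 14 14:05:55 2011 rrw-r--r-- 2
5 6 r 14 D 1315980355 Wed Sep 14 14:05:55 2011 rrw-r--r-- 3
6 end d 1833 D 1315980355 Wed Sep 14 14:05:55 2011 drwxr-xr-x del
"""

# One entry per line: index, next index (or 'end'), dir_entry file type, inode,
# then for deleted (D) or reallocated (R) entries the flag, the epoch dtime and
# a five-token human date, and finally the mode and the file name.
ENTRY_RE = re.compile(
    r"^(\d+)\s+(\d+|end)\s+([rdl])\s+(\d+)\s+"
    r"(?:([DR])\s+(\d+)\s+(?:\S+\s+){5})?(\S+)\s+(\S+)$"
)

def parse_listing(text):
    """Turn the --ls table into dicts; header and separator lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        idx, nxt, ftype, inode, flag, dtime, mode, name = m.groups()
        entries.append({
            "index": int(idx), "next": nxt, "type": ftype, "inode": int(inode),
            "deleted": flag == "D", "reallocated": flag == "R",
            "dtime": int(dtime) if dtime else None, "mode": mode, "name": name,
        })
    return entries

def deleted_entries(entries, after=None, before=None):
    """Same semantics as --deleted with --after/--before: keep deleted entries
    whose dtime is >= after and < before (epoch seconds; None = unbounded)."""
    return [e for e in entries if e["deleted"]
            and (after is None or e["dtime"] >= after)
            and (before is None or e["dtime"] < before)]

def restore_plan(entries, after=None, before=None):
    """Map each deleted name to the inode --restore-file would read it back from."""
    return {e["name"]: e["inode"] for e in deleted_entries(entries, after, before)}
```

ext3grep reads the image directly, so run it against an unmounted (or read-only mounted) filesystem: further writes can reuse the freed blocks before they are restored.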
[root@localhost bin]# ./ext3grep /tmp/test/file --restore-file del --depth del
Running ext3grep version 0.10.2
Number of groups: 7
Minimum / maximum journal block: 447 / 4561
Loading journal descriptors... sorting... done
The oldest inode block that is still in the journal, appears to be from 1315980293 = Wed Sep 14 14:04:53 2011
Number of descriptors in journal: 36; min / max sequence numbers: 2 / 6
Writing output to directory RESTORED_FILES/
Loading file.ext3grep.stage2... done
Now restore the files:
[root@localhost bin]# ./ext3grep /tmp/test/file --restore-all
Running ext3grep version 0.10.2
Number of groups: 7
Minimum / maximum journal block: 447 / 4561
Loading journal descriptors... sorting... done
The oldest inode block that is still in the journal, appears to be from 1315980313 = Wed Sep 14 14:05:13 2011
Number of descriptors in journal: 36; min / max sequence numbers: 3 / 9
Loading file.ext3grep.stage2... done
Restoring 1
Restoring 2
Restoring 3
Restoring del/1
Restoring del/2
Restoring del/3
This command restores everything; of course you can also restore specific files.
You can see that a new directory has appeared in the current directory:
[root@localhost bin]# ls
RESTORED_FILES ext3grep
Let's go in and have a look:
[root@localhost bin]# cd RESTORED_FILES/
[root@localhost RESTORED_FILES]# ls
1 2 3 del lost+found
OK, all the files have been recovered successfully. This tool has many commands; I have only covered a few simple ones, and I hope this helps whoever reads this article.
This article is my own original work, not reposted from the web. If you repost it, please credit the source. Many thanks.

This article was reposted from gm100861's 51CTO blog; original link: http://blog.51cto.com/gm100861/708002