linux环境下rm -f 删除了/test/delete/data/下的文件file,一时无法找回,因为是ext3文件系统,尝试用ext3grep恢复。
实验环境
[root@master ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.7 (Tikanga)
下载软件
cd /usr/local/src
wget https://ext3grep.googlecode.com/files/ext3grep-0.10.2.tar.gz
tar zxf ext3grep-0.10.2.tar.gz
cd ext3grep-0.10.2
./configure
make
make install
卸载分区
umount /test/
用 ext3grep /dev/sda1 --ls --inode 2扫描文件系统分区
[root@master ~]# ext3grep /dev/sda1 --ls --inode 2
Running ext3grep version 0.10.2
Number of groups: 64
Loading group metadata... done
Minimum / maximum journal block: 1033 / 34862
Loading journal descriptors... sorting... done
The oldest inode block that is still in the journal, appears to be from 1386658143 = Tue Dec 10 14:49:03 2013
Number of descriptors in journal: 281; min / max sequence numbers: 12 / 40
Inode is Allocated
Finding all blocks that might be directories.
D: block containing directory start, d: block containing more directory entries.
Each plus represents a directory start that references the same inode as a directory start that we found previously.
Searching group 0: DDDD++++++++
Searching group 1:
Searching group 2:
......
Searching group 62:
Searching group 63:
Writing analysis so far to 'sda1.ext3grep.stage1'. Delete that file if you want to do this stage again.
Result of stage one:
4 inodes are referenced by one or more directory blocks, 4 of those inodes are still allocated.
3 inodes are referenced by more than one directory block, 3 of those inodes are still allocated.
0 blocks contain an extended directory.
Result of stage two:
4 of those inodes could be resolved because they are still allocated.
All directory inodes are accounted for!
Writing analysis so far to 'sda1.ext3grep.stage2'. Delete that file if you want to do this stage again.
The first block of the directory is 1027.
Inode 2 is directory "".
Directory block 1027:
.-- File type in dir_entry (r=regular file, d=directory, l=symlink)
| .-- D: Deleted ; R: Reallocated
Indx Next | Inode | Deletion time Mode File name
==========+==========+----------------data-from-inode------+-----------+=========
0 1 d 2 drwxr-xr-x .
1 2 d 2 drwxr-xr-x ..
2 4 d 11 drwx------ lost+found
3 4 r 49153 D 1386658360 Tue Dec 10 14:52:40 2013 rrw-r--r-- delete_for_test
4 end d 196609 drwxr-xr-x delete
逐级扫描inode,找到目标文件
[root@master ~]# ext3grep /dev/sda1 --ls --inode 196609
Running ext3grep version 0.10.2
Number of groups: 64
Minimum / maximum journal block: 1033 / 34862
Loading journal descriptors... sorting... done
The oldest inode block that is still in the journal, appears to be from 1386658143 = Tue Dec 10 14:49:03 2013
Number of descriptors in journal: 281; min / max sequence numbers: 12 / 40
Inode is Allocated
Loading sda1.ext3grep.stage2... done
The first block of the directory is 397312.
Inode 196609 is directory "delete".
Directory block 397312:
.-- File type in dir_entry (r=regular file, d=directory, l=symlink)
| .-- D: Deleted ; R: Reallocated
Indx Next | Inode | Deletion time Mode File name
==========+==========+----------------data-from-inode------+-----------+=========
0 1 d 196609 drwxr-xr-x .
1 2 d 2 drwxr-xr-x ..
2 end d 196610 drwxr-xr-x data
[root@master ~]# ext3grep /dev/sda1 --ls --inode 196610
Running ext3grep version 0.10.2
Number of groups: 64
Minimum / maximum journal block: 1033 / 34862
Loading journal descriptors... sorting... done
The oldest inode block that is still in the journal, appears to be from 1386658143 = Tue Dec 10 14:49:03 2013
Number of descriptors in journal: 281; min / max sequence numbers: 12 / 40
Inode is Allocated
Loading sda1.ext3grep.stage2... done
The first block of the directory is 399360.
Inode 196610 is directory "delete/data".
Directory block 399360:
.-- File type in dir_entry (r=regular file, d=directory, l=symlink)
| .-- D: Deleted ; R: Reallocated
Indx Next | Inode | Deletion time Mode File name
==========+==========+----------------data-from-inode------+-----------+=========
0 1 d 196610 drwxr-xr-x .
1 2 d 196609 drwxr-xr-x ..
2 end r 196611 rrw-r--r-- file
3 end r 196612 D 1386658375 Tue Dec 10 14:52:55 2013 rrw-r--r-- file
找到目标文件file,inode为196612
尝试恢复
[root@master ~]# ext3grep /dev/sda1 --restore-file delete/data/file
Running ext3grep version 0.10.2
Number of groups: 64
Minimum / maximum journal block: 1033 / 34862
Loading journal descriptors... sorting... done
The oldest inode block that is still in the journal, appears to be from 1386658143 = Tue Dec 10 14:49:03 2013
Number of descriptors in journal: 281; min / max sequence numbers: 12 / 40
Loading sda1.ext3grep.stage2... done
Restoring delete/data/file
提示Restoring delete/data/file,说明恢复成功。在执行命令的目录下会生成一个RESTORED_FILES目录,恢复的文件就存放在该目录下
[root@master ~]# cd RESTORED_FILES/
[root@master RESTORED_FILES]# ls
delete lost+found
[root@master RESTORED_FILES]# tree delete/
delete/
`-- data
`-- file
1 directory, 1 file
实验环境
[root@master ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.7 (Tikanga)
下载软件
cd /usr/local/src
wget https://ext3grep.googlecode.com/files/ext3grep-0.10.2.tar.gz
tar zxf ext3grep-0.10.2.tar.gz
cd ext3grep-0.10.2
./configure
make
make install
卸载分区
umount /test/
用 ext3grep /dev/sda1 --ls --inode 2扫描文件系统分区
[root@master ~]# ext3grep /dev/sda1 --ls --inode 2
Running ext3grep version 0.10.2
Number of groups: 64
Loading group metadata... done
Minimum / maximum journal block: 1033 / 34862
Loading journal descriptors... sorting... done
The oldest inode block that is still in the journal, appears to be from 1386658143 = Tue Dec 10 14:49:03 2013
Number of descriptors in journal: 281; min / max sequence numbers: 12 / 40
Inode is Allocated
Finding all blocks that might be directories.
D: block containing directory start, d: block containing more directory entries.
Each plus represents a directory start that references the same inode as a directory start that we found previously.
Searching group 0: DDDD++++++++
Searching group 1:
Searching group 2:
......
Searching group 62:
Searching group 63:
Writing analysis so far to 'sda1.ext3grep.stage1'. Delete that file if you want to do this stage again.
Result of stage one:
4 inodes are referenced by one or more directory blocks, 4 of those inodes are still allocated.
3 inodes are referenced by more than one directory block, 3 of those inodes are still allocated.
0 blocks contain an extended directory.
Result of stage two:
4 of those inodes could be resolved because they are still allocated.
All directory inodes are accounted for!
Writing analysis so far to 'sda1.ext3grep.stage2'. Delete that file if you want to do this stage again.
The first block of the directory is 1027.
Inode 2 is directory "".
Directory block 1027:
.-- File type in dir_entry (r=regular file, d=directory, l=symlink)
| .-- D: Deleted ; R: Reallocated
Indx Next | Inode | Deletion time Mode File name
==========+==========+----------------data-from-inode------+-----------+=========
0 1 d 2 drwxr-xr-x .
1 2 d 2 drwxr-xr-x ..
2 4 d 11 drwx------ lost+found
3 4 r 49153 D 1386658360 Tue Dec 10 14:52:40 2013 rrw-r--r-- delete_for_test
4 end d 196609 drwxr-xr-x delete
逐级扫描inode,找到目标文件
[root@master ~]# ext3grep /dev/sda1 --ls --inode 196609
Running ext3grep version 0.10.2
Number of groups: 64
Minimum / maximum journal block: 1033 / 34862
Loading journal descriptors... sorting... done
The oldest inode block that is still in the journal, appears to be from 1386658143 = Tue Dec 10 14:49:03 2013
Number of descriptors in journal: 281; min / max sequence numbers: 12 / 40
Inode is Allocated
Loading sda1.ext3grep.stage2... done
The first block of the directory is 397312.
Inode 196609 is directory "delete".
Directory block 397312:
.-- File type in dir_entry (r=regular file, d=directory, l=symlink)
| .-- D: Deleted ; R: Reallocated
Indx Next | Inode | Deletion time Mode File name
==========+==========+----------------data-from-inode------+-----------+=========
0 1 d 196609 drwxr-xr-x .
1 2 d 2 drwxr-xr-x ..
2 end d 196610 drwxr-xr-x data
[root@master ~]# ext3grep /dev/sda1 --ls --inode 196610
Running ext3grep version 0.10.2
Number of groups: 64
Minimum / maximum journal block: 1033 / 34862
Loading journal descriptors... sorting... done
The oldest inode block that is still in the journal, appears to be from 1386658143 = Tue Dec 10 14:49:03 2013
Number of descriptors in journal: 281; min / max sequence numbers: 12 / 40
Inode is Allocated
Loading sda1.ext3grep.stage2... done
The first block of the directory is 399360.
Inode 196610 is directory "delete/data".
Directory block 399360:
.-- File type in dir_entry (r=regular file, d=directory, l=symlink)
| .-- D: Deleted ; R: Reallocated
Indx Next | Inode | Deletion time Mode File name
==========+==========+----------------data-from-inode------+-----------+=========
0 1 d 196610 drwxr-xr-x .
1 2 d 196609 drwxr-xr-x ..
2 end r 196611 rrw-r--r-- file
3 end r 196612 D 1386658375 Tue Dec 10 14:52:55 2013 rrw-r--r-- file
找到目标文件file,inode为196612
尝试恢复
[root@master ~]# ext3grep /dev/sda1 --restore-file delete/data/file
Running ext3grep version 0.10.2
Number of groups: 64
Minimum / maximum journal block: 1033 / 34862
Loading journal descriptors... sorting... done
The oldest inode block that is still in the journal, appears to be from 1386658143 = Tue Dec 10 14:49:03 2013
Number of descriptors in journal: 281; min / max sequence numbers: 12 / 40
Loading sda1.ext3grep.stage2... done
Restoring delete/data/file
提示Restoring delete/data/file,说明恢复成功。在执行命令的目录下会生成一个RESTORED_FILES目录,恢复的文件就存放在该目录下
[root@master ~]# cd RESTORED_FILES/
[root@master RESTORED_FILES]# ls
delete lost+found
[root@master RESTORED_FILES]# tree delete/
delete/
`-- data
`-- file
1 directory, 1 file
来自 “ ITPUB博客 ” ,链接:http://blog.itpub.net/27181165/viewspace-1062910/,如需转载,请注明出处,否则将追究法律责任。
转载于:http://blog.itpub.net/27181165/viewspace-1062910/
扫一扫
1391
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
