作者:Carlo Wood
时间:2008年4月
作者网站:http://code.google.com/p/ext3grep/
翻译者:www_xylove(网络ID)
时间:2013年1月27日
说明:翻译这个软件的功能主要是想证明一下自己的英文水平,顺便推广一下Carlo Wood写的这个ext3grep工具,当然,这个工具很可能很多人都已经知道了,因为毕竟是作者2008年写的,但是还可能有些读者不知道这个工具,所以,顺便推广一下罢了,其实这个工具实在是太重要了,在这个工具之前,rm -rf 删除了文件,是不可能恢复的,这个连ext3文件系统的开发者Andreas Diger都承认,但Carlo Wood不这么认为,作者认为rm文件后是可以恢复的,所以就有了ext3grep这个工具。自己翻译下来,自己的英文水平着实还有待有提高,该篇译文算是自己的练兵这作罢了.由于自己的翻译水平连自己都不屑一顾了,至于发在博客的原因,想比是自己喜欢写博客而已,没有任何原因了.强烈建议读者朋友还是读原作,请看上面的链接.
[@more@]恢复只有单个block的文件
依据原文,我在自己的环境恢复:
下面将仅仅恢复一个小的文件
我首先创建目录mkdir -p fandic/corebase,文件名为xiangyang.file
文件xiangyang.file内容
test a file with a block ,to recovery it ,alter delete file |
删除目录fangdic 子目录corebase,文件xiangyang.file
下面开始恢复:
使用ext3grep /dev/mapper/VolGroup02-LogVol00 --ls --inode找出我们想要恢复的文件
[root@primary /]# ext3grep /dev/mapper/VolGroup02-LogVol00 --ls --inode 552161 | grep corebase 2 end d 552162 D 1359337883 Sun Jan 27 20:51:23 2013 drwxr-xr-x corebase |
[root@primary /]# ext3grep /dev/mapper/VolGroup02-LogVol00 --ls --inode 552162 | grep xiangyang.file 2 end r 552165 D 1359337875 Sun Jan 27 20:51:15 2013 rrw-r--r-- xiangyang.file 3 end r 552164 D 1359337854 Sun Jan 27 20:50:54 2013 rrw-r--r-- .xiangyang.file.swp 4 end r 552163 D 1359337854 Sun Jan 27 20:50:54 2013 rrw-r--r-- xiangyang.file~ |
Inode为552165的文件已经被删除,并且在文件系统中已经没有对应数据块.
[root@primary /]# ext3grep /dev/mapper/VolGroup02-LogVol00 --print --inode 552165 Running ext3grep version 0.10.2 WARNING: I don't know what EXT3_FEATURE_COMPAT_EXT_ATTR is. WARNING: EXT3_FEATURE_INCOMPAT_RECOVER is set. This either means that your partition is still mounted, and/or the file system is in an unclean state. Number of groups: 40 Minimum / maximum journal block: 1341 / 35478 Loading journal descriptors... sorting... done The oldest inode block that is still in the journal, appears to be from 1338710654 = Sun Jun 3 04:04:14 2012 Number of descriptors in journal: 7706; min / max sequence numbers: 4853 / 7055 Hex dump of inode 552165: 0000 | a4 81 00 00 00 00 00 00 84 d9 05 51 93 d9 05 51 | ...........Q...Q 0010 | 93 d9 05 51 93 d9 05 51 00 00 00 00 00 00 00 00 | ...Q...Q........ 0020 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 0030 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 0040 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 0050 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 0060 | 00 00 00 00 67 04 dc c9 00 00 00 00 00 00 00 00 | ....g........... 0070 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ Inode is Unallocated Group: 17 Generation Id: 3386639463 uid / gid: 0 / 0 mode: rrw-r--r-- size: 0 num of links: 0 sectors: 0 (--> 0 indirect blocks). Inode Times: Accessed: 1359337860 = Sun Jan 27 20:51:00 2013 File Modified: 1359337875 = Sun Jan 27 20:51:15 2013 Inode Modified: 1359337875 = Sun Jan 27 20:51:15 2013 Deletion time: 1359337875 = Sun Jan 27 20:51:15 2013 Direct Blocks: 0 [root@primary /]# |
因此我们必须在日志里寻找该块的拷贝.首先,我们找包含这个inode的文件系统的块.
[root@primary /]# ext3grep /dev/mapper/VolGroup02-LogVol00 --inode-to-block 552165 | grep resides Inode 552165 resides in block 557058 at offset 0x200. |
日志块557058是该数据块的一个拷贝,它包含了该块的详细信息.
[root@primary /]# ext3grep /dev/mapper/VolGroup02-LogVol00 --journal --block 557058 Running ext3grep version 0.10.2 No --ls used; implying --print. WARNING: I don't know what EXT3_FEATURE_COMPAT_EXT_ATTR is. WARNING: EXT3_FEATURE_INCOMPAT_RECOVER is set. This either means that your partition is still mounted, and/or the file system is in an unclean state. Minimum / maximum journal block: 1341 / 35478 Loading journal descriptors... sorting... done The oldest inode block that is still in the journal, appears to be from 1338710654 = Sun Jun 3 04:04:14 2012 Number of descriptors in journal: 7706; min / max sequence numbers: 4853 / 7055 Journal descriptors referencing block 557058: 5848 7277 7045 1352 7046 1362 7047 1370 7049 1379 7050 1385 7051 1393 7052 1396 7053 1405 7055 1419 [root@primary /]# |
上面的显示中,最下的的数字,左边的表示事务编号,右边的表示数据块.最老的事务5848,对应的数据块为7277;最近的事务7055,对应的数据块为1419.
先从最近的事务开始查询,数据块的数据还在不在.
从事务7055,数据块1419查看有没有数据.
[root@primary /]# ext3grep /dev/mapper/VolGroup02-LogVol00 --print --block 1419 | grep -A15 'Inode 552165' --------------Inode 552165----------------------- Generation Id: 3386639463 uid / gid: 0 / 0 mode: rrw-r--r-- size: 0 num of links: 0 sectors: 0 (--> 0 indirect blocks). Inode Times: Accessed: 1359337860 = Sun Jan 27 20:51:00 2013 File Modified: 1359337875 = Sun Jan 27 20:51:15 2013 Inode Modified: 1359337875 = Sun Jan 27 20:51:15 2013 Deletion time: 1359337875 = Sun Jan 27 20:51:15 2013 Direct Blocks: 0 |
没有!
继续查找.
[root@primary /]# ext3grep /dev/mapper/VolGroup02-LogVol00 --print --block 1405 | grep -A15 'Inode 552165' --------------Inode 552165----------------------- Generation Id: 3386639463 uid / gid: 0 / 0 mode: rrw-r--r-- size: 0 num of links: 0 sectors: 0 (--> 0 indirect blocks). Inode Times: Accessed: 1359337860 = Sun Jan 27 20:51:00 2013 File Modified: 1359337875 = Sun Jan 27 20:51:15 2013 Inode Modified: 1359337875 = Sun Jan 27 20:51:15 2013 Deletion time: 1359337875 = Sun Jan 27 20:51:15 2013 Direct Blocks: 0 [root@primary /]# ext3grep /dev/mapper/VolGroup02-LogVol00 --print --block 1396 | grep -A15 'Inode 552165' --------------Inode 552165----------------------- Generation Id: 3386639463 |
uid / gid: 0 / 0 mode: rrw-r--r-- size: 0 num of links: 0 sectors: 0 (--> 0 indirect blocks). Inode Times: Accessed: 1359337860 = Sun Jan 27 20:51:00 2013 File Modified: 1359337875 = Sun Jan 27 20:51:15 2013 Inode Modified: 1359337875 = Sun Jan 27 20:51:15 2013 Deletion time: 1359337875 = Sun Jan 27 20:51:15 2013 Direct Blocks: 0 [root@primary /]# ext3grep /dev/mapper/VolGroup02-LogVol00 --print --block 1393 | grep -A15 'Inode 552165' --------------Inode 552165----------------------- Generation Id: 3386639463 uid / gid: 0 / 0 mode: rrw-r--r-- size: 61 num of links: 1 sectors: 8 (--> 0 indirect blocks). Inode Times: Accessed: 1359337860 = Sun Jan 27 20:51:00 2013 File Modified: 1359337854 = Sun Jan 27 20:50:54 2013 Inode Modified: 1359337854 = Sun Jan 27 20:50:54 2013 Deletion time: 0 Direct Blocks: 573448 |
终于从事务编号为7051,块为1393里找到了数据的拷贝.
该文件很小,就一个数据块.
使用dd命令恢复该文件.
[root@primary /]# dd if=/dev/mapper/VolGroup02-LogVol00 bs=4096 count=1 skip=573448 of=block.573448 1+0 records in 1+0 records out 4096 bytes (4.1 kB) copied, 0.022772 seconds, 180 kB/s [root@primary /]# pwd / [root@primary /]# dd if=block.573448 bs=1 count=100 of=xiangyang.file 40+0 records in 40+0 records out 100 bytes (100 B) copied, 0.00116774 seconds, 34.3 kB/s |
验证:文件已经恢复
[root@primary /]# more xiangyang.file test a file with a block ,to recovery it ,alter delete file. |
来自 “ ITPUB博客 ” ,链接:http://blog.itpub.net/28227905/viewspace-1060172/,如需转载,请注明出处,否则将追究法律责任。
转载于:http://blog.itpub.net/28227905/viewspace-1060172/
1120
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
