ext3grep 可以恢复 Linux ext3 分区上被 rm -rf 删除的文件。以下是部分操作记录的存档(不完整),仅供参考。注意:发现误删后应立即停止向该分区写入(卸载或以只读方式重新挂载),否则被删除文件的数据块可能被新数据覆盖而无法恢复。
1-step(本步骤执行的命令没有记录下来;从下面的输出看,列出的是根目录 inode 2,推测命令为 ext3grep /dev/sda2 --ls --inode 2)
Writing analysis so far to 'sda2.ext3grep.stage2'. Delete that file if you want to do this stage again.
The first block of the directory is 2051.
Inode 2 is directory "".
Directory block 2051:
.-- File type in dir_entry (r=regular file, d=directory, l=symlink)
| .-- D: Deleted ; R: Reallocated
Indx Next | Inode | Deletion time Mode File name
==========+==========+----------------data-from-inode------+-----------+=========
0 1 d 2 drwxr-xr-x .
1 2 d 2 drwxr-xr-x ..
2 3 d 11 drwx------ lost+found
3 4 d18055169 drwx------ luoxg
4 5 d 4718593 drwx------ ms55
5 6 d28442625 drwx------ wangwh
6 7 d 7503873 drwx------ liuhui
7 end r18055178 rrw-r--r-- As5.5-x64.iso
[root@node02 recover]# ll
total 360
-rw-r--r-- 1 root root 94191 Oct 25 16:12 sda2.ext3grep.stage1
-rw-r--r-- 1 root root 263260 Oct 25 16:13 sda2.ext3grep.stage2
[root@node02 recover]#
2-step# ext3grep /dev/sda2 --ls --inode 18055169
Loading sda2.ext3grep.stage2.......................................... done
The first block of the directory is 18056194.
Inode 18055169 is directory "luoxg".
Directory block 18056194:
.-- File type in dir_entry (r=regular file, d=directory, l=symlink)
| .-- D: Deleted ; R: Reallocated
Indx Next | Inode | Deletion time Mode File name
==========+==========+----------------data-from-inode------+-----------+=========
0 1 d18055169 drwx------ .
1 2 d 2 drwxr-xr-x ..
2 3 r18055170 rrw-r--r-- .bash_profile
3 4 r18055181 rrw-r--r-- .bashrc
4 5 r18055172 rrw-r--r-- .emacs
5 6 r18055173 rrw-r--r-- .bash_logout
6 7 d18055174 drwxr-xr-x .mozilla
7 8 r18055177 rrw-r--r-- .zshrc
8 9 r18055183 rrw------- .viminfo
9 10 d18055207 drwxrwxr-x bin
10 11 d19562497 drwxrwxrwx MD
11 12 r18055179 rrw------- .bash_history
12 13 d19955921 drwxrwxr-x csrc
13 14 d19202049 drwxrwxr-x bench
14 15 r18055171 rrw-rw-r-- log
15 16 d18087937 drwx------ .ssh
16 17 d18087939 drwxrwxr-x software
17 18 d19071139 drwxrwxr-x backup
18 19 d18154773 drwxrwxr-x .local
19 20 d19955970 drwxrwxr-x testing
20 21 r18055184 rrw------- .dmrc
21 22 d19956007 drwx------ .gconf
22 23 d19956218 drwxrwxr-x yx
23 24 d18088849 drwxrwxr-x calypso-gulp
24 25 d19070981 drwxrwxr-x 2012
25 26 d19956008 drwx------ .gconfd
26 27 d19956010 drwx------ .gnome2
27 28 d19956011 drwx------ .gnome2_private
28 29 d19956027 drwxr-xr-x .nautilus
29 30 d19956028 drwxr-xr-x Desktop
30 31 d19431425 drwxrwxr-x tmp
31 32 r18055186 rrw------- .ICEauthority
32 33 r18055185 rrw-r--r-- .gtkrc-1.2-gnome2
33 34 d19956029 drwxrwxr-x .gnome
34 35 d19956034 drwxrwxr-x .redhat
35 36 d19956036 drwxr-x--- .eggcups
36 37 d19956037 drwx------ .metacity
37 38 d19956040 drwx------ .Trash
38 39 d19956042 drwxrwxr-x .gstreamer-0.10
39 end d19956304 drwxrwxr-x added-point
42 44 r18055188 D 1351039976 Wed Oct 24 08:52:56 2012 rrw-rw-r-- log
43 44 r18055189 D 1351039976 Wed Oct 24 08:52:56 2012 rrw-rw-r-- CHGCAR
44 46 r18055190 D 1351039976 Wed Oct 24 08:52:56 2012 rrw-rw-r-- vasprun.xml
45 46 r18055191 D 1351039976 Wed Oct 24 08:52:56 2012 rrw-rw-r-- OUTCAR
46 52 r18055192 D 1351039976 Wed Oct 24 08:52:56 2012 rrw-rw-r-- WAVECAR
47 50 r18055193 D 1351039976 Wed Oct 24 08:52:56 2012 rrw-rw-r-- EIGENVAL
48 49 r18055194 D 1351039976 Wed Oct 24 08:52:56 2012 rrw-rw-r-- CONTCAR
49 50 r18055195 D 1351039976 Wed Oct 24 08:52:56 2012 rrw-rw-r-- DOSCAR
50 51 r18055196 D 1351039976 Wed Oct 24 08:52:56 2012 rrw-rw-r-- OSZICAR
51 52 r18055197 D 1351039976 Wed Oct 24 08:52:56 2012 rrw-rw-r-- PCDAT
52 54 r18055198 D 1351039976 Wed Oct 24 08:52:56 2012 rrw-rw-r-- XDATCAR
53 54 r18055199 D 1351039976 Wed Oct 24 08:52:56 2012 rrw-rw-r-- CHG
54 end r18055200 D 1351039984 Wed Oct 24 08:53:04 2012 rrw-rw-r-- comment-cutoff
55 end r18055201 D 1351040527 Wed Oct 24 09:02:07 2012 rrw------- .viminfo.tmp
[root@node02 recover]#
3-step
[root@node02 recover]# ext3grep /dev/sda2 --ls --inode 19956218
Running ext3grep version 0.10.2
WARNING: I don't know what EXT3_FEATURE_COMPAT_EXT_ATTR is.
Number of groups: 1407
Minimum / maximum journal block: 2057 / 36910
Loading journal descriptors... sorting... done
The oldest inode block that is still in the journal, appears to be from 1350995011 = Tue Oct 23 20:23:31 2012
Journal transaction 959113 wraps around, some data blocks might have been lost of this transaction.
Number of descriptors in journal: 28918; min / max sequence numbers: 958686 / 963914
Inode is Allocated
Loading sda2.ext3grep.stage2.......................................... done
The first block of the directory is 19970056.
Inode 19956218 is directory "luoxg/yx".
Directory block 19970056:
.-- File type in dir_entry (r=regular file, d=directory, l=symlink)
| .-- D: Deleted ; R: Reallocated
Indx Next | Inode | Deletion time Mode File name
==========+==========+----------------data-from-inode------+-----------+=========
0 1 d19956218 drwxrwxr-x .
1 2 d18055169 drwx------ ..
2 3 d19956219 drwxrwxr-x struc1
3 5 d19956220 drwxrwxr-x boron
4 5 d19956517 D 1351124073 Thu Oct 25 08:14:33 2012 drwxrwxr-x ribbon
5 6 d19956519 drwxrwxr-x alpha-POT2k05
6 end r19956518 rrw-rw-r-- ribbon.tar.gz
[root@node02 recover]#
4-step
[root@node02 recover]# ext3grep /dev/sda2 --ls --inode 19956517
Running ext3grep version 0.10.2
WARNING: I don't know what EXT3_FEATURE_COMPAT_EXT_ATTR is.
Number of groups: 1407
Minimum / maximum journal block: 2057 / 36910
Loading journal descriptors... sorting... done
The oldest inode block that is still in the journal, appears to be from 1350995011 = Tue Oct 23 20:23:31 2012
Journal transaction 959113 wraps around, some data blocks might have been lost of this transaction.
Number of descriptors in journal: 28918; min / max sequence numbers: 958686 / 963914
Inode is Unallocated
Loading sda2.ext3grep.stage2.......................................... done
The first block of the directory is 19980305.
Inode 19956517 is directory "luoxg/yx/ribbon".
Directory block 19980305:
.-- File type in dir_entry (r=regular file, d=directory, l=symlink)
| .-- D: Deleted ; R: Reallocated
Indx Next | Inode | Deletion time Mode File name
==========+==========+----------------data-from-inode------+-----------+=========
0 1 d19956517 D 1351124073 Thu Oct 25 08:14:33 2012 drwxrwxr-x .
1 end d19956218 drwxrwxr-x ..
2 end d19956570 D 1351123914 Thu Oct 25 08:11:54 2012 drwxrwxr-x model
3 end d19988715 D 1351123914 Thu Oct 25 08:11:54 2012 drwxrwxr-x nano1-8
4 5 d19956884 D 1351124073 Thu Oct 25 08:14:33 2012 drwxrwxr-x alpha
5 end d19988637 D 1351123914 Thu Oct 25 08:11:54 2012 drwxrwxr-x gama-boron
6 end d19989162 D 1351123914 Thu Oct 25 08:11:54 2012 drwxrwxr-x nano2-15
[root@node02 recover]#
[root@node02 Calculation]# date -d "2012-10-25 08:10:00" +%s
1351123800
[root@node02 Calculation]# date -d "2012-10-25 08:15:00" +%s
1351124100
[root@node02 Calculation]#
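第 4 步中各目录的删除时间(1351123914、1351124073)都落在上面换算出的 08:10–08:15 时间窗(1351123800–1351124100)内,因此用 --after/--before 把恢复范围限定在这个区间。恢复出的文件会写入当前目录下的 RESTORED_FILES 目录,所以当前目录不应位于被恢复的分区上:
ext3grep /dev/sda2 --histogram=dtime --after=1351123800 --before=1351124100 --restore-all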
转载本文请联系原作者获取授权,同时请注明本文来自罗晓光科学网博客。
链接地址:http://blog.sciencenet.cn/blog-683919-660706.html