First Encounter with Ext3grep

2023-01-31 01:01:19 ext3grep first encounter

 

Ext3grep is an open-source data recovery tool for the ext3 file system. Official download address: Http://code.Google.com/p/ext3grep/downloads/detail?name=ext3grep-0.10.2.tar.gz

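Its recovery principle is simple: ext2/ext3 file systems store files as blocks plus inodes, where the inode holds the file's metadata, including permissions, modification time, attributes and so on. On an ext3 file system with journaling, deleting a file clears the pointers in that file's inode, while the data itself is still present in the blocks. So as long as no new data has taken over those blocks, restoring the inode's pointers restores the file.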
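The deletion behaviour described above, as an added example that is not part of the original post or of ext3grep's source: it decodes the standard ext2/ext3 on-disk inode layout and shows why a wiped inode can only be re-linked from an older copy, such as the ones ext3grep looks for in the journal. The inode bytes, block number, deletion time and sequence numbers are constructed for illustration.

```python
import struct

# First 100 bytes of an ext2/ext3 on-disk inode (little-endian): mode, uid,
# size, atime, ctime, mtime, dtime, gid, links_count, blocks, flags, osd1,
# then the 15 block pointers i_block[0..14].
INODE_FMT = "<HHIIIIIHHIII15I"
INODE_SIZE = 128


def parse_inode(raw):
    """Decode the fields that matter for undelete from one raw inode."""
    f = struct.unpack_from(INODE_FMT, raw)
    return {"size": f[2], "dtime": f[6], "links": f[8], "block": list(f[12:27])}


def state(ino):
    """Classify an inode by deletion time and surviving block pointers."""
    if ino["dtime"] == 0 and ino["links"] > 0:
        return "allocated"
    if any(ino["block"]):
        return "deleted, block pointers intact"  # what ext2 leaves behind
    return "deleted, block pointers wiped"       # what ext3 leaves behind


def recover_pointers(copies):
    """copies: (journal sequence, raw inode) pairs; newest usable copy wins."""
    for seq, raw in sorted(copies, key=lambda c: c[0], reverse=True):
        ino = parse_inode(raw)
        if state(ino) == "allocated" and any(ino["block"]):
            return seq, ino["size"], [b for b in ino["block"] if b]
    return None  # no older copy left in the journal: nothing to re-link


def make_inode(size, dtime, links, blocks):
    """Pack a constructed regular-file inode (mode 0644) for the demo."""
    ptrs = list(blocks) + [0] * (15 - len(blocks))
    head = struct.pack(INODE_FMT, 0o100644, 0, size, 0, 0, 0, dtime, 0,
                       links, 2 * len(blocks), 0, 0, *ptrs)
    return head.ljust(INODE_SIZE, b"\0")


# Constructed sample: nodelete.txt ("I Love you\n", 11 bytes) before and after rm.
# Block number, dtime and sequence numbers are made up for illustration.
LIVE = make_inode(size=11, dtime=0, links=1, blocks=[1537])
DELETED = make_inode(size=0, dtime=1350471300, links=0, blocks=[])

if __name__ == "__main__":
    print(state(parse_inode(DELETED)))                   # pointers wiped on disk
    print(recover_pointers([(9, LIVE), (35, DELETED)]))  # older copy still usable
```

If the journal has already wrapped past the last live copy of the inode, `recover_pointers` returns `None`, which is the case where recovery by inode is no longer possible.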

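Next come the installation process and a simulated accidental-deletion demo:

    # unpack the downloaded source tarball, then build and install
    tar -xzf ext3grep-0.10.2.tar.gz
    cd ext3grep-0.10.2
    ./configure
    make && make install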

1. I currently have sdb5 mounted at /mnt/data2:

    mount /dev/sdb5 /mnt/data2/

Create a directory and a file under it:

    [root@localhost src]# cd /mnt/data2/
    [root@localhost data2]# ls
    [root@localhost data2]# echo "I Love you" > nodelete.txt
    [root@localhost data2]# ls
    nodelete.txt
    [root@localhost data2]# cat nodelete.txt
    I Love you
    [root@localhost data2]# mkdir nodelete
    [root@localhost data2]# ls
    nodelete  nodelete.txt

2. Next, suppose I accidentally delete both items:

    [root@localhost data2]# rm -fR no*
    [root@localhost data2]# ls
    [root@localhost data2]#

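3. Recovery. After an accidental deletion, make absolutely sure that nothing more is written anywhere on the disk. We first unmount the affected partition.

    [root@localhost data2]# cd
    [root@localhost ~]# umount /mnt/data2/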

# View the data to be recovered

    [root@localhost ~]# ext3grep /dev/sdb5 --ls --inode 2
    Running ext3grep version 0.10.1
    WARNING: I don't know what EXT3_FEATURE_COMPAT_EXT_ATTR is.
    Number of groups: 8
    Loading group metadata... done
    Minimum / maximum journal block: 583 / 4685
    Loading journal descriptors... sorting... done
    The oldest inode block that is still in the journal, appears to be from 1350471162 = Wed Oct 17 18:52:42 2012
    Number of descriptors in journal: 65; min / max sequence numbers: 9 / 35
    Inode is Allocated

# Restore nodelete.txt specifically

    [root@localhost ~]# ext3grep /dev/sdb5 --restore-file nodelete.txt
    Running ext3grep version 0.10.1
    WARNING: I don't know what EXT3_FEATURE_COMPAT_EXT_ATTR is.
    Number of groups: 8
    Minimum / maximum journal block: 583 / 4685
    Loading journal descriptors... sorting... done
    The oldest inode block that is still in the journal, appears to be from 1350471162 = Wed Oct 17 18:52:42 2012

# Restore all data

    ext3grep /dev/sdb5 --restore-all

After the restore runs, a directory named "RESTORED_FILES" is created in the current directory; the data you want is inside it.

    [root@localhost ~]# ls |grep RE
    RESTORED_FILES
