初遇 Ext3grep
Ext3grep 是ext3文件系统下的一个开源数据恢复工具,官方下载地址Http://code.Google.com/p/ext3grep/downloads/detail?name=ext3grep-0.10.2.tar.gz 。
它的恢复原理很简单:ext2/ext3 文件系统是采用 block+inode 的方式存放文件的,其中 inode 存放文件的元数据,包含文件权限、更改时间、属性等。而在带有日志功能的 ext3 文件系统中,删除一个文件,就是将该文件的 inode节点中的指针清除,其实数据还在存在block当中的。所以如果没有新的数据来占用该 block,只要恢复了inode指向,该文件就恢复了。
接下来是安装过程和模拟误删演示:
1: cd ext3grep-0.10.2
2: ./configure
3: make && make install
1、 我现在是将 sdb5 挂载到分区 /mnt/data2 下:
1: mount /dev/sdb5 /mnt/data2/
分别在下面新建一个目录和一文件
1: [root@localhost src]# cd /mnt/data2/
2: [root@localhost data2]# ls
3: [root@localhost data2]# echo "I Love you" > nodelete.txt
4: [root@localhost data2]# ls
5: nodelete.txt
6: [root@localhost data2]# cat nodelete.txt
7: I Love you
8: [root@localhost data2]# mkdir nodelete
9: [root@localhost data2]# ls
10: nodelete nodelete.txt
11:
2、 接下来假设我误删2个数据了,
1: [root@localhost data2]# rm -fR no*
2: [root@localhost data2]# ls
3: [root@localhost data2]#
4:
3、恢复。误删之后千万注意整个硬盘不能有任何写入操作了,我们先卸载所在分区。
1: [root@localhost data2]# cd
2: [root@localhost ~]# umount /mnt/data2/
#查看要恢复的数据
1: [root@localhost ~]# ext3grep /dev/sdb5 --ls --inode 2
2: Running ext3grep version 0.10.1
3: WARNING: I don't know what EXT3_FEATURE_COMPAT_EXT_ATTR is.
4: Number of groups: 8
5: Loading group metadata... done
6: Minimum / maximum journal block: 583 / 4685
7: Loading journal descriptors... sorting... done
8: The oldest inode block that is still in the journal, appears to be from 1350471162 = Wed Oct 17 18:52:42 2012
9: Number of descriptors in journal: 65; min / max sequence numbers: 9 / 35
10: Inode is Allocated
11:
#指定恢复nodelete.txt
1: [root@localhost ~]# ext3grep /dev/sdb5 --restore-file nodelete.txt
2: Running ext3grep version 0.10.1
3: WARNING: I don't know what EXT3_FEATURE_COMPAT_EXT_ATTR is.
4: Number of groups: 8
5: Minimum / maximum journal block: 583 / 4685
6: Loading journal descriptors... sorting... done
7: The oldest inode block that is still in the journal, appears to be from 1350471162 = Wed Oct 17 18:52:42 2012
8:
#恢复所有数据 ext3grep /dev/sdb5 --restore-all
执行恢复后会在当前目录下生成一个 目录 “RESTORED_FILES”,你要的数据就在里面了。
1: [root@localhost ~]# ls |grep RE
2: RESTORED_FILES
3:
相关文章