
Recovering accidentally deleted files on Linux with ext3grep

2013-09-24 15:05 561 views

First, download the software from http://code.google.com/p/ext3grep/downloads/list. The latest version at present is ext3grep-0.10.2.tar.gz.

My system environment is a virtual machine:

[root@localhost bin]# uname -a
Linux localhost.localdomain 2.6.18-164.el5 #1 SMP Tue Aug 18 15:51:54 EDT 2009 i686 i686 i386 GNU/Linux
[root@localhost bin]# cat /etc/issue
Red Hat Enterprise Linux Server release 5.4 (Tikanga)

Now let's install it. Installation is simple:

tar zxvf ext3grep-0.10.2.tar.gz
cd ext3grep-0.10.2
./configure --prefix=/usr/local/ext3grep
make
make install

The installation completes without problems. Next, look in the installation directory; it contains only a bin directory:

[root@localhost ext3grep]# pwd
/usr/local/ext3grep
[root@localhost ext3grep]# ls
bin

Go into bin and take a look:

[root@localhost ext3grep]# cd bin
[root@localhost bin]# ls
ext3grep

We can look at the help; part of it is shown below:

[root@localhost bin]# ./ext3grep -h
Running ext3grep version 0.10.2
./ext3grep: invalid option -- h
No action specified; implying --superblock.

Usage: ./ext3grep [options] [--] device-file
Options:
  --version, -[vV]       Print version and exit successfully.
  --help,                Print this help and exit successfully.
  --superblock           Print contents of superblock in addition to the rest.
                         If no action is specified then this option is implied.
  --print                Print content of block or inode, if any.
  --ls                   Print directories with only one line per entry.
                         This option is often needed to turn on filtering.
  --accept filen         Accept 'filen' as a legal filename. Can be used multi-
                         ple times. If you change any --accept you must remove
                         BOTH stage* files!
  --accept-all           Simply accept everything as filename.
  --journal              Show content of journal.
  --show-path-inodes     Show the inode of each directory component in paths.
Filters:
  --group grp            Only process group 'grp'.
  --directory            Only process directory inodes.
  --after dtime          Only entries deleted on or after 'dtime'.
  --before dtime         Only entries deleted before 'dtime'.
  --deleted              Only show/process deleted entries.
  --allocated            Only show/process allocated inodes/blocks.
  --unallocated          Only show/process unallocated inodes/blocks.
  --reallocated          Do not suppress entries with reallocated inodes.
                         Inodes are considered 'reallocated' if the entry
                         is deleted but the inode is allocated, but also when
                         the file type in the dir entry and the inode are
                         different.
  --zeroed-inodes        Do not suppress entries with zeroed inodes. Linked
                         entries are always shown, regardless of this option.
  --depth depth          Process directories recursively up till a depth
                         of 'depth'.
Actions:
  --inode-to-block ino   Print the block that contains inode 'ino'.
  --inode ino            Show info on inode 'ino'.
                         If --ls is used and the inode is a directory, then
                         the filters apply to the entries of the directory.
                         If you do not use --ls then --print is implied.
  --block blk            Show info on block 'blk'.
                         If --ls is used and the block is the first block
                         of a directory, then the filters apply to entries
                         of the directory.
                         If you do not use --ls then --print is implied.
  --histogram=[atime|ctime|mtime|dtime|group]
                         Generate a histogram based on the given specs.
                         Using atime, ctime or mtime will change the
                         meaning of --after and --before to those times.
  --journal-block jblk   Show info on journal block 'jblk'.
  --journal-transaction seq
                         Show info on transaction with sequence number 'seq'.
  --dump-names           Write the path of files to stdout.
                         This implies --ls but suppresses it's output.
  --search-start str     Find blocks that start with the fixed string 'str'.
  --search str           Find blocks that contain the fixed string 'str'.
  --search-inode blk     Find inodes that refer to block 'blk'.
  --search-zeroed-inodes Return allocated inode table entries that are zeroed.
  --inode-dirblock-table dir
                         Print a table for directory path 'dir' of directory
                         block numbers found and the inodes used for each file.

Before starting the real work, let's first create a partition to experiment on.
[root@localhost bin]# mkdir /tmp/test
[root@localhost bin]# dd if=/dev/zero of=/tmp/test/file count=102400
[root@localhost bin]# mkfs.ext3 /tmp/test/file
###### press Y to continue
[root@localhost bin]# mount -o loop /tmp/test/file /mnt

Check that it is mounted:

[root@localhost bin]# df -HT
Filesystem    Type     Size   Used  Avail Use% Mounted on
/dev/mapper/VolGroup00-LogVol00
              ext3      20G   4.3G    15G  23% /
/dev/sda1     ext3     104M    13M    86M  13% /boot
tmpfs        tmpfs     185M      0   185M   0% /dev/shm
/tmp/test/file
              ext3      51M   5.1M    44M  11% /mnt

Then write some data into it:

[root@localhost bin]# cd /mnt
[root@localhost bin]# ls
lost+found
[root@localhost mnt]# mkdir del
[root@localhost mnt]# cd del
[root@localhost del]# touch 1 2 3
[root@localhost del]# ls
1 2 3 lost+found
[root@localhost del]# cd ..
[root@localhost mnt]# rm -rf del
[root@localhost bin]# ls
lost+found

Now start the recovery. In a real recovery, unmount the filesystem (or remount it read-only) before scanning, so that the deleted blocks are not overwritten.

[root@localhost mnt]# cd /usr/local/ext3grep/bin

Scan the partition:

[root@localhost bin]# ./ext3grep /tmp/test/file --ls --inode 2
Running ext3grep version 0.10.2
Number of groups: 7
Loading group metadata... done
Minimum / maximum journal block: 447 / 4561
Loading journal descriptors... sorting... done
The oldest inode block that is still in the journal, appears to be from 1315980293 = Wed Sep 14 14:04:53 2011
Number of descriptors in journal: 36; min / max sequence numbers: 2 / 6
Inode is Allocated
Finding all blocks that might be directories.
D: block containing directory start, d: block containing more directory entries.
Each plus represents a directory start that references the same inode as a directory start that we found previously.

Searching group 0: DD++D++
Searching group 1:
Searching group 2:
Searching group 3:
Searching group 4:
Searching group 5:
Searching group 6:
Writing analysis so far to 'file.ext3grep.stage1'. Delete that file if you want to do this stage again.
Result of stage one:
  3 inodes are referenced by one or more directory blocks, 2 of those inodes are still allocated.
  1 inodes are referenced by more than one directory block, 1 of those inodes is still allocated.
  0 blocks contain an extended directory.
Result of stage two:
  2 of those inodes could be resolved because they are still allocated.
All directory inodes are accounted for!

Writing analysis so far to 'file.ext3grep.stage2'. Delete that file if you want to do this stage again.
The first block of the directory is 433.
Inode 2 is directory "".
Directory block 433:
          .-- File type in dir_entry (r=regular file, d=directory, l=symlink)
          |          .-- D: Deleted ; R: Reallocated
Indx Next |  Inode   | Deletion time                        Mode        File name
==========+==========+----------------data-from-inode------+-----------+=========
   0    1 d       2                                         drwxr-xr-x  .
   1    2 d       2                                         drwxr-xr-x  ..
   2  end d      11                                         drwx------  lost+found
   3    4 r      12  D 1315980355 Wed Sep 14 14:05:55 2011  rrw-r--r--  1
   4    5 r      13  D 1315980355 Wed Sep 14 14:05:55 2011  rrw-r--r--  2
   5    6 r      14  D 1315980355 Wed Sep 14 14:05:55 2011  rrw-r--r--  3
   6  end d    1833  D 1315980355 Wed Sep 14 14:05:55 2011  drwxr-xr-x  del

[root@localhost bin]# ./ext3grep /tmp/test/file --restore-file del --depth del
Running ext3grep version 0.10.2
Number of groups: 7
Minimum / maximum journal block: 447 / 4561
Loading journal descriptors... sorting... done
The oldest inode block that is still in the journal, appears to be from 1315980293 = Wed Sep 14 14:04:53 2011
Number of descriptors in journal: 36; min / max sequence numbers: 2 / 6
Writing output to directory RESTORED_FILES/
Loading file.ext3grep.stage2... done

Now restore the files:

[root@localhost bin]# ./ext3grep /tmp/test/file --restore-all
Running ext3grep version 0.10.2
Number of groups: 7
Minimum / maximum journal block: 447 / 4561
Loading journal descriptors... sorting... done
The oldest inode block that is still in the journal, appears to be from 1315980313 = Wed Sep 14 14:05:13 2011
Number of descriptors in journal: 36; min / max sequence numbers: 3 / 9
Loading file.ext3grep.stage2... done
Restoring 1
Restoring 2
Restoring 3
Restoring del/1
Restoring del/2
Restoring del/3

This command restores everything; of course, you can also restore specific files. You can see that a new directory has appeared in the current directory:

[root@localhost bin]# ls
RESTORED_FILES ext3grep

Let's go in and have a look:

[root@localhost bin]# cd RESTORED_FILES/
[root@localhost RESTORED_FILES]# ls
1 2 3 del lost+found

OK, all the files have been restored successfully. This tool has many commands; I have only covered a few simple ones. I hope this helps anyone who reads this article.
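As an added example (not part of the original post and not ext3grep's own code), the Python sketch below parses the `--ls` directory listing shown above and derives the deletion-time window and the names of the deleted entries, so that a restore can be scoped with the `--after`/`--before` filters from the help text. It assumes the column layout seen in this page's output and that those filters take epoch seconds like the Deletion time column; the function names are hypothetical.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the --ls directory listing from this page, one entry per
# line. Assumed layout: indx next type inode [flag dtime date] mode name.
SAMPLE = """\
Indx Next | Inode | Deletion time Mode File name
0 1 d 2 drwxr-xr-x .
1 2 d 2 drwxr-xr-x ..
2 end d 11 drwx------ lost+found
3 4 r 12 D 1315980355 Wed Sep 14 14:05:55 2011 rrw-r--r-- 1
4 5 r 13 D 1315980355 Wed Sep 14 14:05:55 2011 rrw-r--r-- 2
5 6 r 14 D 1315980355 Wed Sep 14 14:05:55 2011 rrw-r--r-- 3
6 end d 1833 D 1315980355 Wed Sep 14 14:05:55 2011 drwxr-xr-x del
"""

ENTRY = re.compile(
    r"^(?P<indx>\d+)\s+(?P<next>\d+|end)\s+(?P<type>[a-z])\s+(?P<inode>\d+)\s+"
    r"(?:(?P<flag>[DR])\s+(?P<dtime>\d+)\s+\w{3}\s+\w{3}\s+\d+\s+[\d:]+\s+\d{4}\s+)?"
    r"(?P<mode>[A-Za-z-]{10})\s+(?P<name>.+)$"
)

def parse_listing(text):
    """Return one dict per directory entry; non-entry lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            e = m.groupdict()
            e["inode"] = int(e["inode"])
            e["dtime"] = int(e["dtime"]) if e["dtime"] else None
            entries.append(e)
    return entries

def restore_window(entries):
    """(after, before, names) covering every entry flagged D with a dtime."""
    hits = [e for e in entries if e["flag"] == "D" and e["dtime"]]
    if not hits:
        return None
    times = [e["dtime"] for e in hits]
    # --after is inclusive and --before exclusive, per the help text above.
    return min(times), max(times) + 1, [e["name"] for e in hits]

def utc(ts):  # the tool prints the same instant in local time
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")

if __name__ == "__main__":
    after, before, names = restore_window(parse_listing(SAMPLE))
    print(f"--after {after} --before {before}  # {utc(after)}; deleted: {names}")
```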

This article comes from the "茬田野上" blog; please be sure to retain this source: http://darkyin.blog.51cto.com/6260426/1301095