Recovering accidentally deleted files on an ext3 file system with ext3grep
Environment:
OS: CentOS 5.2, with an ext3 file system
1. First, simulate a partition:
mkdir /home/store
cd /home/store
dd if=/dev/zero of=file count=102400
mkfs.ext3 file
mount -o loop /home/store/file /mnt/
You can see that it has been mounted:
df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/VolGroup00-LogVol00
13G 4.7G 7.5G 39% /
/dev/hda1 99M 18M 77M 19% /boot
tmpfs 107M 0 107M 0% /dev/shm
/home/store/file 49M 4.9M 42M 11% /mnt
For the experiment, copy the whole of /boot into /mnt:
cp -r /boot /mnt/
cd /mnt/boot
ls
System.map-2.6.18-92.1.17.el5 lost+found
System.map-2.6.18-92.el5 message
config-2.6.18-92.1.17.el5 symvers-2.6.18-92.1.17.el5.gz
config-2.6.18-92.el5 symvers-2.6.18-92.el5.gz
grub vmlinuz-2.6.18-92.1.17.el5
initrd-2.6.18-92.1.17.el5.img vmlinuz-2.6.18-92.el5
initrd-2.6.18-92.el5.img
The listing above is the content of boot.
Now delete /mnt/boot:
rm -rf /mnt/boot
ls -al /mnt/
total 21
drwxr-xr-x 3 root root 1024 Feb 1 15:15 .
drwxr-xr-x 26 root root 4096 Feb 1 14:50 ..
drwx------ 2 root root 12288 Feb 1 15:09 lost+found
boot has been deleted.
2. Install ext3grep
The ext3grep source package is available here:
http://code.google.com/p/ext3grep/downloads/list
tar -zxvf ext3grep-0.10.1.tar.gz
cd ext3grep-0.10.1
./configure
make&&make install
3. Start the recovery
Unmount the partition that held the files, in this case /home/store/file:
umount /home/store/file
df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/VolGroup00-LogVol00
13G 4.7G 7.5G 39% /
/dev/hda1 99M 18M 77M 19% /boot
tmpfs 107M 0 107M 0% /dev/shm
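As the output shows, it has been unmounted.
Scan the partition (inode 2 is the root directory of the file system):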
ext3grep /home/store/file --ls --inode 2
Running ext3grep version 0.10.1
Number of groups: 7
Loading group metadata... done
Minimum / maximum journal block: 447 / 4561
Loading journal descriptors... sorting... done
The oldest inode block that is still in the journal, appears to be from 1233472221 = Sun Feb 1 15:10:21 2009
Number of descriptors in journal: 100; min / max sequence numbers: 2 / 9
Inode is Allocated
Finding all blocks that might be directories.
D: block containing directory start, d: block containing more directory entries.
Each plus represents a directory start that references the same inode as a directory start that we found previously.
Searching group 0: DDD+DD+
Searching group 1: ++
Searching group 2: +
Searching group 3:
Searching group 4:
Searching group 5:
Searching group 6:
Writing analysis so far to 'file.ext3grep.stage1'. Delete that file if you want
to do this stage again.
Result of stage one:
5 inodes are referenced by one or more directory blocks, 2 of those inodes are still allocated.
4 inodes are referenced by more than one directory block, 1 of those inodes is still allocated.
0 blocks contain an extended directory.
Result of stage two:
2 of those inodes could be resolved because they are still allocated.
3 inodes could be resolved because all refering blocks but one were journal blocks.
All directory inodes are accounted
Writing analysis so far to 'file.ext3grep.stage2'. Delete that file if you want
to do this stage again.
The first block of the directory is 433.
Inode 2 is directory "".
Directory block 433:
.-- File type in dir_entry (r=regular file, d=directory, l=symlink)
| .-- D: Deleted ; R: Reallocated
Indx Next | Inode | Deletion time Mode File name
==========+==========+----------------data-from-inode------+-----------+=========
0 1 d 2 drwxr-xr-x .
1 2 d 2 drwxr-xr-x ..
2 end d 11 drwx------ lost+found
3 end d 1833 D 1233472535 Sun Feb 1 15:15:35 2009 drwxr-xr-x boot
Next, we restore grub under boot:
ext3grep /home/store/file --restore-file boot/grub/grub.conf
Running ext3grep version 0.10.1
Number of groups: 7
Minimum / maximum journal block: 447 / 4561
Loading journal descriptors... sorting... done
The oldest inode block that is still in the journal, appears to be from 1233472221 = Sun Feb 1 15:10:21 2009
Number of descriptors in journal: 100; min / max sequence numbers: 2 / 9
Loading file.ext3grep.stage2... done
Restoring boot/grub/grub.conf
Check whether the recovery succeeded. The restored files are placed in RESTORED_FILES:
cd RESTORED_FILES/boot/grub/
ls -l
total 4
-rw------- 1 root root 769 Feb 1 15:10 grub.conf
It clearly succeeded.
Next, we restore the entire content of the boot directory:
ext3grep /home/store/file --restore-all
Running ext3grep version 0.10.1
Number of groups: 7
Minimum / maximum journal block: 447 / 4561
Loading journal descriptors... sorting... done
The oldest inode block that is still in the journal, appears to be from 1233472221 = Sun Feb 1 15:10:21 2009
Number of descriptors in journal: 100; min / max sequence numbers: 2 / 9
Writing output to directory RESTORED_FILES/
Loading file.ext3grep.stage2... done
Restoring boot/System.map-2.6.18-92.1.17.el5
Restoring boot/System.map-2.6.18-92.el5
Restoring boot/config-2.6.18-92.1.17.el5
Restoring boot/config-2.6.18-92.el5
Restoring boot/grub/device.map
Restoring boot/grub/e2fs_stage1_5
Restoring boot/grub/fat_stage1_5
Restoring boot/grub/ffs_stage1_5
Restoring boot/grub/grub.conf
Restoring boot/grub/iso9660_stage1_5
Restoring boot/grub/jfs_stage1_5
WARNING: Failed to set access and modification time on RESTORED_FILES/boot/grub/menu.lst: Function not implemented
Restoring boot/grub/minix_stage1_5
Restoring boot/grub/reiserfs_stage1_5
Restoring boot/grub/splash.xpm.gz
Restoring boot/grub/stage1
Restoring boot/grub/stage2
Restoring boot/grub/ufs2_stage1_5
Restoring boot/grub/vstafs_stage1_5
Restoring boot/grub/xfs_stage1_5
Restoring boot/initrd-2.6.18-92.1.17.el5.img
Restoring boot/initrd-2.6.18-92.el5.img
Restoring boot/message
Restoring boot/symvers-2.6.18-92.1.17.el5.gz
Restoring boot/symvers-2.6.18-92.el5.gz
Restoring boot/vmlinuz-2.6.18-92.1.17.el5
Restoring boot/vmlinuz-2.6.18-92.el5
Compare the size of the boot directory before and after recovery:
du -sh RESTORED_FILES/boot
12M RESTORED_FILES/boot
du -sh /boot
12M /boot
The result clearly shows that the recovery succeeded.
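The du comparison above only shows that the two totals agree. As an added example (not part of the original article), this POSIX shell function compares the restored tree with a reference copy byte for byte; compare_trees and its report labels are names made up here, and the symlink branch assumes that boot/grub/menu.lst, the entry the restore log warns about, is a symlink as it normally is on CentOS.

```sh
#!/bin/sh
# Added example (not from the original article): check an ext3grep restore
# byte for byte against a reference copy instead of comparing du totals.
# Prints one line per problem; exit status 0 means every entry matched.
compare_trees() {
    orig=$1
    restored=$2
    list=$(mktemp) || return 2
    status=0
    # Walk regular files and symlinks of the reference tree.
    # Assumption: boot/grub/menu.lst is a symlink, as is usual on CentOS.
    (cd "$orig" && find . \( -type f -o -type l \) -print) > "$list"
    while IFS= read -r rel; do
        rel=${rel#./}
        if [ -L "$orig/$rel" ]; then
            # Compare link targets, not the files they point to.
            if [ ! -L "$restored/$rel" ] ||
               [ "$(readlink "$orig/$rel")" != "$(readlink "$restored/$rel")" ]; then
                echo "LINK     $rel"
                status=1
            fi
        elif [ ! -f "$restored/$rel" ]; then
            echo "MISSING  $rel"
            status=1
        elif ! cmp -s "$orig/$rel" "$restored/$rel"; then
            echo "MISMATCH $rel"
            status=1
        fi
    done < "$list"
    rm -f "$list"
    return "$status"
}

# Usage with the article's paths:
#   compare_trees /boot RESTORED_FILES/boot
```

An empty report with exit status 0 means every file and symlink under the reference tree was restored with identical content.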