ext3grep恢复ext3文件系统下误删的文件
环境说明: OS:Centos5.2 文件系统为ext3
1.首先模拟一个分区:
mkdir /home/store
cd /home/store
dd if=/dev/zero of=file count=102400
mkfs.ext3 file
mount -o loop /home/store/file /mnt/
可以看到已经挂上去了
df -h Filesystem Size Used Avail Use% Mounted on /dev/mapper/VolGroup00-LogVol00 13G 4.7G 7.5G 39% / /dev/hda1 99M 18M 77M 19% /boot tmpfs 107M 0 107M 0% /dev/shm /home/store/file 49M 4.9M 42M 11% /mnt
了实验我们把/boot整个copy到/mnt里面
cp -r /boot /mnt/
cd /mnt/boot
ls System.map-2.6.18-92.1.17.el5 lost found System.map-2.6.18-92.el5 message config-2.6.18-92.1.17.el5 symvers-2.6.18-92.1.17.el5.gz config-2.6.18-92.el5 symvers-2.6.18-92.el5.gz grub vmlinuz-2.6.18-92.1.17.el5 initrd-2.6.18-92.1.17.el5.img vmlinuz-2.6.18-92.el5 initrd-2.6.18-92.el5.img
以上是boot里面的内容
现在删除/mnt/boot rm -rf /mnt/boot
ls -al /mnt/ total 21 drwxr-xr-x 3 root root 1024 Feb 1 15:15 . drwxr-xr-x 26 root root 4096 Feb 1 14:50 .. drwx------ 2 root root 12288 Feb 1 15:09 lost found
boot已经被删除
2.安装ext3grep
ext3grep的源码包在这里 http://code.google.com/p/ext3grep/downloads/list
tar -zxvf ext3grep-0.10.1.tar.gz cd ext3grep-0.10.1 ./configure make&&make install
3.开始恢复
卸载文件所在的分区也就是/home/store/file
umount /home/store/file
df -h Filesystem Size Used Avail Use% Mounted on /dev/mapper/VolGroup00-LogVol00 13G 4.7G 7.5G 39% / /dev/hda1 99M 18M 77M 19% /boot tmpfs 107M 0 107M 0% /dev/shm
查看一下已经卸载
扫描分区
ext3grep /home/store/file --ls --inode 2 Running ext3grep version 0.10.1 Number of groups: 7 Loading group metadata... done Minimum / maximum journal block: 447 / 4561 Loading journal descriptors... sorting... done The oldest inode block that is still in the journal, appears to be from 1233472221 = Sun Feb 1 15:10:21 2009 Number of descriptors in journal: 100; min / max sequence numbers: 2 / 9 Inode is Allocated Finding all blocks that might be directories. D: block containing directory start, d: block containing more directory entries. Each plus represents a directory start that references the same inode as a directory start that we found previously.
Searching group 0: DDD DD Searching group 1: Searching group 2: Searching group 3: Searching group 4: Searching group 5: Searching group 6: Writing analysis so far to 'file.ext3grep.stage1'. Delete that file if you want to do this stage again. Result of stage one: 5 inodes are referenced by one or more directory blocks, 2 of those inodes are still allocated. 4 inodes are referenced by more than one directory block, 1 of those inodes is still allocated. 0 blocks contain an extended directory. Result of stage two: 2 of those inodes could be resolved because they are still allocated. 3 inodes could be resolved because all refering blocks but one were journal blocks. All directory inodes are accounted
Writing analysis so far to 'file.ext3grep.stage2'. Delete that file if you want to do this stage again. The first block of the directory is 433. Inode 2 is directory "". Directory block 433: .-- File type in dir_entry (r=regular file, d=directory, l=symlink) | .-- D: Deleted ; R: Reallocated Indx Next | Inode | Deletion time Mode File name ========== ========== ----------------data-from-inode------ ----------- ========= 0 1 d 2 drwxr-xr-x . 1 2 d 2 drwxr-xr-x .. 2 end d 11 drwx------ lost found 3 end d 1833 D 1233472535 Sun Feb 1 15:15:35 2009 drwxr-xr-x boot 接下来我们来恢复boot下面的grub ext3grep /home/store/file --restore-file boot/grub/grub.conf
Running ext3grep version 0.10.1 Number of groups: 7 Minimum / maximum journal block: 447 / 4561 Loading journal descriptors... sorting... done The oldest inode block that is still in the journal, appears to be from 1233472221 = Sun Feb 1 15:10:21 2009 Number of descriptors in journal: 100; min / max sequence numbers: 2 / 9 Loading file.ext3grep.stage2... done Restoring boot/grub/grub.conf
查看是否恢复成功,恢复的文件在RESTORED_FILES里面 cd RESTORED_FILES/boot/grub/ ls -l total 4 -rw------- 1 root root 769 Feb 1 15:10 grub.conf
很显然成功了。
接下来我们恢复整个boot文件夹里面的内容
ext3grep /home/store/file --restore-all
Running ext3grep version 0.10.1 Number of groups: 7 Minimum / maximum journal block: 447 / 4561 Loading journal descriptors... sorting... done The oldest inode block that is still in the journal, appears to be from 1233472221 = Sun Feb 1 15:10:21 2009 Number of descriptors in journal: 100; min / max sequence numbers: 2 / 9 Writing output to directory RESTORED_FILES/ Loading file.ext3grep.stage2... done Restoring boot/System.map-2.6.18-92.1.17.el5 Restoring boot/System.map-2.6.18-92.el5 Restoring boot/config-2.6.18-92.1.17.el5 Restoring boot/config-2.6.18-92.el5 Restoring boot/grub/device.map Restoring boot/grub/e2fs_stage1_5 Restoring boot/grub/fat_stage1_5 Restoring boot/grub/ffs_stage1_5 Restoring boot/grub/grub.conf Restoring boot/grub/iso9660_stage1_5 Restoring boot/grub/jfs_stage1_5 WARNING: Failed to set access and modification time on RESTORED_FILES/boot/grub/menu.lst: Function not implemented Restoring boot/grub/minix_stage1_5 Restoring boot/grub/reiserfs_stage1_5 Restoring boot/grub/splash.xpm.gz Restoring boot/grub/stage1 Restoring boot/grub/stage2 Restoring boot/grub/ufs2_stage1_5 Restoring boot/grub/vstafs_stage1_5 Restoring boot/grub/xfs_stage1_5 Restoring boot/initrd-2.6.18-92.1.17.el5.img Restoring boot/initrd-2.6.18-92.el5.img Restoring boot/message Restoring boot/symvers-2.6.18-92.1.17.el5.gz Restoring boot/symvers-2.6.18-92.el5.gz Restoring boot/vmlinuz-2.6.18-92.1.17.el5 Restoring boot/vmlinuz-2.6.18-92.el5 比较恢复前后两个boot文件的大小: du -sh RESTORED_FILES/boot
12M RESTORED_FILES/boot
du -sh /boot
12M /boot
结果很明显恢复成功。
