First Encounter with Ext3grep

Published: 2019-07-05 10:15:41 | Editor: auto | Views: 1374

     

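Ext3grep is an open-source data recovery tool for the ext3 file system. Official download: http://code.google.com/p/ext3grep/downloads/detail?name=ext3grep-0.10.2.tar.gz

Its recovery principle is simple: ext2/ext3 file systems store files as blocks plus inodes, where the inode holds the file's metadata, including permissions, modification time and attributes. On ext3, which has journaling, deleting a file clears the pointers in that file's inode, while the data itself is still in the blocks. So as long as no new data has taken over those blocks, restoring the inode's pointers restores the file.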

Next come the installation steps and a simulated accidental deletion:

    # build and install from the unpacked source tree
    cd ext3grep-0.10.2
    ./configure
    make && make install

1. Here sdb5 is mounted at /mnt/data2:

    mount /dev/sdb5 /mnt/data2/

Then create one directory and one file under it:

    [root@localhost src]# cd /mnt/data2/
    [root@localhost data2]# ls
    [root@localhost data2]# echo "I Love you" > nodelete.txt
    [root@localhost data2]# ls
    nodelete.txt
    [root@localhost data2]# cat nodelete.txt
    I Love you
    [root@localhost data2]# mkdir nodelete
    [root@localhost data2]# ls
    nodelete  nodelete.txt

2. Next, suppose both items are deleted by mistake:

    [root@localhost data2]# rm -fR no*
    [root@localhost data2]# ls
    [root@localhost data2]#

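3. Recovery. After an accidental deletion, make absolutely sure that nothing more is written anywhere on the disk. First unmount the affected partition: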

    [root@localhost data2]# cd
    [root@localhost ~]# umount /mnt/data2/

List the data to be recovered:

    [root@localhost ~]# ext3grep /dev/sdb5 --ls --inode 2
    Running ext3grep version 0.10.1
    WARNING: I don't know what EXT3_FEATURE_COMPAT_EXT_ATTR is.
    Number of groups: 8
    Loading group metadata... done
    Minimum / maximum journal block: 583 / 4685
    Loading journal descriptors... sorting... done
    The oldest inode block that is still in the journal, appears to be from 1350471162 = Wed Oct 17 18:52:42 2012
    Number of descriptors in journal: 65; min / max sequence numbers: 9 / 35
    Inode is Allocated

Restore only nodelete.txt:

    [root@localhost ~]# ext3grep /dev/sdb5 --restore-file nodelete.txt
    Running ext3grep version 0.10.1
    WARNING: I don't know what EXT3_FEATURE_COMPAT_EXT_ATTR is.
    Number of groups: 8
    Minimum / maximum journal block: 583 / 4685
    Loading journal descriptors... sorting... done
    The oldest inode block that is still in the journal, appears to be from 1350471162 = Wed Oct 17 18:52:42 2012

Restore all data:

    ext3grep /dev/sdb5 --restore-all

After the recovery runs, a directory named "RESTORED_FILES" is created in the current directory, and the data you want is inside it.

    [root@localhost ~]# ls |grep RE
    RESTORED_FILES
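Step 3's warning about writes and the fact that RESTORED_FILES lands in the current directory can be handled together by recovering from a verified image instead of the live partition. The script below is an added example, not part of the original post; the function names and the paths in its usage line are assumptions, and it relies on ext3grep accepting an image file in place of the device.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and the
# paths in the usage line are assumptions.
set -u

# SHA-256 of a block device or regular file.
sha256_of() {
    sha256sum < "$1" | cut -d' ' -f1
}

# Copy the unmounted partition SRC to image IMG, check that the copy is
# bit-identical, mark it read-only and print the verified hash.
image_and_verify() {
    src=$1; img=$2
    if [ -e "$img" ]; then
        echo "refusing to overwrite $img" >&2; return 1
    fi
    dd if="$src" of="$img" bs=1M conv=fsync status=none || return 1
    src_hash=$(sha256_of "$src")
    img_hash=$(sha256_of "$img")
    if [ -z "$img_hash" ] || [ "$src_hash" != "$img_hash" ]; then
        echo "image differs from $src" >&2; return 1
    fi
    chmod 0444 "$img"
    echo "$img_hash"
}

# Succeeds only if IMG still has the hash recorded at acquisition time.
verify_unchanged() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# Run ext3grep on the image from inside WORKDIR, because RESTORED_FILES
# is created in the current directory. IMG must be an absolute path and
# WORKDIR must be on a different file system than the one being recovered.
recover_from_image() {
    img=$1; workdir=$2; name=$3
    command -v ext3grep >/dev/null 2>&1 || { echo "ext3grep not found" >&2; return 127; }
    mkdir -p "$workdir" || return 1
    ( cd "$workdir" && ext3grep "$img" --restore-file "$name" )
}

# Usage: sh recover.sh /dev/sdb5 /srv/case/sdb5.img nodelete.txt
if [ "$#" -eq 3 ]; then
    hash=$(image_and_verify "$1" "$2") || exit 1
    recover_from_image "$2" "$(dirname "$2")/work" "$3"
    verify_unchanged "$2" "$hash" || echo "WARNING: image changed" >&2
fi
```

Keep the printed hash with your notes so the image can be re-checked after each recovery attempt.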
