系统小窝欢迎您

电脑公司 深度技术
当前位置:系统小窝 > 系统教程 > Linux教程 >

在Linux上如何使用ext3grep恢复文件

时间:2021-04-09 来源:来了老弟 人气:

Linux系统操作中,有时会不小心删除重要文件,而能够恢复删除文件的软件有很多,ext3grep就是其中的一种,ext3grep在使用中需要用到不少命令,下面小编就给大家介绍下Linux使用ext3grep的方法。

步骤:

目前的最新版本是:ext3grep-0.10.2.tar.gz

我系统的环境是:虚拟机

[root@localhost bin]# uname -a

Linux localhost.localdomain 2.6.18-164.el5 #1 SMP Tue Aug 18 15:51:54 EDT 2009 i686 i686 i386 GNU/Linux

[root@localhost bin]# cat /etc/issue

Red Hat Enterprise Linux Server release 5.4 (Tikanga)

  安装很简单

tar zxvf ext3grep-0.10.2.tar.gz

cd ext3grep-0.10.2

。/configure --prefix=/usr/local/ext3grep

make

make install

顺利安装完成。

然后进入么安装目录看一下,只有一个bin

[root@localhost ext3grep]# pwd

/usr/local/ext3grep

[root@localhost ext3grep]# ls

bin

进到bin里面看一下

[root@localhost ext3grep]# cd bin

[root@localhost bin]# ls

ext3grep

我们可以看一下帮助,下面是部分

[root@localhost bin]# 。/ext3grep -h

Running ext3grep version 0.10.2

。/ext3grep: invalid option -- h

No action specified; implying --superblock.

Usage: 。/ext3grep [options] [--] device-file

Options:

--version, -[vV] Print version and exit successfully.

--help, Print this help and exit successfully.

--superblock Print contents of superblock in addition to the rest.

If no action is specified then this option is implied.

--print Print content of block or inode, if any.

--ls Print directories with only one line per entry.

This option is often needed to turn on filtering.

--accept filen Accept lsquo;filenrsquo; as a legal filename. Can be used multi-

ple times. If you change any --accept you must remove

BOTH stage* files!

--accept-all Simply accept everything as filename.

--journal Show content of journal.

--show-path-inodes Show the inode of each directory component in paths.

Filters:

--group grp Only process group lsquo;grprsquo;。

--directory Only process directory inodes.

--after dtime Only entries deleted on or after lsquo;dtimersquo;。

--before dtime Only entries deleted before lsquo;dtimersquo;。

--deleted Only show/process deleted entries.

--allocated Only show/process allocated inodes/blocks.

--unallocated Only show/process unallocated inodes/blocks.

--reallocated Do not suppress entries with reallocated inodes.

Inodes are considered lsquo;reallocatedrsquo; if the entry

is deleted but the inode is allocated, but also when

the file type in the dir entry and the inode are

different.

--zeroed-inodes Do not suppress entries with zeroed inodes. Linked

entries are always shown, regardless of this option.

--depth depth Process directories recursively up till a depth

of lsquo;depthrsquo;。

Actions:

--inode-to-block ino Print the block that contains inode lsquo;inorsquo;。

--inode ino Show info on inode lsquo;inorsquo;。

If --ls is used and the inode is a directory, then

the filters apply to the entries of the directory.

If you do not use --ls then --print is implied.

--block blk Show info on block lsquo;blkrsquo;。

If --ls is used and the block is the first block

of a directory, then the filters apply to entries

of the directory.

If you do not use --ls then --print is implied.

--histogram=[atime|ctime|mtime|dtime|group]

Generate a histogram based on the given specs.

Using atime, ctime or mtime will change the

meaning of --after and --before to those times.

--journal-block jblk Show info on journal block lsquo;jblkrsquo;。

--journal-transaction seq

Show info on transaction with sequence number lsquo;seqrsquo;。

--dump-names Write the path of files to stdout.

This implies --ls but suppresses itlsquo;s output.

--search-start str Find blocks that start with the fixed string rsquo;strlsquo;。

--search str Find blocks that contain the fixed string rsquo;strlsquo;。

--search-inode blk Find inodes that refer to block rsquo;blklsquo;。

--search-zeroed-inodes Return allocated inode table entries that are zeroed.

--inode-dirblock-table dir

Print a table for directory path rsquo;dirlsquo; of directory

block numbers found and the inodes used for each file.

 

开始工作之前,我们先来制作一个分区,然后来做试验

[root@localhost bin]# mkdir /tmp/test

[root@localhost bin]# dd if=/dev/zero of=file count=102400

[root@localhost bin]#mkfs.ext3 file

######按Y继续

[root@localhost bin]#mount -o loop /tmp/test/file /mnt

看一下有没有挂上

[root@localhost bin]# df -HT

Filesystem Type Size Used Avail Use% Mounted on

/dev/mapper/VolGroup00-LogVol00

ext3 20G 4.3G 15G 23% /

/dev/sda1 ext3 104M 13M 86M 13% /boot

tmpfs tmpfs 185M 0 185M 0% /dev/shm

/tmp/test/file

ext3 51M 5.1M 44M 11% /mnt

然后写入数据到里面

[root@localhost bin]#cd /mnt

[root@localhost bin]#ls

lost+found

[root@localhost mnt]# mkdir del

[root@localhost mnt]# cd del

[root@localhost del]# touch 1 2 3

[root@localhost del]# ls

1 2 3 lost+found

[root@localhost del]# cd 。。

[root@localhost mnt]#rf -rf del

[root@localhost bin]#ls

lost+found

下面开始恢复了

[root@localhost mnt]#cd /usr/local/ext3grep/bin

扫描一下分区

[root@localhost bin]# 。/ext3grep /tmp/test/file --ls --inode 2

Running ext3grep version 0.10.2

Number of groups: 7

Loading group metadata.。。 done

Minimum / maximum journal block: 447 / 4561

Loading journal descriptors.。。 sorting.。。 done

The oldest inode block that is still in the journal, appears to be from 1315980293 = Wed Sep 14 14:04:53 2011

Number of descriptors in journal: 36; min / max sequence numbers: 2 / 6

Inode is Allocated

Finding all blocks that might be directories.

D: block containing directory start, d: block containing more directory entries.

Each plus represents a directory start that references the same inode as a directory start that we found previously.

Searching group 0: DD++D++

Searching group 1:

Searching group 2:

Searching group 3:

Searching group 4:

Searching group 5:

Searching group 6:

Writing analysis so far to rsquo;file.ext3grep.stage1lsquo;。 Delete that file if you want to do this stage again.

Result of stage one:

3 inodes are referenced by one or more directory blocks, 2 of those inodes are still allocated.

1 inodes are referenced by more than one directory block, 1 of those inodes is still allocated.

0 blocks contain an extended directory.

Result of stage two:

2 of those inodes could be resolved because they are still allocated.

All directory inodes are accounted for!

Writing analysis so far to rsquo;file.ext3grep.stage2lsquo;。 Delete that file if you want to do this stage again.

The first block of the directory is 433.

Inode 2 is directory ;;。

Directory block 433:

。-- File type in dir_entry (r=regular file, d=directory, l=symlink)

| 。-- D: Deleted ; R: Reallocated

Indx Next | Inode | Deletion time Mode File name

==========+==========+----------------data-from-inode------+-----------+=========

0 1 d 2 drwxr-xr-x 。

1 2 d 2 drwxr-xr-x 。。

2 end d 11 drwx------ lost+found

3 4 r 12 D 1315980355 Wed Sep 14 14:05:55 2011 rrw-r--r-- 1

4 5 r 13 D 1315980355 Wed Sep 14 14:05:55 2011 rrw-r--r-- 2

5 6 r 14 D 1315980355 Wed Sep 14 14:05:55 2011 rrw-r--r-- 3

6 end d 1833 D 1315980355 Wed Sep 14 14:05:55 2011 drwxr-xr-x del

[root@localhost bin]# 。/ext3grep /tmp/test/file --restore-file del --depth del

Running ext3grep version 0.10.2

Number of groups: 7

Minimum / maximum journal block: 447 / 4561

Loading journal descriptors.。。 sorting.。。 done

The oldest inode block that is still in the journal, appears to be from 1315980293 = Wed Sep 14 14:04:53 2011

Number of descriptors in journal: 36; min / max sequence numbers: 2 / 6

Writing output to directory RESTORED_FILES/

Loading file.ext3grep.stage2.。。 done

下面开始恢复文件

[root@localhost bin]# 。/ext3grep /tmp/test/file --restore-all

Running ext3grep version 0.10.2

Number of groups: 7

Minimum / maximum journal block: 447 / 4561

Loading journal descriptors.。。 sorting.。。 done

The oldest inode block that is still in the journal, appears to be from 1315980313 = Wed Sep 14 14:05:13 2011

Number of descriptors in journal: 36; min / max sequence numbers: 3 / 9

Loading file.ext3grep.stage2.。。 done

Restoring 1

Restoring 2

Restoring 3

Restoring del/1

Restoring del/2

Restoring del/3

这个命令是恢复所有的,当然也可以恢复指定文件的。

可以看到在当前目录下,多了一个目录

[root@localhost bin]# ls

RESTORED_FILES ext3grep

我们进去看一下

[root@localhost bin]# cd RESTORED_FILES/

[root@localhost RESTORED_FILES]# ls

1 2 3 del lost+found

上面就是Linux使用ext3grep恢复文件的方法介绍了,通过本文的介绍可以看出,ext3grep不仅能够恢复所有被删除的文件,还能恢复指定的文件。

相关文章

发表评论

验证码: 看不清?点击更换

注:网友评论仅供其表达个人看法,并不代表本站立场。