恢复linux ext3文件系统误删的文件
今天群里有个哥们要恢复IPHONE4 里面的数据,听说IPHONE就是linux 系统,然后就想想能不能通过什么方法恢复误删的文件。查看了一下文档发现还真可以恢复,
首先模拟一个环境
挂载分区到/mnt/user
mount /dev/sdb1 /mnt/user
拷贝个文件进去,然后删掉。
# ls
aaa drbd-8.3.2.tar.gz lost+found memcached-1.4.4.tar.gz
然后删掉memcached-1.4.4.tar.gz 这文件 和 aaa这个文件夹
-----------------------------------------------------------------------------
好了,现在要恢复memcached-1.4.4.tar.gz 这文件和aaa目录下一个叫 http.zip的文件
首先安装个软件ext3grep 并编译安装
http://ext3grep.googlecode.com/files/ext3grep-0.10.1.tar.gz
./configure && make && make install
取消挂载 /mnt/user
umount /mnt/user
扫描这分区的数据
# ext3grep /dev/sdb1 --ls --inode 2
Running ext3grep version 0.10.1
Number of groups: 8
Loading group metadata... done
Minimum / maximum journal block: 583 / 4685
Loading journal descriptors... sorting... done
The oldest inode block that is still in the journal, appears to be from 1303233388 = Wed Apr 20 01:16:28 2011
Number of descriptors in journal: 197; min / max sequence numbers: 24 / 34
Inode is Allocated
Loading sdb1.ext3grep.stage2... done
The first block of the directory is 577.
Inode 2 is directory "".
Directory block 577:
.-- File type in dir_entry (r=regular file, d=directory, l=symlink)
| .-- D: Deleted ; R: Reallocated
Indx Next | Inode | Deletion time Mode File name
==========+==========+----------------data-from-inode------+-----------+=========
0 1 d 2 drwxr-xr-x .
1 2 d 2 drwxr-xr-x ..
2 3 d 11 drwx------ lost+found
3 4 d 81601 drwxr-xr-x aaa
4 5 r 13 rrw-r--r-- drbd-8.3.2.tar.gz
5 end r 12 rrw-r--r-- memcached-1.4.4.tar.gz
都能搜出删除的文件了
下面先恢复memcached-1.4.4.tar.gz
# ext3grep /dev/sdb1 --restore-file memcached-1.4.4.tar.gz
Running ext3grep version 0.10.1
Number of groups: 8
Minimum / maximum journal block: 583 / 4685
Loading journal descriptors... sorting... done
The oldest inode block that is still in the journal, appears to be from 1303233663 = Wed Apr 20 01:21:03 2011
Number of descriptors in journal: 57; min / max sequence numbers: 28 / 38
Loading sdb1.ext3grep.stage2... done
Restoring memcached-1.4.4.tar.gz
好了,这样就恢复了,
查看你运行ext3grep的目录下有个RESTORED_FILES文件夹,恢复的文件就在里面;
# cd RESTORED_FILES/
# ls
memcached-1.4.4.tar.gz
看,就这么简单
------------------------------------
下面恢复aaa里面的http.zip
留意上面第一次扫描硬盘aaa对应的号码81601
再扫一次那号码就能扫出aaa里面的文件了。
# ext3grep /home/sheng/file --ls --inode 81601
Directory block 172032:
.-- File type in dir_entry (r=regular file, d=directory, l=symlink)
| .-- D: Deleted ; R: Reallocated
Indx Next | Inode | Deletion time Mode File name
==========+==========+----------------data-from-inode------+-----------+=========
0 1 d 81601 D 1303233956 Wed Apr 20 01:25:56 2011 drwxr-xr-x .
1 2 d 2 drwxr-xr-x ..
2 3 r 81602 D 1303233956 Wed Apr 20 01:25:56 2011 rrwxr-xr-x a.sh
3 4 r 81603 D 1303233956 Wed Apr 20 01:25:56 2011 rrw-r--r-- iii5
4 5 r 81604 D 1303233956 Wed Apr 20 01:25:56 2011 rrw-r--r-- iii2
5 6 r 81605 D 1303233956 Wed Apr 20 01:25:56 2011 rrw-r--r-- iii3
6 7 r 81606 D 1303233956 Wed Apr 20 01:25:56 2011 rrw-r--r-- iii7
7 8 r 81607 D 1303233956 Wed Apr 20 01:25:56 2011 rrw-r--r-- iii4
8 9 r 81608 D 1303233956 Wed Apr 20 01:25:56 2011 rrw-r--r-- iii9
9 10 d 81609 D 1303233956 Wed Apr 20 01:25:56 2011 drwxr-xr-x bbb
10 11 r 82424 D 1303233956 Wed Apr 20 01:25:56 2011 rrw-r--r-- iii8
11 12 l 82425 D 1303233956 Wed Apr 20 01:25:56 2011 lrwxrwxrwx denyhosts -> /usr/share/denyhosts/daemon-control-dist
12 13 r 82426 D 1303233956 Wed Apr 20 01:25:56 2011 rrw-r--r-- iii6
13 14 r 82427 D 1303233956 Wed Apr 20 01:25:56 2011 rrw-r--r-- iii
14 15 r 82428 D 1303233956 Wed Apr 20 01:25:56 2011 rrw-r--r-- http.zip
15 16 r 82429 D 1303233956 Wed Apr 20 01:25:56 2011 rrw-r--r-- test
16 17 r 82430 D 1303233956 Wed Apr 20 01:25:56 2011 rrw-r--r-- se
17 18 r 82431 D 1303233956 Wed Apr 20 01:25:56 2011 rrw-r--r-- ccc1
18 19 d 97921 D 1303233956 Wed Apr 20 01:25:56 2011 drwxr-xr-x backup
19 end r 82432 D 1303233956 Wed Apr 20 01:25:56 2011 rrw-r--r-- hi
恢复http.zip
# ext3grep /dev/sdb1 --restore-file aaa/http.zip
这个是恢复所有扫描的文件
ext3grep /home/sheng/file --restore-all
大功告成!