Linux ext2/ext3 文件删除恢复工具ext3grep安装使用

2010-08-23 18:03:10|  分类: 默认分类|举报|字号 订阅

 
 

一.           安装前系统环境检查(我的实验环境:AS5.2 2.6.18-92.el5内核)< xmlnamespace prefix ="o" ns ="urn:schemas-microsoft-com:office:office" />

1.)查看所需要的依赖包

rpm -qa |grep e2fsprogs

e2fsprogs-devel-1.39-15.el5

e2fsprogs-libs-1.39-15.el5

e2fsprogs-1.39-15.el5

e2fsprogs-libs-1.39-15.el5

保证以上的包已经正确安装。

2.)下载安装运行ext3grep

mkdir –p /home/erico/test/

cd /home/erico/test/

wgethttp://ext3grep.googlecode.com/files/ext3grep-0.10.1.tar.gz

mkdir –p /soft/data_recover/

tar xzvf ext3grep-0.10.1.tar.gz

cd ext3grep-0.10.1

./configure --prefix=/soft/data_recover/

make && make install

运行ext3grep命令必须要加路径

/soft/data_recover/bin/ext3grep【参数】

3.)利用ext3grep测试恢复数据

1)我的硬盘分区情况

[root@erico-test erico]# fdisk -l

Disk /dev/sda: 80.0 GB, 80026361856 bytes

255 heads, 63 sectors/track, 9729 cylinders

Units = cylinders of 16065 * 512 = 8225280 bytes

Device Boot     Start        End     Blocks  Id System

/dev/sda1  *          1        127    1020096  83 Linux

/dev/sda2           2434       9729   58605120   f W95 Ext'd (LBA)

/dev/sda3            128       2039   15358140  83 Linux

/dev/sda4           2040       2166    1020127+ 82 Linux swap / Solaris

/dev/sda5           2434       9729   58605088+ 83 Linux

Partition table entries are not in disk order

2.)把/dev/sda5挂载到/data/下,用来做测试。

[root@erico-test erico]# mount /dev/sda5 /data/

3.)创建测试文件和文件目录,准备做测试

[root@erico-test data]# cp /home/erico/all_system_app_check_bak_test.log /data/

4.)删除/data/目录下的文件

[root@erico-test erico]# rm -rf /data/all_system_app_check_bak_test.log

5.)取消挂载需要恢复数据的区/dev/sda5

[root@erico-test /]# umount /dev/sda5

6.)恢复数据

测试一:文本文件(小文件)

1】扫描/dev/sda5被删除的数据情况

[root@erico-test erico]#/soft/data_recover/bin/ext3grep /dev/sda5 --ls --inode 2

Loading group metadata... done

Minimum / maximum journal block: 1542 / 35880

Loading journal descriptors... sorting... done

The oldest inode block that is still in the journal, appears to be from 1246478245 = Wed Jul 1 15:57:25 2009

Number of descriptors in journal: 19; min / max sequence numbers: 2 / 5

Inode is Allocated

Loading sda5.ext3grep.stage2... done

The first block of the directory is 1536.

Inode 2 is directory "".

Directory block 1536:

.-- File type in dir_entry (r=regular file, d=directory, l=symlink)

|         .-- D: Deleted ; R: Reallocated

Indx Next | Inode  | Deletion time                       Mode       File name

==========+==========+----------------data-from-inode------+-----------+=========

0   1 d      2                                        drwxr-xr-x .

1   2 d      2                                        drwxr-xr-x ..

2 end d     11                                        drwx------ lost+found

3 end r  48865 D 1246478282 Wed Jul 1 15:58:02 2009 rrw-r--r-- all_system_app_check_bak_test.log

根据上面的情况,可以知道我们删除了的文件。

2】恢复数据

[root@erico-testerico]#/soft/data_recover/bin/ext3grep /dev/sda5 --restore-file all_system_app_check_bak_test.log

[root@erico-test erico]# ls -al RESTORED_FILES/

total 12

drwxr-xr-x 2 root root 4096 Jul 1 15:59 .

drwxr-xr-x 7 root root 4096 Jul 1 15:56 ..

-rw-r--r-- 1 root root 1368 Jul 1 15:57 all_system_app_check_bak_test.log

在RESTORED_FILES/下我们看到了恢复出来的文件all_system_app_check_bak_test.log

测试二:大文件(220M)

1重新格式化测试盘,让盘变成空盘

[root@erico-test erico]# umount /dev/sda5

[root@erico-test erico]# mkfs.ext3 /dev/sda5

mke2fs 1.39 (29-May-2006)

Filesystem label=

OS type: Linux

Block size=4096 (log=2)

Fragment size=4096 (log=2)

2443200 inodes, 4885760 blocks

244288 blocks (5.00%) reserved for the super user

First data block=0

Maximum filesystem blocks=4294967296

150 block groups

32768 blocks per group, 32768 fragments per group

16288 inodes per group

Superblock backups stored on blocks:

32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,

4096000

Writing inode tables: done

Creating journal (32768 blocks): done

Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 30 mounts or

180 days, whichever comes first. Use tune2fs -c or -i to override.

确认格式后盘是空的!

[root@erico-test erico]# /soft/data_recover/bin/ext3grep /dev/sda5 --ls --inode 2

Running ext3grep version 0.10.1

Number of groups: 150

Loading group metadata... done

Minimum / maximum journal block: 1542 / 35880

Loading journal descriptors... sorting... done

The oldest inode block that is still in the journal, appears to be from 0 = Wed Dec 31 19:00:00 1969

Number of descriptors in journal: 0; min / max sequence numbers: 4294967295 / 0

Inode is Allocated

Loading sda5.ext3grep.stage2... done

The first block of the directory is 1536.

Inode 2 is directory "".

Directory block 1536:

.-- File type in dir_entry (r=regular file, d=directory, l=symlink)

|         .-- D: Deleted ; R: Reallocated

Indx Next | Inode  | Deletion time                       Mode       File name

==========+==========+----------------data-from-inode------+-----------+=========

0   1 d      2                                        drwxr-xr-x .

1   2 d      2                                        drwxr-xr-x ..

2 end d     11                                        drwx------ lost+found

[root@erico-test erico]#

2】创建测试文件和文件目录,准备做测试

[root@erico-test erico]# mount /dev/sda5 /data/

[root@erico-test erico]# cp /home/erico/Level1.7z /data/

该文件大小是220M的压缩文件(里面包括几十万以上的png图片文件)

3.)删除/data/目录下的文件

[root@erico-test erico]# rm -rf /data/Level1.7z

4.)扫描/dev/sda5被删除的数据情况

[root@erico-test erico]# /soft/data_recover/bin/ext3grep /dev/sda5 --ls --inode 2

Running ext3grep version 0.10.1

WARNING: EXT3_FEATURE_INCOMPAT_RECOVER is set. This either means that your partition is still mounted, and/or the file system is in an unclean state.

Number of groups: 150

Loading group metadata... done

Minimum / maximum journal block: 1542 / 35880

Loading journal descriptors... sorting... done

The oldest inode block that is still in the journal, appears to be from 1246479046 = Wed Jul 1 16:10:46 2009

Number of descriptors in journal: 82; min / max sequence numbers: 2 / 8

Inode is Allocated

Loading sda5.ext3grep.stage2... done

The first block of the directory is 1536.

Inode 2 is directory "".

Directory block 1536:

.-- File type in dir_entry (r=regular file, d=directory, l=symlink)

|         .-- D: Deleted ; R: Reallocated

Indx Next | Inode  | Deletion time                       Mode       File name

==========+==========+----------------data-from-inode------+-----------+=========

0   1 d      2                                        drwxr-xr-x .

1   2 d      2                                        drwxr-xr-x ..

2 end d     11                                        drwx------ lost+found

 3 end r  48865 D 1246479377 Wed Jul 1 16:16:17 2009 rrw-r--r-- Level1.7z

[root@erico-test erico]#

同样找到了删除的文件Level1.7z

5.)恢复Level1.7z文件

 

[root@erico-test erico]# /soft/data_recover/bin/ext3grep /dev/sda5 --restore-file Level1.7z

Running ext3grep version 0.10.1

WARNING: EXT3_FEATURE_INCOMPAT_RECOVER is set. This either means that your partition is still mounted, and/or the file system is in an unclean state.

Number of groups: 150

Minimum / maximum journal block: 1542 / 35880

Loading journal descriptors... sorting... done

The oldest inode block that is still in the journal, appears to be from 1246479046 = Wed Jul 1 16:10:46 2009

Number of descriptors in journal: 82; min / max sequence numbers: 2 / 8

Loading sda5.ext3grep.stage2... done

Restoring Level1.7z

[root@erico-test erico]# du -hs RESTORED_FILES/

60K RESTORED_FILES/

[root@erico-test erico]#

恢复让人失望,文件是恢复了,但是内容只有几十K,打开文件打不开。说明恢复失败!

[root@erico-test erico]# /soft/data_recover/bin/ext3grep /dev/sda5 --restore-file Level12.7z

Running ext3grep version 0.10.1

WARNING: EXT3_FEATURE_INCOMPAT_RECOVER is set. This either means that your partition is still mounted, and/or the file system is in an unclean state.

Number of groups: 150

Minimum / maximum journal block: 1542 / 35880

Loading journal descriptors... sorting... done

The oldest inode block that is still in the journal, appears to be from 1246479046 = Wed Jul 1 16:10:46 2009

Number of descriptors in journal: 103; min / max sequence numbers: 2 / 12

Writing output to directory RESTORED_FILES/

Loading sda5.ext3grep.stage2... done

Restoring Level12.7z

WARNING: Failed to restore Level12.7z: encountered a reused or corrupted (double/triple) indirect block!

Running iterate_over_all_blocks_of again with diagnostic messages ON:

Processing direct blocks... 124928 124929 124930 124931 124932 124933 124934 124935 124936 124937 124938 124939

Processing indirect block 124940: entry 0 contains block number 2979148019, which is too large.

[root@erico-test erico]# ls RESTORED_FILES/Level12.7z

RESTORED_FILES/Level12.7z

[root@erico-test erico]# du -hs RESTORED_FILES/Level12.7z

48K RESTORED_FILES/Level12.7z

[root@erico-test erico]#

注意到了,由于我是在windows下拷贝Level12.7z文件到/data/目录下的,该BLOCK NUMBER

太大,导致恢复不了。

【尝试恢复1.8GB的数据】

Result of stage one:

5 inodes are referenced by one or more directory blocks, 1 of those inodes is still allocated.

1 inodes are referenced by more than one directory block, 1 of those inodes is still allocated.

0 blocks contain an extended directory.

Result of stage two:

1 of those inodes could be resolved because it is still allocated.

All directory inodes are accounted for!

Writing analysis so far to 'sda5.ext3grep.stage2'. Delete that file if you want to do this stage again.

The first block of the directory is 1536.

Inode 2 is directory "".

Directory block 1536:

.-- File type in dir_entry (r=regular file, d=directory, l=symlink)

|         .-- D: Deleted ; R: Reallocated

Indx Next | Inode  | Deletion time                       Mode       File name

==========+==========+----------------data-from-inode------+-----------+=========

0   1 d      2                                        drwxr-xr-x .

1 end d      2                                        drwxr-xr-x ..

2 end d     11 D 1246482239 Wed Jul 1 17:03:59 2009 drwx------ lost+found

3   4 r  48865 D 1246482237 Wed Jul 1 17:03:57 2009 rrw-r--r-- ITS_APP_CHECK

4   5 r  48866 D 1246482237 Wed Jul 1 17:03:57 2009 rrw-r--r-- ITS_APP_CHECK.bak

5   6 r  48867 D 1246482237 Wed Jul 1 17:03:57 2009 rrwxr-xr-x ITS_APP_CHECK_25_port7001

6   7 r  48868 D 1246482237 Wed Jul 1 17:03:57 2009 rrw-r--r-- ITS_APP_CHECK_25_port7001.bak

7   8 r  48869 D 1246482237 Wed Jul 1 17:03:57 2009 rrwxr-xr-x ITS_APP_CHECK_25_port80

8   9 r  48870 D 1246482237 Wed Jul 1 17:03:57 2009 rrw-r--r-- ITS_APP_CHECK_25_port80.bak

9  10 r  48871 D 1246482237 Wed Jul 1 17:03:57 2009 rrwxr-xr-x ITS_APP_CHECK_25_port8008_16_port80

10  11 r  48872 D 1246482237 Wed Jul 1 17:03:57 2009 rrw-r--r-- ITS_APP_CHECK_25_port8008_16_port80.bak

11  12 r  48873 D 1246482237 Wed Jul 1 17:03:57 2009 rrwxr-xr-x ITS_APP_CHECK_25_port8080

12  13 r  48874 D 1246482237 Wed Jul 1 17:03:57 2009 rrw-r--r-- ITS_APP_CHECK_25_port8080.bak

13  14 r  48875 D 1246482237 Wed Jul 1 17:03:57 2009 rrwxr-xr-x check_file_from_15

14  15 r  48876 D 1246482237 Wed Jul 1 17:03:57 2009 rrw-r--r-- check_file_from_15.bak

15  16 r  48877 D 1246482237 Wed Jul 1 17:03:57 2009 rrwxr-xr-x check_file_from_16

16  17 r  48878 D 1246482237 Wed Jul 1 17:03:57 2009 rrw-r--r-- check_file_from_16.bak

17  18 r  48879 D 1246482237 Wed Jul 1 17:03:57 2009 rrwxr-xr-x check_pro_and_send_message_15

18  19 r  48880 D 1246482237 Wed Jul 1 17:03:57 2009 rrw-r--r-- check_pro_and_send_message_15.bak

19  20 r  48881 D 1246482237 Wed Jul 1 17:03:57 2009 rrwxr-xr-x check_pro_and_send_message_16

20  21 r  48882 D 1246482237 Wed Jul 1 17:03:57 2009 rrw-r--r-- check_pro_and_send_message_16.bak

 21 end r  48883 D 1246482239 Wed Jul 1 17:03:59 2009 rrw-r--r-- linux_11gR1_database_1013.zip

再次确认了,ext3grep只能恢复小文件,大于200M单文件的都无法恢复!

测试三:多文件和多目录恢复(文件目录多于100个,文件多于50万个,全部为png图片

1重新格式化测试盘,让盘变成空盘

2】创建测试文件和文件目录,准备做测试

[root@erico-test erico]# mount /dev/sda5 /data/

[root@erico-test erico]# ls –al /data/

total 124

drwxr-xr-x   6 root root 4096 Jul 2 10:01 .

drwxr-xr-x  28 root root 4096 Jul 2 10:03 ..

drwx------ 2225 root root 69632 Jul 2 11:45 Level1

drwxr-xr-x 656 root root 20480 Jul 2 05:45 Level6

drwxr-xr-x   3 root root 4096 Jul 2 05:24 Level9

drwx------   2 root root 16384 Jul 1 17:46 lost+found

[root@erico-test data]# ls /data/Level9/ |wc -l

4

[root@erico-test data]#ls /data/Level6/ |wc -l

654

[root@erico-test T00110011]# df -h

Filesystem           Size Used Avail Use% Mounted on

/dev/sda3             15G  13G 663M 96% /

/dev/sda1            965M  23M 893M  3% /boot

tmpfs                234M    0 234M  0% /dev/shm

/dev/sda5             56G 4.6G  48G  9% /data

[root@erico-test T00110011]#

其中:一级目录有4个,二级目录有Level1:4522*225=1017450  Level6:657个(总文件大约:657*225=147825)

Level9:4个(总文件大约:4*225=900)估计恢复文件大小为:4.6G,总文件数:1166175

3.)删除/data/目录下的文件

[root@erico-test erico]# rm -rf /data/*

[root@erico-test /]# umount /data/

4.)扫描/dev/sda5被删除的数据情况

Adding extended directory block(s) for directory "Level1".

WARNING: Rejecting a dir_entry (block 153811) because it contains legal but unlikely characters.

Use --ls --block 153811 to examine this possible directory block.

If it looks like a directory to you, and '\020'

looks like a filename that might belong in that directory, then add

--accept='\020' as commandline parameter AND remove both stage* files!

Adding extended directory block(s) for directory "Level6".

Writing analysis so far to 'sda5.ext3grep.stage2'. Delete that file if you want to do this stage again.

The first block of the directory is 1538.

Inode 2 is directory "".

Directory block 1538:

.-- File type in dir_entry (r=regular file, d=directory, l=symlink)

|         .-- D: Deleted ; R: Reallocated

Indx Next | Inode  | Deletion time                       Mode       File name

==========+==========+----------------data-from-inode------+-----------+=========

0   1 d      2                                        drwxr-xr-x .

1   2 d      2                                        drwxr-xr-x ..

2 end d     11                                        drwx------ lost+found

3 end d 5428865 D 1246561941 Thu Jul 2 15:12:21 2009 drwxr-xr-x Level9

4 end d 5903073 D 1246561941 Thu Jul 2 15:12:21 2009 drwxr-xr-x Level6

5 end d 5379809 D 1246561926 Thu Jul 2 15:12:06 2009 drwx------ Level1

同样找到了删除的文件夹

5.)恢复所有文件

[root@erico-test erico]# /soft/data_recover/bin/ext3grep /dev/sda5 --restore-all

查看恢复出来的文件和目录:

[root@erico-test Level9]# find ../../../RESTORED_FILES/ -name *.png -print |wc -l

33057

[root@erico-test Level9]#find ../../../RESTORED_FILES/ -type d -print |wc -l

5163

恢复出来的PNG文件只有33057个(只恢复了很少很少一部分文件),目录是5163个(全部恢复)

ext3grep 恢复删除的更多相关文章

  1. ext3grep 模拟恢复删除文件

    一,下载ext3grep-0.10.1.tar.gz 点此下载 二,安装 #tar zxvf ext3grep-0.10.1.tar.gz #cd ext3grep-0.10.1 #./configu ...

  2. ext3文件系统反删除利器-ext3grep

    导读 Linux作为企业级服务器,数据的安全性至关重要,任何数据德尔丢失和误删都是不可容忍的!最近我接触到一款软件-ext3grep,它可以恢复误删的数据,下面简单讲解一下这个软件. ext3grep ...

  3. Linux 利用lsof命令恢复删除的文件

    lsof命令 lsof命令用于查看你进程开打的文件,打开文件的进程,进程打开的端口(TCP.UDP).找回/恢复删除的文件.是十分方便的系统监视工具,因为lsof命令需要访问核心内存和各种文件,所以需 ...

  4. Linux lsof命令 以及 恢复删除的文件

    1.简介 lsof(list open files)是一个列出当前系统打开文件的工具.在linux环境下,任何事物都以文件的形式存在,通过文件不仅仅可以访问常规数据,还可以访问网络连接和硬件.所以如传 ...

  5. Eclipse 恢复删除的文件

    这件事发生在,两周以前,那时我正在写LLT,补充完代码覆盖率.突然,我的代码呢,我的代码去哪里了?由于对Eclipse还不太熟悉,代码就则样被我从磁盘删掉了.然后火速给同事打电话,同事说如果删除了,而 ...

  6. Linux下恢复删除的文件

    转自:http://github.tiankonguse.com/blog/2015/09/13/linux-remove-recovery/ 下午, DBA找我说有些SQL执行了两个小时了,导致主从 ...

  7. 高性能Linux服务器 第6章 ext3文件系统反删除利器ext3grep extundelete工具恢复rm -rf 误删除的文件

    高性能Linux服务器 第6章  ext3文件系统反删除利器ext3grep  extundelete工具恢复rm -rf 误删除的文件 只能用于ext3文件系统!!!!!!!高俊峰(高性能Linux ...

  8. 使用 ext3grep 恢复数据试验成功 笔记

    使用 ext3grep 恢复数据试验成功 笔记   来源:  Linux论坛 日期: 2009.07.07 10:03 (共有条评论)  我要评论   [Copy to clipboard] [ - ...

  9. ext3文件系统反删除利器ext3grep应用实战

    推荐:10年技术力作:<高性能Linuxserver构建实战Ⅱ>全网发行,附试读章节和全书实例源代码下载! 一."rm –rf"带来的困惑 国外一份非常著名的Linux ...

随机推荐

  1. get the runing time of C++ console program.

    // 获取程序运行时间.cpp : 定义控制台应用程序的入口点.// #include "stdafx.h"#include <time.h>#include < ...

  2. int * const 与 const int * 的区别

    type * const 与 const type * 是在C/C++编程中特别容易混淆的两个知识点,现在就以 int * const 和 const int * 为例来简略介绍一下这两者之间的区别. ...

  3. curl raise 信号出core

    在使用c++多线程使用libcurl抓取网页时,遇到程序随机core掉的情况,gdb 一下出错信息有这么一条:longjmp causes uninitialized stack frame. 在网上 ...

  4. windows phone 8 开发系列(二)Hello Wp8!

    上篇我们了解了WP8的环境搭建,从今天开始,我们就正式进入WP8的设计,开发阶段. 一. 项目模板介绍 打开vs,选择Windows Phone的项目模板,我们发现如下有很多模板,那么我们就从认识这些 ...

  5. (转)HTML5游戏如何挣钱?2条经验让你每款赚3万刀

    原文作者:Alexander Krug,是世界上最大的HTML5游戏平台的运营商SOFTGAMES的CEO. 现今苹果App Store当中的应用数量可以以海量来形容,最新发布的应用对排行榜的冲击力也 ...

  6. NSS_08 extjs表单验证

    Extjs做了非常好的表单验证功能, 使用起来非常方便. 系统内置了4种验证功能,分别是alpha, alphanumeric,url, email, 在程序中可以直接使用,(可以结合allowBla ...

  7. DevExpress navBarControl 和 xtraTabbedMdiManager实现浏览器标签页效果

    一:navBarControl 属性设置 工具箱中的Navigation & Layout选项卡下找到NavBarControl,拖到窗体中 工具箱中添加2个imageCollection.分 ...

  8. [大牛翻译系列]Hadoop(11)MapReduce 性能调优:诊断一般性能瓶颈

    6.2.4 任务一般性能问题 这部分将介绍那些对map和reduce任务都有影响的性能问题. 技术37 作业竞争和调度器限制 即便map任务和reduce任务都进行了调优,但整个作业仍然会因为环境原因 ...

  9. js中的数组Array定义与sort方法使用示例

    Array的定义及sort方法使用示例 Array数组相当于java中的ArrayList  定义方法:  1:使用new Array(5  )创建数组 var ary = new Array(5): ...

  10. JS获取图片实际宽高及根据图片大小进行自适应

    JS获取图片实际宽高,以及根据图片大小进行自适应  <img src="http://xxx.jpg" id="imgs" onload="ad ...