Linux ext2/ext3 文件删除恢复工具ext3grep安装使用

2010-08-23 18:03:10|  分类: 默认分类|举报|字号 订阅

 
 

一.           安装前系统环境检查(我的实验环境:AS5.2 2.6.18-92.el5内核)< xmlnamespace prefix ="o" ns ="urn:schemas-microsoft-com:office:office" />

1.)查看所需要的依赖包

rpm -qa |grep e2fsprogs

e2fsprogs-devel-1.39-15.el5

e2fsprogs-libs-1.39-15.el5

e2fsprogs-1.39-15.el5

e2fsprogs-libs-1.39-15.el5

保证以上的包已经正确安装。

2.)下载安装运行ext3grep

mkdir –p /home/erico/test/

cd /home/erico/test/

wgethttp://ext3grep.googlecode.com/files/ext3grep-0.10.1.tar.gz

mkdir –p /soft/data_recover/

tar xzvf ext3grep-0.10.1.tar.gz

cd ext3grep-0.10.1

./configure --prefix=/soft/data_recover/

make && make install

运行ext3grep命令必须要加路径

/soft/data_recover/bin/ext3grep【参数】

3.)利用ext3grep测试恢复数据

1)我的硬盘分区情况

[root@erico-test erico]# fdisk -l

Disk /dev/sda: 80.0 GB, 80026361856 bytes

255 heads, 63 sectors/track, 9729 cylinders

Units = cylinders of 16065 * 512 = 8225280 bytes

Device Boot     Start        End     Blocks  Id System

/dev/sda1  *          1        127    1020096  83 Linux

/dev/sda2           2434       9729   58605120   f W95 Ext'd (LBA)

/dev/sda3            128       2039   15358140  83 Linux

/dev/sda4           2040       2166    1020127+ 82 Linux swap / Solaris

/dev/sda5           2434       9729   58605088+ 83 Linux

Partition table entries are not in disk order

2.)把/dev/sda5挂载到/data/下,用来做测试。

[root@erico-test erico]# mount /dev/sda5 /data/

3.)创建测试文件和文件目录,准备做测试

[root@erico-test data]# cp /home/erico/all_system_app_check_bak_test.log /data/

4.)删除/data/目录下的文件

[root@erico-test erico]# rm -rf /data/all_system_app_check_bak_test.log

5.)取消挂载需要恢复数据的区/dev/sda5

[root@erico-test /]# umount /dev/sda5

6.)恢复数据

测试一:文本文件(小文件)

1】扫描/dev/sda5被删除的数据情况

[root@erico-test erico]#/soft/data_recover/bin/ext3grep /dev/sda5 --ls --inode 2

Loading group metadata... done

Minimum / maximum journal block: 1542 / 35880

Loading journal descriptors... sorting... done

The oldest inode block that is still in the journal, appears to be from 1246478245 = Wed Jul 1 15:57:25 2009

Number of descriptors in journal: 19; min / max sequence numbers: 2 / 5

Inode is Allocated

Loading sda5.ext3grep.stage2... done

The first block of the directory is 1536.

Inode 2 is directory "".

Directory block 1536:

.-- File type in dir_entry (r=regular file, d=directory, l=symlink)

|         .-- D: Deleted ; R: Reallocated

Indx Next | Inode  | Deletion time                       Mode       File name

==========+==========+----------------data-from-inode------+-----------+=========

0   1 d      2                                        drwxr-xr-x .

1   2 d      2                                        drwxr-xr-x ..

2 end d     11                                        drwx------ lost+found

3 end r  48865 D 1246478282 Wed Jul 1 15:58:02 2009 rrw-r--r-- all_system_app_check_bak_test.log

根据上面的情况,可以知道我们删除了的文件。

2】恢复数据

[root@erico-testerico]#/soft/data_recover/bin/ext3grep /dev/sda5 --restore-file all_system_app_check_bak_test.log

[root@erico-test erico]# ls -al RESTORED_FILES/

total 12

drwxr-xr-x 2 root root 4096 Jul 1 15:59 .

drwxr-xr-x 7 root root 4096 Jul 1 15:56 ..

-rw-r--r-- 1 root root 1368 Jul 1 15:57 all_system_app_check_bak_test.log

在RESTORED_FILES/下我们看到了恢复出来的文件all_system_app_check_bak_test.log

测试二:大文件(220M)

1重新格式化测试盘,让盘变成空盘

[root@erico-test erico]# umount /dev/sda5

[root@erico-test erico]# mkfs.ext3 /dev/sda5

mke2fs 1.39 (29-May-2006)

Filesystem label=

OS type: Linux

Block size=4096 (log=2)

Fragment size=4096 (log=2)

2443200 inodes, 4885760 blocks

244288 blocks (5.00%) reserved for the super user

First data block=0

Maximum filesystem blocks=4294967296

150 block groups

32768 blocks per group, 32768 fragments per group

16288 inodes per group

Superblock backups stored on blocks:

32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,

4096000

Writing inode tables: done

Creating journal (32768 blocks): done

Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 30 mounts or

180 days, whichever comes first. Use tune2fs -c or -i to override.

确认格式后盘是空的!

[root@erico-test erico]# /soft/data_recover/bin/ext3grep /dev/sda5 --ls --inode 2

Running ext3grep version 0.10.1

Number of groups: 150

Loading group metadata... done

Minimum / maximum journal block: 1542 / 35880

Loading journal descriptors... sorting... done

The oldest inode block that is still in the journal, appears to be from 0 = Wed Dec 31 19:00:00 1969

Number of descriptors in journal: 0; min / max sequence numbers: 4294967295 / 0

Inode is Allocated

Loading sda5.ext3grep.stage2... done

The first block of the directory is 1536.

Inode 2 is directory "".

Directory block 1536:

.-- File type in dir_entry (r=regular file, d=directory, l=symlink)

|         .-- D: Deleted ; R: Reallocated

Indx Next | Inode  | Deletion time                       Mode       File name

==========+==========+----------------data-from-inode------+-----------+=========

0   1 d      2                                        drwxr-xr-x .

1   2 d      2                                        drwxr-xr-x ..

2 end d     11                                        drwx------ lost+found

[root@erico-test erico]#

2】创建测试文件和文件目录,准备做测试

[root@erico-test erico]# mount /dev/sda5 /data/

[root@erico-test erico]# cp /home/erico/Level1.7z /data/

该文件大小是220M的压缩文件(里面包括几十万以上的png图片文件)

3.)删除/data/目录下的文件

[root@erico-test erico]# rm -rf /data/Level1.7z

4.)扫描/dev/sda5被删除的数据情况

[root@erico-test erico]# /soft/data_recover/bin/ext3grep /dev/sda5 --ls --inode 2

Running ext3grep version 0.10.1

WARNING: EXT3_FEATURE_INCOMPAT_RECOVER is set. This either means that your partition is still mounted, and/or the file system is in an unclean state.

Number of groups: 150

Loading group metadata... done

Minimum / maximum journal block: 1542 / 35880

Loading journal descriptors... sorting... done

The oldest inode block that is still in the journal, appears to be from 1246479046 = Wed Jul 1 16:10:46 2009

Number of descriptors in journal: 82; min / max sequence numbers: 2 / 8

Inode is Allocated

Loading sda5.ext3grep.stage2... done

The first block of the directory is 1536.

Inode 2 is directory "".

Directory block 1536:

.-- File type in dir_entry (r=regular file, d=directory, l=symlink)

|         .-- D: Deleted ; R: Reallocated

Indx Next | Inode  | Deletion time                       Mode       File name

==========+==========+----------------data-from-inode------+-----------+=========

0   1 d      2                                        drwxr-xr-x .

1   2 d      2                                        drwxr-xr-x ..

2 end d     11                                        drwx------ lost+found

 3 end r  48865 D 1246479377 Wed Jul 1 16:16:17 2009 rrw-r--r-- Level1.7z

[root@erico-test erico]#

同样找到了删除的文件Level1.7z

5.)恢复Level1.7z文件

 

[root@erico-test erico]# /soft/data_recover/bin/ext3grep /dev/sda5 --restore-file Level1.7z

Running ext3grep version 0.10.1

WARNING: EXT3_FEATURE_INCOMPAT_RECOVER is set. This either means that your partition is still mounted, and/or the file system is in an unclean state.

Number of groups: 150

Minimum / maximum journal block: 1542 / 35880

Loading journal descriptors... sorting... done

The oldest inode block that is still in the journal, appears to be from 1246479046 = Wed Jul 1 16:10:46 2009

Number of descriptors in journal: 82; min / max sequence numbers: 2 / 8

Loading sda5.ext3grep.stage2... done

Restoring Level1.7z

[root@erico-test erico]# du -hs RESTORED_FILES/

60K RESTORED_FILES/

[root@erico-test erico]#

恢复让人失望,文件是恢复了,但是内容只有几十K,打开文件打不开。说明恢复失败!

[root@erico-test erico]# /soft/data_recover/bin/ext3grep /dev/sda5 --restore-file Level12.7z

Running ext3grep version 0.10.1

WARNING: EXT3_FEATURE_INCOMPAT_RECOVER is set. This either means that your partition is still mounted, and/or the file system is in an unclean state.

Number of groups: 150

Minimum / maximum journal block: 1542 / 35880

Loading journal descriptors... sorting... done

The oldest inode block that is still in the journal, appears to be from 1246479046 = Wed Jul 1 16:10:46 2009

Number of descriptors in journal: 103; min / max sequence numbers: 2 / 12

Writing output to directory RESTORED_FILES/

Loading sda5.ext3grep.stage2... done

Restoring Level12.7z

WARNING: Failed to restore Level12.7z: encountered a reused or corrupted (double/triple) indirect block!

Running iterate_over_all_blocks_of again with diagnostic messages ON:

Processing direct blocks... 124928 124929 124930 124931 124932 124933 124934 124935 124936 124937 124938 124939

Processing indirect block 124940: entry 0 contains block number 2979148019, which is too large.

[root@erico-test erico]# ls RESTORED_FILES/Level12.7z

RESTORED_FILES/Level12.7z

[root@erico-test erico]# du -hs RESTORED_FILES/Level12.7z

48K RESTORED_FILES/Level12.7z

[root@erico-test erico]#

注意到了,由于我是在windows下拷贝Level12.7z文件到/data/目录下的,该BLOCK NUMBER

太大,导致恢复不了。

【尝试恢复1.8GB的数据】

Result of stage one:

5 inodes are referenced by one or more directory blocks, 1 of those inodes is still allocated.

1 inodes are referenced by more than one directory block, 1 of those inodes is still allocated.

0 blocks contain an extended directory.

Result of stage two:

1 of those inodes could be resolved because it is still allocated.

All directory inodes are accounted for!

Writing analysis so far to 'sda5.ext3grep.stage2'. Delete that file if you want to do this stage again.

The first block of the directory is 1536.

Inode 2 is directory "".

Directory block 1536:

.-- File type in dir_entry (r=regular file, d=directory, l=symlink)

|         .-- D: Deleted ; R: Reallocated

Indx Next | Inode  | Deletion time                       Mode       File name

==========+==========+----------------data-from-inode------+-----------+=========

0   1 d      2                                        drwxr-xr-x .

1 end d      2                                        drwxr-xr-x ..

2 end d     11 D 1246482239 Wed Jul 1 17:03:59 2009 drwx------ lost+found

3   4 r  48865 D 1246482237 Wed Jul 1 17:03:57 2009 rrw-r--r-- ITS_APP_CHECK

4   5 r  48866 D 1246482237 Wed Jul 1 17:03:57 2009 rrw-r--r-- ITS_APP_CHECK.bak

5   6 r  48867 D 1246482237 Wed Jul 1 17:03:57 2009 rrwxr-xr-x ITS_APP_CHECK_25_port7001

6   7 r  48868 D 1246482237 Wed Jul 1 17:03:57 2009 rrw-r--r-- ITS_APP_CHECK_25_port7001.bak

7   8 r  48869 D 1246482237 Wed Jul 1 17:03:57 2009 rrwxr-xr-x ITS_APP_CHECK_25_port80

8   9 r  48870 D 1246482237 Wed Jul 1 17:03:57 2009 rrw-r--r-- ITS_APP_CHECK_25_port80.bak

9  10 r  48871 D 1246482237 Wed Jul 1 17:03:57 2009 rrwxr-xr-x ITS_APP_CHECK_25_port8008_16_port80

10  11 r  48872 D 1246482237 Wed Jul 1 17:03:57 2009 rrw-r--r-- ITS_APP_CHECK_25_port8008_16_port80.bak

11  12 r  48873 D 1246482237 Wed Jul 1 17:03:57 2009 rrwxr-xr-x ITS_APP_CHECK_25_port8080

12  13 r  48874 D 1246482237 Wed Jul 1 17:03:57 2009 rrw-r--r-- ITS_APP_CHECK_25_port8080.bak

13  14 r  48875 D 1246482237 Wed Jul 1 17:03:57 2009 rrwxr-xr-x check_file_from_15

14  15 r  48876 D 1246482237 Wed Jul 1 17:03:57 2009 rrw-r--r-- check_file_from_15.bak

15  16 r  48877 D 1246482237 Wed Jul 1 17:03:57 2009 rrwxr-xr-x check_file_from_16

16  17 r  48878 D 1246482237 Wed Jul 1 17:03:57 2009 rrw-r--r-- check_file_from_16.bak

17  18 r  48879 D 1246482237 Wed Jul 1 17:03:57 2009 rrwxr-xr-x check_pro_and_send_message_15

18  19 r  48880 D 1246482237 Wed Jul 1 17:03:57 2009 rrw-r--r-- check_pro_and_send_message_15.bak

19  20 r  48881 D 1246482237 Wed Jul 1 17:03:57 2009 rrwxr-xr-x check_pro_and_send_message_16

20  21 r  48882 D 1246482237 Wed Jul 1 17:03:57 2009 rrw-r--r-- check_pro_and_send_message_16.bak

 21 end r  48883 D 1246482239 Wed Jul 1 17:03:59 2009 rrw-r--r-- linux_11gR1_database_1013.zip

再次确认了,ext3grep只能恢复小文件,大于200M单文件的都无法恢复!

测试三:多文件和多目录恢复(文件目录多于100个,文件多于50万个,全部为png图片

1重新格式化测试盘,让盘变成空盘

2】创建测试文件和文件目录,准备做测试

[root@erico-test erico]# mount /dev/sda5 /data/

[root@erico-test erico]# ls –al /data/

total 124

drwxr-xr-x   6 root root 4096 Jul 2 10:01 .

drwxr-xr-x  28 root root 4096 Jul 2 10:03 ..

drwx------ 2225 root root 69632 Jul 2 11:45 Level1

drwxr-xr-x 656 root root 20480 Jul 2 05:45 Level6

drwxr-xr-x   3 root root 4096 Jul 2 05:24 Level9

drwx------   2 root root 16384 Jul 1 17:46 lost+found

[root@erico-test data]# ls /data/Level9/ |wc -l

4

[root@erico-test data]#ls /data/Level6/ |wc -l

654

[root@erico-test T00110011]# df -h

Filesystem           Size Used Avail Use% Mounted on

/dev/sda3             15G  13G 663M 96% /

/dev/sda1            965M  23M 893M  3% /boot

tmpfs                234M    0 234M  0% /dev/shm

/dev/sda5             56G 4.6G  48G  9% /data

[root@erico-test T00110011]#

其中:一级目录有4个,二级目录有Level1:4522*225=1017450  Level6:657个(总文件大约:657*225=147825)

Level9:4个(总文件大约:4*225=900)估计恢复文件大小为:4.6G,总文件数:1166175

3.)删除/data/目录下的文件

[root@erico-test erico]# rm -rf /data/*

[root@erico-test /]# umount /data/

4.)扫描/dev/sda5被删除的数据情况

Adding extended directory block(s) for directory "Level1".

WARNING: Rejecting a dir_entry (block 153811) because it contains legal but unlikely characters.

Use --ls --block 153811 to examine this possible directory block.

If it looks like a directory to you, and '\020'

looks like a filename that might belong in that directory, then add

--accept='\020' as commandline parameter AND remove both stage* files!

Adding extended directory block(s) for directory "Level6".

Writing analysis so far to 'sda5.ext3grep.stage2'. Delete that file if you want to do this stage again.

The first block of the directory is 1538.

Inode 2 is directory "".

Directory block 1538:

.-- File type in dir_entry (r=regular file, d=directory, l=symlink)

|         .-- D: Deleted ; R: Reallocated

Indx Next | Inode  | Deletion time                       Mode       File name

==========+==========+----------------data-from-inode------+-----------+=========

0   1 d      2                                        drwxr-xr-x .

1   2 d      2                                        drwxr-xr-x ..

2 end d     11                                        drwx------ lost+found

3 end d 5428865 D 1246561941 Thu Jul 2 15:12:21 2009 drwxr-xr-x Level9

4 end d 5903073 D 1246561941 Thu Jul 2 15:12:21 2009 drwxr-xr-x Level6

5 end d 5379809 D 1246561926 Thu Jul 2 15:12:06 2009 drwx------ Level1

同样找到了删除的文件夹

5.)恢复所有文件

[root@erico-test erico]# /soft/data_recover/bin/ext3grep /dev/sda5 --restore-all

查看恢复出来的文件和目录:

[root@erico-test Level9]# find ../../../RESTORED_FILES/ -name *.png -print |wc -l

33057

[root@erico-test Level9]#find ../../../RESTORED_FILES/ -type d -print |wc -l

5163

恢复出来的PNG文件只有33057个(只恢复了很少很少一部分文件),目录是5163个(全部恢复)

ext3grep 恢复删除的更多相关文章

  1. ext3grep 模拟恢复删除文件

    一,下载ext3grep-0.10.1.tar.gz 点此下载 二,安装 #tar zxvf ext3grep-0.10.1.tar.gz #cd ext3grep-0.10.1 #./configu ...

  2. ext3文件系统反删除利器-ext3grep

    导读 Linux作为企业级服务器,数据的安全性至关重要,任何数据德尔丢失和误删都是不可容忍的!最近我接触到一款软件-ext3grep,它可以恢复误删的数据,下面简单讲解一下这个软件. ext3grep ...

  3. Linux 利用lsof命令恢复删除的文件

    lsof命令 lsof命令用于查看你进程开打的文件,打开文件的进程,进程打开的端口(TCP.UDP).找回/恢复删除的文件.是十分方便的系统监视工具,因为lsof命令需要访问核心内存和各种文件,所以需 ...

  4. Linux lsof命令 以及 恢复删除的文件

    1.简介 lsof(list open files)是一个列出当前系统打开文件的工具.在linux环境下,任何事物都以文件的形式存在,通过文件不仅仅可以访问常规数据,还可以访问网络连接和硬件.所以如传 ...

  5. Eclipse 恢复删除的文件

    这件事发生在,两周以前,那时我正在写LLT,补充完代码覆盖率.突然,我的代码呢,我的代码去哪里了?由于对Eclipse还不太熟悉,代码就则样被我从磁盘删掉了.然后火速给同事打电话,同事说如果删除了,而 ...

  6. Linux下恢复删除的文件

    转自:http://github.tiankonguse.com/blog/2015/09/13/linux-remove-recovery/ 下午, DBA找我说有些SQL执行了两个小时了,导致主从 ...

  7. 高性能Linux服务器 第6章 ext3文件系统反删除利器ext3grep extundelete工具恢复rm -rf 误删除的文件

    高性能Linux服务器 第6章  ext3文件系统反删除利器ext3grep  extundelete工具恢复rm -rf 误删除的文件 只能用于ext3文件系统!!!!!!!高俊峰(高性能Linux ...

  8. 使用 ext3grep 恢复数据试验成功 笔记

    使用 ext3grep 恢复数据试验成功 笔记   来源:  Linux论坛 日期: 2009.07.07 10:03 (共有条评论)  我要评论   [Copy to clipboard] [ - ...

  9. ext3文件系统反删除利器ext3grep应用实战

    推荐:10年技术力作:<高性能Linuxserver构建实战Ⅱ>全网发行,附试读章节和全书实例源代码下载! 一."rm –rf"带来的困惑 国外一份非常著名的Linux ...

随机推荐

  1. [javascript|基本概念|Number]学习笔记

    Number类型的值:整数/浮点数值 整数 十进制  e.g.: var intNum = 50; 八进制  (严格模式下无效,解析错误)字面值首位必须是0,之后的数字序列为0-7  e.g.: va ...

  2. 三款精美的html5及css3的源码插件

    1.HTML5 3D爱心动画 晚来的七夕礼物 七夕情人节刚过,今天小编却在国外的网站上看到一个利用HTML5和CSS3制作的3D爱心动画,莫非老外也过七夕?当然小编还是将这款HTML5 3D爱心动画收 ...

  3. hibernate get VS load

    1.  执行get方法:会立即加载对象      而执行load方法,若不适用该对象,则不会立即执行查询操作,而返回一个代理对象      get立即检索,load延迟检索  2.  load方法可能 ...

  4. java mail jar冲突

    开发环境:jdk1.6.0_25     MyEclipse-8.6     J2EE5   程序编译通过,J2EE5的库里面已经含有javaee.jar文件.里面的javax.mail包下面是jav ...

  5. 《linux源代码包的编译安装》RHEL6

    linux下源代码包的编译安装其实没那么复杂. 我是win7系统装的虚拟机,就简单说下: 举个简单的例子: http://www.openssl.org/ 这是openssl的官网,下载openssl ...

  6. 《用户和组的管理》Redhat6.3

    linux下有三类用户:  1.超级用户 :root 具有操作系通的一切权限 uid 0 2.普通用户:普通用户具有操作系统有限的权限 uid 500-6000 3.伪用户 :是为了方便系统管理,满足 ...

  7. linq 日常关键字使用

    1.from var scoreQuery = from student in students from score in student.Scores where score > 90 se ...

  8. 三种找回 linux root密码的方法

    找回 linux root密码的三种方法 第1种方法: 1.在系统进入单用户状态,直接用passwd root去更改2.用安装光盘引导系统,进行linux rescue状态,将原来/分区挂接上来,作法 ...

  9. js实现雪花飘落效果的代码

    使用js实现雪花飘落的效果,用html5绘布加js写的雪花飘效果 . 代码: <html> <head> <script> /** * js与html5实现的雪花飘 ...

  10. Sorl之java操作

    参考教程: http://www.cnblogs.com/xia520pi/p/3625232.html http://www.cnblogs.com/hujunzheng/p/5647896.htm ...