Linux ext2/ext3 文件删除恢复工具ext3grep安装使用

2010-08-23 18:03:10|  分类: 默认分类|举报|字号 订阅

 
 

一.           安装前系统环境检查(我的实验环境:AS5.2 2.6.18-92.el5内核)< xmlnamespace prefix ="o" ns ="urn:schemas-microsoft-com:office:office" />

1.)查看所需要的依赖包

rpm -qa |grep e2fsprogs

e2fsprogs-devel-1.39-15.el5

e2fsprogs-libs-1.39-15.el5

e2fsprogs-1.39-15.el5

e2fsprogs-libs-1.39-15.el5

保证以上的包已经正确安装。

2.)下载安装运行ext3grep

mkdir –p /home/erico/test/

cd /home/erico/test/

wgethttp://ext3grep.googlecode.com/files/ext3grep-0.10.1.tar.gz

mkdir –p /soft/data_recover/

tar xzvf ext3grep-0.10.1.tar.gz

cd ext3grep-0.10.1

./configure --prefix=/soft/data_recover/

make && make install

运行ext3grep命令必须要加路径

/soft/data_recover/bin/ext3grep【参数】

3.)利用ext3grep测试恢复数据

1)我的硬盘分区情况

[root@erico-test erico]# fdisk -l

Disk /dev/sda: 80.0 GB, 80026361856 bytes

255 heads, 63 sectors/track, 9729 cylinders

Units = cylinders of 16065 * 512 = 8225280 bytes

Device Boot     Start        End     Blocks  Id System

/dev/sda1  *          1        127    1020096  83 Linux

/dev/sda2           2434       9729   58605120   f W95 Ext'd (LBA)

/dev/sda3            128       2039   15358140  83 Linux

/dev/sda4           2040       2166    1020127+ 82 Linux swap / Solaris

/dev/sda5           2434       9729   58605088+ 83 Linux

Partition table entries are not in disk order

2.)把/dev/sda5挂载到/data/下,用来做测试。

[root@erico-test erico]# mount /dev/sda5 /data/

3.)创建测试文件和文件目录,准备做测试

[root@erico-test data]# cp /home/erico/all_system_app_check_bak_test.log /data/

4.)删除/data/目录下的文件

[root@erico-test erico]# rm -rf /data/all_system_app_check_bak_test.log

5.)取消挂载需要恢复数据的区/dev/sda5

[root@erico-test /]# umount /dev/sda5

6.)恢复数据

测试一:文本文件(小文件)

1】扫描/dev/sda5被删除的数据情况

[root@erico-test erico]#/soft/data_recover/bin/ext3grep /dev/sda5 --ls --inode 2

Loading group metadata... done

Minimum / maximum journal block: 1542 / 35880

Loading journal descriptors... sorting... done

The oldest inode block that is still in the journal, appears to be from 1246478245 = Wed Jul 1 15:57:25 2009

Number of descriptors in journal: 19; min / max sequence numbers: 2 / 5

Inode is Allocated

Loading sda5.ext3grep.stage2... done

The first block of the directory is 1536.

Inode 2 is directory "".

Directory block 1536:

.-- File type in dir_entry (r=regular file, d=directory, l=symlink)

|         .-- D: Deleted ; R: Reallocated

Indx Next | Inode  | Deletion time                       Mode       File name

==========+==========+----------------data-from-inode------+-----------+=========

0   1 d      2                                        drwxr-xr-x .

1   2 d      2                                        drwxr-xr-x ..

2 end d     11                                        drwx------ lost+found

3 end r  48865 D 1246478282 Wed Jul 1 15:58:02 2009 rrw-r--r-- all_system_app_check_bak_test.log

根据上面的情况,可以知道我们删除了的文件。

2】恢复数据

[root@erico-testerico]#/soft/data_recover/bin/ext3grep /dev/sda5 --restore-file all_system_app_check_bak_test.log

[root@erico-test erico]# ls -al RESTORED_FILES/

total 12

drwxr-xr-x 2 root root 4096 Jul 1 15:59 .

drwxr-xr-x 7 root root 4096 Jul 1 15:56 ..

-rw-r--r-- 1 root root 1368 Jul 1 15:57 all_system_app_check_bak_test.log

在RESTORED_FILES/下我们看到了恢复出来的文件all_system_app_check_bak_test.log

测试二:大文件(220M)

1重新格式化测试盘,让盘变成空盘

[root@erico-test erico]# umount /dev/sda5

[root@erico-test erico]# mkfs.ext3 /dev/sda5

mke2fs 1.39 (29-May-2006)

Filesystem label=

OS type: Linux

Block size=4096 (log=2)

Fragment size=4096 (log=2)

2443200 inodes, 4885760 blocks

244288 blocks (5.00%) reserved for the super user

First data block=0

Maximum filesystem blocks=4294967296

150 block groups

32768 blocks per group, 32768 fragments per group

16288 inodes per group

Superblock backups stored on blocks:

32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,

4096000

Writing inode tables: done

Creating journal (32768 blocks): done

Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 30 mounts or

180 days, whichever comes first. Use tune2fs -c or -i to override.

确认格式后盘是空的!

[root@erico-test erico]# /soft/data_recover/bin/ext3grep /dev/sda5 --ls --inode 2

Running ext3grep version 0.10.1

Number of groups: 150

Loading group metadata... done

Minimum / maximum journal block: 1542 / 35880

Loading journal descriptors... sorting... done

The oldest inode block that is still in the journal, appears to be from 0 = Wed Dec 31 19:00:00 1969

Number of descriptors in journal: 0; min / max sequence numbers: 4294967295 / 0

Inode is Allocated

Loading sda5.ext3grep.stage2... done

The first block of the directory is 1536.

Inode 2 is directory "".

Directory block 1536:

.-- File type in dir_entry (r=regular file, d=directory, l=symlink)

|         .-- D: Deleted ; R: Reallocated

Indx Next | Inode  | Deletion time                       Mode       File name

==========+==========+----------------data-from-inode------+-----------+=========

0   1 d      2                                        drwxr-xr-x .

1   2 d      2                                        drwxr-xr-x ..

2 end d     11                                        drwx------ lost+found

[root@erico-test erico]#

2】创建测试文件和文件目录,准备做测试

[root@erico-test erico]# mount /dev/sda5 /data/

[root@erico-test erico]# cp /home/erico/Level1.7z /data/

该文件大小是220M的压缩文件(里面包括几十万以上的png图片文件)

3.)删除/data/目录下的文件

[root@erico-test erico]# rm -rf /data/Level1.7z

4.)扫描/dev/sda5被删除的数据情况

[root@erico-test erico]# /soft/data_recover/bin/ext3grep /dev/sda5 --ls --inode 2

Running ext3grep version 0.10.1

WARNING: EXT3_FEATURE_INCOMPAT_RECOVER is set. This either means that your partition is still mounted, and/or the file system is in an unclean state.

Number of groups: 150

Loading group metadata... done

Minimum / maximum journal block: 1542 / 35880

Loading journal descriptors... sorting... done

The oldest inode block that is still in the journal, appears to be from 1246479046 = Wed Jul 1 16:10:46 2009

Number of descriptors in journal: 82; min / max sequence numbers: 2 / 8

Inode is Allocated

Loading sda5.ext3grep.stage2... done

The first block of the directory is 1536.

Inode 2 is directory "".

Directory block 1536:

.-- File type in dir_entry (r=regular file, d=directory, l=symlink)

|         .-- D: Deleted ; R: Reallocated

Indx Next | Inode  | Deletion time                       Mode       File name

==========+==========+----------------data-from-inode------+-----------+=========

0   1 d      2                                        drwxr-xr-x .

1   2 d      2                                        drwxr-xr-x ..

2 end d     11                                        drwx------ lost+found

 3 end r  48865 D 1246479377 Wed Jul 1 16:16:17 2009 rrw-r--r-- Level1.7z

[root@erico-test erico]#

同样找到了删除的文件Level1.7z

5.)恢复Level1.7z文件

 

[root@erico-test erico]# /soft/data_recover/bin/ext3grep /dev/sda5 --restore-file Level1.7z

Running ext3grep version 0.10.1

WARNING: EXT3_FEATURE_INCOMPAT_RECOVER is set. This either means that your partition is still mounted, and/or the file system is in an unclean state.

Number of groups: 150

Minimum / maximum journal block: 1542 / 35880

Loading journal descriptors... sorting... done

The oldest inode block that is still in the journal, appears to be from 1246479046 = Wed Jul 1 16:10:46 2009

Number of descriptors in journal: 82; min / max sequence numbers: 2 / 8

Loading sda5.ext3grep.stage2... done

Restoring Level1.7z

[root@erico-test erico]# du -hs RESTORED_FILES/

60K RESTORED_FILES/

[root@erico-test erico]#

恢复让人失望,文件是恢复了,但是内容只有几十K,打开文件打不开。说明恢复失败!

[root@erico-test erico]# /soft/data_recover/bin/ext3grep /dev/sda5 --restore-file Level12.7z

Running ext3grep version 0.10.1

WARNING: EXT3_FEATURE_INCOMPAT_RECOVER is set. This either means that your partition is still mounted, and/or the file system is in an unclean state.

Number of groups: 150

Minimum / maximum journal block: 1542 / 35880

Loading journal descriptors... sorting... done

The oldest inode block that is still in the journal, appears to be from 1246479046 = Wed Jul 1 16:10:46 2009

Number of descriptors in journal: 103; min / max sequence numbers: 2 / 12

Writing output to directory RESTORED_FILES/

Loading sda5.ext3grep.stage2... done

Restoring Level12.7z

WARNING: Failed to restore Level12.7z: encountered a reused or corrupted (double/triple) indirect block!

Running iterate_over_all_blocks_of again with diagnostic messages ON:

Processing direct blocks... 124928 124929 124930 124931 124932 124933 124934 124935 124936 124937 124938 124939

Processing indirect block 124940: entry 0 contains block number 2979148019, which is too large.

[root@erico-test erico]# ls RESTORED_FILES/Level12.7z

RESTORED_FILES/Level12.7z

[root@erico-test erico]# du -hs RESTORED_FILES/Level12.7z

48K RESTORED_FILES/Level12.7z

[root@erico-test erico]#

注意到了,由于我是在windows下拷贝Level12.7z文件到/data/目录下的,该BLOCK NUMBER

太大,导致恢复不了。

【尝试恢复1.8GB的数据】

Result of stage one:

5 inodes are referenced by one or more directory blocks, 1 of those inodes is still allocated.

1 inodes are referenced by more than one directory block, 1 of those inodes is still allocated.

0 blocks contain an extended directory.

Result of stage two:

1 of those inodes could be resolved because it is still allocated.

All directory inodes are accounted for!

Writing analysis so far to 'sda5.ext3grep.stage2'. Delete that file if you want to do this stage again.

The first block of the directory is 1536.

Inode 2 is directory "".

Directory block 1536:

.-- File type in dir_entry (r=regular file, d=directory, l=symlink)

|         .-- D: Deleted ; R: Reallocated

Indx Next | Inode  | Deletion time                       Mode       File name

==========+==========+----------------data-from-inode------+-----------+=========

0   1 d      2                                        drwxr-xr-x .

1 end d      2                                        drwxr-xr-x ..

2 end d     11 D 1246482239 Wed Jul 1 17:03:59 2009 drwx------ lost+found

3   4 r  48865 D 1246482237 Wed Jul 1 17:03:57 2009 rrw-r--r-- ITS_APP_CHECK

4   5 r  48866 D 1246482237 Wed Jul 1 17:03:57 2009 rrw-r--r-- ITS_APP_CHECK.bak

5   6 r  48867 D 1246482237 Wed Jul 1 17:03:57 2009 rrwxr-xr-x ITS_APP_CHECK_25_port7001

6   7 r  48868 D 1246482237 Wed Jul 1 17:03:57 2009 rrw-r--r-- ITS_APP_CHECK_25_port7001.bak

7   8 r  48869 D 1246482237 Wed Jul 1 17:03:57 2009 rrwxr-xr-x ITS_APP_CHECK_25_port80

8   9 r  48870 D 1246482237 Wed Jul 1 17:03:57 2009 rrw-r--r-- ITS_APP_CHECK_25_port80.bak

9  10 r  48871 D 1246482237 Wed Jul 1 17:03:57 2009 rrwxr-xr-x ITS_APP_CHECK_25_port8008_16_port80

10  11 r  48872 D 1246482237 Wed Jul 1 17:03:57 2009 rrw-r--r-- ITS_APP_CHECK_25_port8008_16_port80.bak

11  12 r  48873 D 1246482237 Wed Jul 1 17:03:57 2009 rrwxr-xr-x ITS_APP_CHECK_25_port8080

12  13 r  48874 D 1246482237 Wed Jul 1 17:03:57 2009 rrw-r--r-- ITS_APP_CHECK_25_port8080.bak

13  14 r  48875 D 1246482237 Wed Jul 1 17:03:57 2009 rrwxr-xr-x check_file_from_15

14  15 r  48876 D 1246482237 Wed Jul 1 17:03:57 2009 rrw-r--r-- check_file_from_15.bak

15  16 r  48877 D 1246482237 Wed Jul 1 17:03:57 2009 rrwxr-xr-x check_file_from_16

16  17 r  48878 D 1246482237 Wed Jul 1 17:03:57 2009 rrw-r--r-- check_file_from_16.bak

17  18 r  48879 D 1246482237 Wed Jul 1 17:03:57 2009 rrwxr-xr-x check_pro_and_send_message_15

18  19 r  48880 D 1246482237 Wed Jul 1 17:03:57 2009 rrw-r--r-- check_pro_and_send_message_15.bak

19  20 r  48881 D 1246482237 Wed Jul 1 17:03:57 2009 rrwxr-xr-x check_pro_and_send_message_16

20  21 r  48882 D 1246482237 Wed Jul 1 17:03:57 2009 rrw-r--r-- check_pro_and_send_message_16.bak

 21 end r  48883 D 1246482239 Wed Jul 1 17:03:59 2009 rrw-r--r-- linux_11gR1_database_1013.zip

再次确认了,ext3grep只能恢复小文件,大于200M单文件的都无法恢复!

测试三:多文件和多目录恢复(文件目录多于100个,文件多于50万个,全部为png图片

1重新格式化测试盘,让盘变成空盘

2】创建测试文件和文件目录,准备做测试

[root@erico-test erico]# mount /dev/sda5 /data/

[root@erico-test erico]# ls –al /data/

total 124

drwxr-xr-x   6 root root 4096 Jul 2 10:01 .

drwxr-xr-x  28 root root 4096 Jul 2 10:03 ..

drwx------ 2225 root root 69632 Jul 2 11:45 Level1

drwxr-xr-x 656 root root 20480 Jul 2 05:45 Level6

drwxr-xr-x   3 root root 4096 Jul 2 05:24 Level9

drwx------   2 root root 16384 Jul 1 17:46 lost+found

[root@erico-test data]# ls /data/Level9/ |wc -l

4

[root@erico-test data]#ls /data/Level6/ |wc -l

654

[root@erico-test T00110011]# df -h

Filesystem           Size Used Avail Use% Mounted on

/dev/sda3             15G  13G 663M 96% /

/dev/sda1            965M  23M 893M  3% /boot

tmpfs                234M    0 234M  0% /dev/shm

/dev/sda5             56G 4.6G  48G  9% /data

[root@erico-test T00110011]#

其中:一级目录有4个,二级目录有Level1:4522*225=1017450  Level6:657个(总文件大约:657*225=147825)

Level9:4个(总文件大约:4*225=900)估计恢复文件大小为:4.6G,总文件数:1166175

3.)删除/data/目录下的文件

[root@erico-test erico]# rm -rf /data/*

[root@erico-test /]# umount /data/

4.)扫描/dev/sda5被删除的数据情况

Adding extended directory block(s) for directory "Level1".

WARNING: Rejecting a dir_entry (block 153811) because it contains legal but unlikely characters.

Use --ls --block 153811 to examine this possible directory block.

If it looks like a directory to you, and '\020'

looks like a filename that might belong in that directory, then add

--accept='\020' as commandline parameter AND remove both stage* files!

Adding extended directory block(s) for directory "Level6".

Writing analysis so far to 'sda5.ext3grep.stage2'. Delete that file if you want to do this stage again.

The first block of the directory is 1538.

Inode 2 is directory "".

Directory block 1538:

.-- File type in dir_entry (r=regular file, d=directory, l=symlink)

|         .-- D: Deleted ; R: Reallocated

Indx Next | Inode  | Deletion time                       Mode       File name

==========+==========+----------------data-from-inode------+-----------+=========

0   1 d      2                                        drwxr-xr-x .

1   2 d      2                                        drwxr-xr-x ..

2 end d     11                                        drwx------ lost+found

3 end d 5428865 D 1246561941 Thu Jul 2 15:12:21 2009 drwxr-xr-x Level9

4 end d 5903073 D 1246561941 Thu Jul 2 15:12:21 2009 drwxr-xr-x Level6

5 end d 5379809 D 1246561926 Thu Jul 2 15:12:06 2009 drwx------ Level1

同样找到了删除的文件夹

5.)恢复所有文件

[root@erico-test erico]# /soft/data_recover/bin/ext3grep /dev/sda5 --restore-all

查看恢复出来的文件和目录:

[root@erico-test Level9]# find ../../../RESTORED_FILES/ -name *.png -print |wc -l

33057

[root@erico-test Level9]#find ../../../RESTORED_FILES/ -type d -print |wc -l

5163

恢复出来的PNG文件只有33057个(只恢复了很少很少一部分文件),目录是5163个(全部恢复)

ext3grep 恢复删除的更多相关文章

  1. ext3grep 模拟恢复删除文件

    一,下载ext3grep-0.10.1.tar.gz 点此下载 二,安装 #tar zxvf ext3grep-0.10.1.tar.gz #cd ext3grep-0.10.1 #./configu ...

  2. ext3文件系统反删除利器-ext3grep

    导读 Linux作为企业级服务器,数据的安全性至关重要,任何数据德尔丢失和误删都是不可容忍的!最近我接触到一款软件-ext3grep,它可以恢复误删的数据,下面简单讲解一下这个软件. ext3grep ...

  3. Linux 利用lsof命令恢复删除的文件

    lsof命令 lsof命令用于查看你进程开打的文件,打开文件的进程,进程打开的端口(TCP.UDP).找回/恢复删除的文件.是十分方便的系统监视工具,因为lsof命令需要访问核心内存和各种文件,所以需 ...

  4. Linux lsof命令 以及 恢复删除的文件

    1.简介 lsof(list open files)是一个列出当前系统打开文件的工具.在linux环境下,任何事物都以文件的形式存在,通过文件不仅仅可以访问常规数据,还可以访问网络连接和硬件.所以如传 ...

  5. Eclipse 恢复删除的文件

    这件事发生在,两周以前,那时我正在写LLT,补充完代码覆盖率.突然,我的代码呢,我的代码去哪里了?由于对Eclipse还不太熟悉,代码就则样被我从磁盘删掉了.然后火速给同事打电话,同事说如果删除了,而 ...

  6. Linux下恢复删除的文件

    转自:http://github.tiankonguse.com/blog/2015/09/13/linux-remove-recovery/ 下午, DBA找我说有些SQL执行了两个小时了,导致主从 ...

  7. 高性能Linux服务器 第6章 ext3文件系统反删除利器ext3grep extundelete工具恢复rm -rf 误删除的文件

    高性能Linux服务器 第6章  ext3文件系统反删除利器ext3grep  extundelete工具恢复rm -rf 误删除的文件 只能用于ext3文件系统!!!!!!!高俊峰(高性能Linux ...

  8. 使用 ext3grep 恢复数据试验成功 笔记

    使用 ext3grep 恢复数据试验成功 笔记   来源:  Linux论坛 日期: 2009.07.07 10:03 (共有条评论)  我要评论   [Copy to clipboard] [ - ...

  9. ext3文件系统反删除利器ext3grep应用实战

    推荐:10年技术力作:<高性能Linuxserver构建实战Ⅱ>全网发行,附试读章节和全书实例源代码下载! 一."rm –rf"带来的困惑 国外一份非常著名的Linux ...

随机推荐

  1. (转)RabbitMQ消息队列(七):适用于云计算集群的远程调用(RPC)

    在云计算环境中,很多时候需要用它其他机器的计算资源,我们有可能会在接收到Message进行处理时,会把一部分计算任务分配到其他节点来完成.那么,RabbitMQ如何使用RPC呢?在本篇文章中,我们将会 ...

  2. 3月3日(6) Climbing Stairs

    原题 Climbing Stairs 求斐波那契数列的第N项,开始想用通项公式求解,其实一个O(n)就搞定了. class Solution { public: int climbStairs(int ...

  3. IOS动画隐式,显式,翻页

    //  ViewController.m //  IOS动画0817 // //  Created by 张艳锋 on 15/8/17. //  Copyright (c) 2015年 张艳锋. Al ...

  4. .NET中变量的类型问题

    1.JAVA和C# Byte的不同. java里一个byte取值范围是-128~127, 而C#里一个byte是0~255. 首位不同. 但是底层I/O存储的数据是一样的, 比如, 十进制的100, ...

  5. C#工具介绍

    VisualStudio是微软的官方提供的.NET开发工具. 除了VisualStudio外,还有一些开源的.NET开发IDE. MonoDevelop.SharpDevelop等. 开发未必需要使用 ...

  6. c++11:copy_n

    copy_n: Copies exactly count values from the range beginning at first to the range beginning at resu ...

  7. 如何使用NET Reactor为您的.Net(C#,VB.Net) 源代码加密

    前言 VS开发的源代码安全性,是很多开发者头痛的事情.于是保护好源代码便成了开发者们最关心的事情之一了. 在网上搜一搜,很多有不少的第三方工具可以为源代码加密.加密方式不外乎就是混淆,加壳. 理论上, ...

  8. jquery插件开发模板

    (function($){ $.fn.extend({ //将可选择的变量传递给方法 pluginname: function(options) { //设置默认值并用逗号隔开 var default ...

  9. 方法的可变长参数 传入参数个数不确定可用(Type ... values)

    /** * 可变长的参数. * 有时候,我们传入到方法的参数的个数是不固定的,为了解决这个问题,我们一般采用下面的方法: * 1. 重载,多重载几个方法,尽可能的满足参数的个数.显然这不是什么好办法. ...

  10. 一个PHP加密脚本,达到一定免杀效果

    <?php /**************************************** *author: L.N. *blog : [url]http://lanu.sinaapp.co ...