Linux ext2/ext3 文件删除恢复工具ext3grep安装使用

2010-08-23 18:03:10|  分类: 默认分类|举报|字号 订阅

 
 

一.           安装前系统环境检查(我的实验环境:AS5.2 2.6.18-92.el5内核)< xmlnamespace prefix ="o" ns ="urn:schemas-microsoft-com:office:office" />

1.)查看所需要的依赖包

rpm -qa |grep e2fsprogs

e2fsprogs-devel-1.39-15.el5

e2fsprogs-libs-1.39-15.el5

e2fsprogs-1.39-15.el5

e2fsprogs-libs-1.39-15.el5

保证以上的包已经正确安装。

2.)下载安装运行ext3grep

mkdir –p /home/erico/test/

cd /home/erico/test/

wgethttp://ext3grep.googlecode.com/files/ext3grep-0.10.1.tar.gz

mkdir –p /soft/data_recover/

tar xzvf ext3grep-0.10.1.tar.gz

cd ext3grep-0.10.1

./configure --prefix=/soft/data_recover/

make && make install

运行ext3grep命令必须要加路径

/soft/data_recover/bin/ext3grep【参数】

3.)利用ext3grep测试恢复数据

1)我的硬盘分区情况

[root@erico-test erico]# fdisk -l

Disk /dev/sda: 80.0 GB, 80026361856 bytes

255 heads, 63 sectors/track, 9729 cylinders

Units = cylinders of 16065 * 512 = 8225280 bytes

Device Boot     Start        End     Blocks  Id System

/dev/sda1  *          1        127    1020096  83 Linux

/dev/sda2           2434       9729   58605120   f W95 Ext'd (LBA)

/dev/sda3            128       2039   15358140  83 Linux

/dev/sda4           2040       2166    1020127+ 82 Linux swap / Solaris

/dev/sda5           2434       9729   58605088+ 83 Linux

Partition table entries are not in disk order

2.)把/dev/sda5挂载到/data/下,用来做测试。

[root@erico-test erico]# mount /dev/sda5 /data/

3.)创建测试文件和文件目录,准备做测试

[root@erico-test data]# cp /home/erico/all_system_app_check_bak_test.log /data/

4.)删除/data/目录下的文件

[root@erico-test erico]# rm -rf /data/all_system_app_check_bak_test.log

5.)取消挂载需要恢复数据的区/dev/sda5

[root@erico-test /]# umount /dev/sda5

6.)恢复数据

测试一:文本文件(小文件)

1】扫描/dev/sda5被删除的数据情况

[root@erico-test erico]#/soft/data_recover/bin/ext3grep /dev/sda5 --ls --inode 2

Loading group metadata... done

Minimum / maximum journal block: 1542 / 35880

Loading journal descriptors... sorting... done

The oldest inode block that is still in the journal, appears to be from 1246478245 = Wed Jul 1 15:57:25 2009

Number of descriptors in journal: 19; min / max sequence numbers: 2 / 5

Inode is Allocated

Loading sda5.ext3grep.stage2... done

The first block of the directory is 1536.

Inode 2 is directory "".

Directory block 1536:

.-- File type in dir_entry (r=regular file, d=directory, l=symlink)

|         .-- D: Deleted ; R: Reallocated

Indx Next | Inode  | Deletion time                       Mode       File name

==========+==========+----------------data-from-inode------+-----------+=========

0   1 d      2                                        drwxr-xr-x .

1   2 d      2                                        drwxr-xr-x ..

2 end d     11                                        drwx------ lost+found

3 end r  48865 D 1246478282 Wed Jul 1 15:58:02 2009 rrw-r--r-- all_system_app_check_bak_test.log

根据上面的情况,可以知道我们删除了的文件。

2】恢复数据

[root@erico-testerico]#/soft/data_recover/bin/ext3grep /dev/sda5 --restore-file all_system_app_check_bak_test.log

[root@erico-test erico]# ls -al RESTORED_FILES/

total 12

drwxr-xr-x 2 root root 4096 Jul 1 15:59 .

drwxr-xr-x 7 root root 4096 Jul 1 15:56 ..

-rw-r--r-- 1 root root 1368 Jul 1 15:57 all_system_app_check_bak_test.log

在RESTORED_FILES/下我们看到了恢复出来的文件all_system_app_check_bak_test.log

测试二:大文件(220M)

1重新格式化测试盘,让盘变成空盘

[root@erico-test erico]# umount /dev/sda5

[root@erico-test erico]# mkfs.ext3 /dev/sda5

mke2fs 1.39 (29-May-2006)

Filesystem label=

OS type: Linux

Block size=4096 (log=2)

Fragment size=4096 (log=2)

2443200 inodes, 4885760 blocks

244288 blocks (5.00%) reserved for the super user

First data block=0

Maximum filesystem blocks=4294967296

150 block groups

32768 blocks per group, 32768 fragments per group

16288 inodes per group

Superblock backups stored on blocks:

32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,

4096000

Writing inode tables: done

Creating journal (32768 blocks): done

Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 30 mounts or

180 days, whichever comes first. Use tune2fs -c or -i to override.

确认格式后盘是空的!

[root@erico-test erico]# /soft/data_recover/bin/ext3grep /dev/sda5 --ls --inode 2

Running ext3grep version 0.10.1

Number of groups: 150

Loading group metadata... done

Minimum / maximum journal block: 1542 / 35880

Loading journal descriptors... sorting... done

The oldest inode block that is still in the journal, appears to be from 0 = Wed Dec 31 19:00:00 1969

Number of descriptors in journal: 0; min / max sequence numbers: 4294967295 / 0

Inode is Allocated

Loading sda5.ext3grep.stage2... done

The first block of the directory is 1536.

Inode 2 is directory "".

Directory block 1536:

.-- File type in dir_entry (r=regular file, d=directory, l=symlink)

|         .-- D: Deleted ; R: Reallocated

Indx Next | Inode  | Deletion time                       Mode       File name

==========+==========+----------------data-from-inode------+-----------+=========

0   1 d      2                                        drwxr-xr-x .

1   2 d      2                                        drwxr-xr-x ..

2 end d     11                                        drwx------ lost+found

[root@erico-test erico]#

2】创建测试文件和文件目录,准备做测试

[root@erico-test erico]# mount /dev/sda5 /data/

[root@erico-test erico]# cp /home/erico/Level1.7z /data/

该文件大小是220M的压缩文件(里面包括几十万以上的png图片文件)

3.)删除/data/目录下的文件

[root@erico-test erico]# rm -rf /data/Level1.7z

4.)扫描/dev/sda5被删除的数据情况

[root@erico-test erico]# /soft/data_recover/bin/ext3grep /dev/sda5 --ls --inode 2

Running ext3grep version 0.10.1

WARNING: EXT3_FEATURE_INCOMPAT_RECOVER is set. This either means that your partition is still mounted, and/or the file system is in an unclean state.

Number of groups: 150

Loading group metadata... done

Minimum / maximum journal block: 1542 / 35880

Loading journal descriptors... sorting... done

The oldest inode block that is still in the journal, appears to be from 1246479046 = Wed Jul 1 16:10:46 2009

Number of descriptors in journal: 82; min / max sequence numbers: 2 / 8

Inode is Allocated

Loading sda5.ext3grep.stage2... done

The first block of the directory is 1536.

Inode 2 is directory "".

Directory block 1536:

.-- File type in dir_entry (r=regular file, d=directory, l=symlink)

|         .-- D: Deleted ; R: Reallocated

Indx Next | Inode  | Deletion time                       Mode       File name

==========+==========+----------------data-from-inode------+-----------+=========

0   1 d      2                                        drwxr-xr-x .

1   2 d      2                                        drwxr-xr-x ..

2 end d     11                                        drwx------ lost+found

 3 end r  48865 D 1246479377 Wed Jul 1 16:16:17 2009 rrw-r--r-- Level1.7z

[root@erico-test erico]#

同样找到了删除的文件Level1.7z

5.)恢复Level1.7z文件

 

[root@erico-test erico]# /soft/data_recover/bin/ext3grep /dev/sda5 --restore-file Level1.7z

Running ext3grep version 0.10.1

WARNING: EXT3_FEATURE_INCOMPAT_RECOVER is set. This either means that your partition is still mounted, and/or the file system is in an unclean state.

Number of groups: 150

Minimum / maximum journal block: 1542 / 35880

Loading journal descriptors... sorting... done

The oldest inode block that is still in the journal, appears to be from 1246479046 = Wed Jul 1 16:10:46 2009

Number of descriptors in journal: 82; min / max sequence numbers: 2 / 8

Loading sda5.ext3grep.stage2... done

Restoring Level1.7z

[root@erico-test erico]# du -hs RESTORED_FILES/

60K RESTORED_FILES/

[root@erico-test erico]#

恢复让人失望,文件是恢复了,但是内容只有几十K,打开文件打不开。说明恢复失败!

[root@erico-test erico]# /soft/data_recover/bin/ext3grep /dev/sda5 --restore-file Level12.7z

Running ext3grep version 0.10.1

WARNING: EXT3_FEATURE_INCOMPAT_RECOVER is set. This either means that your partition is still mounted, and/or the file system is in an unclean state.

Number of groups: 150

Minimum / maximum journal block: 1542 / 35880

Loading journal descriptors... sorting... done

The oldest inode block that is still in the journal, appears to be from 1246479046 = Wed Jul 1 16:10:46 2009

Number of descriptors in journal: 103; min / max sequence numbers: 2 / 12

Writing output to directory RESTORED_FILES/

Loading sda5.ext3grep.stage2... done

Restoring Level12.7z

WARNING: Failed to restore Level12.7z: encountered a reused or corrupted (double/triple) indirect block!

Running iterate_over_all_blocks_of again with diagnostic messages ON:

Processing direct blocks... 124928 124929 124930 124931 124932 124933 124934 124935 124936 124937 124938 124939

Processing indirect block 124940: entry 0 contains block number 2979148019, which is too large.

[root@erico-test erico]# ls RESTORED_FILES/Level12.7z

RESTORED_FILES/Level12.7z

[root@erico-test erico]# du -hs RESTORED_FILES/Level12.7z

48K RESTORED_FILES/Level12.7z

[root@erico-test erico]#

注意到了,由于我是在windows下拷贝Level12.7z文件到/data/目录下的,该BLOCK NUMBER

太大,导致恢复不了。

【尝试恢复1.8GB的数据】

Result of stage one:

5 inodes are referenced by one or more directory blocks, 1 of those inodes is still allocated.

1 inodes are referenced by more than one directory block, 1 of those inodes is still allocated.

0 blocks contain an extended directory.

Result of stage two:

1 of those inodes could be resolved because it is still allocated.

All directory inodes are accounted for!

Writing analysis so far to 'sda5.ext3grep.stage2'. Delete that file if you want to do this stage again.

The first block of the directory is 1536.

Inode 2 is directory "".

Directory block 1536:

.-- File type in dir_entry (r=regular file, d=directory, l=symlink)

|         .-- D: Deleted ; R: Reallocated

Indx Next | Inode  | Deletion time                       Mode       File name

==========+==========+----------------data-from-inode------+-----------+=========

0   1 d      2                                        drwxr-xr-x .

1 end d      2                                        drwxr-xr-x ..

2 end d     11 D 1246482239 Wed Jul 1 17:03:59 2009 drwx------ lost+found

3   4 r  48865 D 1246482237 Wed Jul 1 17:03:57 2009 rrw-r--r-- ITS_APP_CHECK

4   5 r  48866 D 1246482237 Wed Jul 1 17:03:57 2009 rrw-r--r-- ITS_APP_CHECK.bak

5   6 r  48867 D 1246482237 Wed Jul 1 17:03:57 2009 rrwxr-xr-x ITS_APP_CHECK_25_port7001

6   7 r  48868 D 1246482237 Wed Jul 1 17:03:57 2009 rrw-r--r-- ITS_APP_CHECK_25_port7001.bak

7   8 r  48869 D 1246482237 Wed Jul 1 17:03:57 2009 rrwxr-xr-x ITS_APP_CHECK_25_port80

8   9 r  48870 D 1246482237 Wed Jul 1 17:03:57 2009 rrw-r--r-- ITS_APP_CHECK_25_port80.bak

9  10 r  48871 D 1246482237 Wed Jul 1 17:03:57 2009 rrwxr-xr-x ITS_APP_CHECK_25_port8008_16_port80

10  11 r  48872 D 1246482237 Wed Jul 1 17:03:57 2009 rrw-r--r-- ITS_APP_CHECK_25_port8008_16_port80.bak

11  12 r  48873 D 1246482237 Wed Jul 1 17:03:57 2009 rrwxr-xr-x ITS_APP_CHECK_25_port8080

12  13 r  48874 D 1246482237 Wed Jul 1 17:03:57 2009 rrw-r--r-- ITS_APP_CHECK_25_port8080.bak

13  14 r  48875 D 1246482237 Wed Jul 1 17:03:57 2009 rrwxr-xr-x check_file_from_15

14  15 r  48876 D 1246482237 Wed Jul 1 17:03:57 2009 rrw-r--r-- check_file_from_15.bak

15  16 r  48877 D 1246482237 Wed Jul 1 17:03:57 2009 rrwxr-xr-x check_file_from_16

16  17 r  48878 D 1246482237 Wed Jul 1 17:03:57 2009 rrw-r--r-- check_file_from_16.bak

17  18 r  48879 D 1246482237 Wed Jul 1 17:03:57 2009 rrwxr-xr-x check_pro_and_send_message_15

18  19 r  48880 D 1246482237 Wed Jul 1 17:03:57 2009 rrw-r--r-- check_pro_and_send_message_15.bak

19  20 r  48881 D 1246482237 Wed Jul 1 17:03:57 2009 rrwxr-xr-x check_pro_and_send_message_16

20  21 r  48882 D 1246482237 Wed Jul 1 17:03:57 2009 rrw-r--r-- check_pro_and_send_message_16.bak

 21 end r  48883 D 1246482239 Wed Jul 1 17:03:59 2009 rrw-r--r-- linux_11gR1_database_1013.zip

再次确认了,ext3grep只能恢复小文件,大于200M单文件的都无法恢复!

测试三:多文件和多目录恢复(文件目录多于100个,文件多于50万个,全部为png图片

1重新格式化测试盘,让盘变成空盘

2】创建测试文件和文件目录,准备做测试

[root@erico-test erico]# mount /dev/sda5 /data/

[root@erico-test erico]# ls –al /data/

total 124

drwxr-xr-x   6 root root 4096 Jul 2 10:01 .

drwxr-xr-x  28 root root 4096 Jul 2 10:03 ..

drwx------ 2225 root root 69632 Jul 2 11:45 Level1

drwxr-xr-x 656 root root 20480 Jul 2 05:45 Level6

drwxr-xr-x   3 root root 4096 Jul 2 05:24 Level9

drwx------   2 root root 16384 Jul 1 17:46 lost+found

[root@erico-test data]# ls /data/Level9/ |wc -l

4

[root@erico-test data]#ls /data/Level6/ |wc -l

654

[root@erico-test T00110011]# df -h

Filesystem           Size Used Avail Use% Mounted on

/dev/sda3             15G  13G 663M 96% /

/dev/sda1            965M  23M 893M  3% /boot

tmpfs                234M    0 234M  0% /dev/shm

/dev/sda5             56G 4.6G  48G  9% /data

[root@erico-test T00110011]#

其中:一级目录有4个,二级目录有Level1:4522*225=1017450  Level6:657个(总文件大约:657*225=147825)

Level9:4个(总文件大约:4*225=900)估计恢复文件大小为:4.6G,总文件数:1166175

3.)删除/data/目录下的文件

[root@erico-test erico]# rm -rf /data/*

[root@erico-test /]# umount /data/

4.)扫描/dev/sda5被删除的数据情况

Adding extended directory block(s) for directory "Level1".

WARNING: Rejecting a dir_entry (block 153811) because it contains legal but unlikely characters.

Use --ls --block 153811 to examine this possible directory block.

If it looks like a directory to you, and '\020'

looks like a filename that might belong in that directory, then add

--accept='\020' as commandline parameter AND remove both stage* files!

Adding extended directory block(s) for directory "Level6".

Writing analysis so far to 'sda5.ext3grep.stage2'. Delete that file if you want to do this stage again.

The first block of the directory is 1538.

Inode 2 is directory "".

Directory block 1538:

.-- File type in dir_entry (r=regular file, d=directory, l=symlink)

|         .-- D: Deleted ; R: Reallocated

Indx Next | Inode  | Deletion time                       Mode       File name

==========+==========+----------------data-from-inode------+-----------+=========

0   1 d      2                                        drwxr-xr-x .

1   2 d      2                                        drwxr-xr-x ..

2 end d     11                                        drwx------ lost+found

3 end d 5428865 D 1246561941 Thu Jul 2 15:12:21 2009 drwxr-xr-x Level9

4 end d 5903073 D 1246561941 Thu Jul 2 15:12:21 2009 drwxr-xr-x Level6

5 end d 5379809 D 1246561926 Thu Jul 2 15:12:06 2009 drwx------ Level1

同样找到了删除的文件夹

5.)恢复所有文件

[root@erico-test erico]# /soft/data_recover/bin/ext3grep /dev/sda5 --restore-all

查看恢复出来的文件和目录:

[root@erico-test Level9]# find ../../../RESTORED_FILES/ -name *.png -print |wc -l

33057

[root@erico-test Level9]#find ../../../RESTORED_FILES/ -type d -print |wc -l

5163

恢复出来的PNG文件只有33057个(只恢复了很少很少一部分文件),目录是5163个(全部恢复)

ext3grep 恢复删除的更多相关文章

  1. ext3grep 模拟恢复删除文件

    一,下载ext3grep-0.10.1.tar.gz 点此下载 二,安装 #tar zxvf ext3grep-0.10.1.tar.gz #cd ext3grep-0.10.1 #./configu ...

  2. ext3文件系统反删除利器-ext3grep

    导读 Linux作为企业级服务器,数据的安全性至关重要,任何数据德尔丢失和误删都是不可容忍的!最近我接触到一款软件-ext3grep,它可以恢复误删的数据,下面简单讲解一下这个软件. ext3grep ...

  3. Linux 利用lsof命令恢复删除的文件

    lsof命令 lsof命令用于查看你进程开打的文件,打开文件的进程,进程打开的端口(TCP.UDP).找回/恢复删除的文件.是十分方便的系统监视工具,因为lsof命令需要访问核心内存和各种文件,所以需 ...

  4. Linux lsof命令 以及 恢复删除的文件

    1.简介 lsof(list open files)是一个列出当前系统打开文件的工具.在linux环境下,任何事物都以文件的形式存在,通过文件不仅仅可以访问常规数据,还可以访问网络连接和硬件.所以如传 ...

  5. Eclipse 恢复删除的文件

    这件事发生在,两周以前,那时我正在写LLT,补充完代码覆盖率.突然,我的代码呢,我的代码去哪里了?由于对Eclipse还不太熟悉,代码就则样被我从磁盘删掉了.然后火速给同事打电话,同事说如果删除了,而 ...

  6. Linux下恢复删除的文件

    转自:http://github.tiankonguse.com/blog/2015/09/13/linux-remove-recovery/ 下午, DBA找我说有些SQL执行了两个小时了,导致主从 ...

  7. 高性能Linux服务器 第6章 ext3文件系统反删除利器ext3grep extundelete工具恢复rm -rf 误删除的文件

    高性能Linux服务器 第6章  ext3文件系统反删除利器ext3grep  extundelete工具恢复rm -rf 误删除的文件 只能用于ext3文件系统!!!!!!!高俊峰(高性能Linux ...

  8. 使用 ext3grep 恢复数据试验成功 笔记

    使用 ext3grep 恢复数据试验成功 笔记   来源:  Linux论坛 日期: 2009.07.07 10:03 (共有条评论)  我要评论   [Copy to clipboard] [ - ...

  9. ext3文件系统反删除利器ext3grep应用实战

    推荐:10年技术力作:<高性能Linuxserver构建实战Ⅱ>全网发行,附试读章节和全书实例源代码下载! 一."rm –rf"带来的困惑 国外一份非常著名的Linux ...

随机推荐

  1. jquery里用each遍历的值存到数组和字符串

    $("img").each(function(){ var a = $(this).attr("src"); }); //遍历后存放到数组中..要用的时候再根据 ...

  2. C++ 11 之学习总结

    感慨时间过的好快,C++ 11出来都5年了,现在才开始学习,但为时也不晚: 主要是网上及身边的朋友大肆宣扬C++ 11的某些优化,弄得别人心里痒痒的,所以就花了3天学习了点基本知识,相对于整个C++ ...

  3. [Guava源码分析]ImmutableCollection:不可变集合

    摘要: 我的技术博客经常被流氓网站恶意爬取转载.请移步原文:http://www.cnblogs.com/hamhog/p/3888557.html,享受整齐的排版.有效的链接.正确的代码缩进.更好的 ...

  4. Azure + vsftpd + ubntu14 + 虚拟用户 遇到的问题:从网上摘抄

    :在Azure安装好ubuntu虚拟机,安装包选择ubuntu14.04 LTS,选择LTS,以便微软对其以后的更好支持,不选就可能技术支持不会很久,现只开一台,端口默认选择22 :打开虚拟机,进入端 ...

  5. linux命令行解析函数介绍

    函数原型:         int getopt(int argc,char * const argv[ ],const char * optstring);         给定了命令参数的数量 ( ...

  6. c#键盘鼠标钩子

    using System; using System.Collections.Generic; using System.Linq; using System.Text; using System.W ...

  7. 七天学会NodeJS-学习笔记

    在网上发现一篇nodeJS教程,名为七天学会NodeJS,标题很有吸引力.我不指望七天能学会,只希望可以入门,下面是我的学习笔记和遇到的问题. 教程网址:http://nqdeng.github.io ...

  8. mongodb的常用操作

    对于nosql之前工作中有用到bekerlydb,最近开始了解mongodb,先简单写下mongodb的一些常用操作,当是个总结: 1.mongodb使用数据库(database)和集合(collec ...

  9. android 线程

    android线程: 通用多个线程通信管理框架: 1.Handler监听者框架:子线程是事件源,主线程是监听者.        Handler作为子线程的监听器出现:主线程中生成Handler的子类, ...

  10. VS编译时自动下载NuGet管理的库

    之前一直使用NuGet来管理一些第三方的库,但是每次check in代码时候为了保证编译通过,都需要把对应的packages check in. 比较耗费时间,特别是往github上同步代码,而且这些 ...