通过ext3grep恢复文件
dd if=/dev/zero of=/disk/disk1 count=102400
  118  cd disk/
  119  ls
  120  ls -lh
  121  cd ..
  122  ls
  123  cd /disk/
  124  mkfs.ext3 /disk/disk1
  125  mount -o loop /disk/disk1 /mnt/
  126  cp /etc/profile /mnt/
  127  cp /boot/initrd-2.6.18-194.el5.img /disk/
  128  echo "ext3grep test" > /mnt/ext3grep.txt
  129  cp /etc/hosts /mnt/

获取md5 删除掉所有文件
[root@localhost mnt]# md5sum ext3grep.txt
5afe55495cdb666daad667e1cd797dcb  ext3grep.txt
[root@localhost mnt]# md5sum hosts
3f6bc5fdac37347e2c6913259470ae9c  hosts
[root@localhost mnt]# md5sum profile
a6e82d979bb95919082d9aceddf56c39  profile
[root@localhost mnt]# md5sum
ext3grep.txt  hosts         lost+found/   profile      
[root@localhost mnt]# rm -rf *

卸载磁盘分区
umount /mnt
查询恢复数据信息
[root@localhost /]# ext3grep /disk/disk1 --ls --inode 2
Running ext3grep version 0.10.1
Number of groups: 7
Loading group metadata... done
Minimum / maximum journal block: 447 / 4561
Loading journal descriptors... sorting... done
The oldest inode block that is still in the journal, appears to be from 1333639433 = Thu Apr  5 23:23:53 2012
Number of descriptors in journal: 44; min / max sequence numbers: 2 / 12
Inode is Allocated
Loading disk1.ext3grep.stage2... done
The first block of the directory is 433.
Inode 2 is directory "".
Directory block 433:
          .-- File type in dir_entry (r=regular file, d=directory, l=symlink)
          |          .-- D: Deleted ; R: Reallocated
Indx Next |  Inode   | Deletion time                        Mode        File name
==========+==========+----------------data-from-inode------+-----------+=========
   0    1 d       2                                         drwxr-xr-x  .
   1  end d       2                                         drwxr-xr-x  ..
   2    3 d      11  D 1333640520 Thu Apr  5 23:42:00 2012  drwx------  lost+found
   3  end r      12  D 1333640520 Thu Apr  5 23:42:00 2012  rrw-r--r--  profile
   4    5 r      13  D 1333640520 Thu Apr  5 23:42:00 2012  rrw-r--r--  ext3grep.txt
   5  end r      14  D 1333640520 Thu Apr  5 23:42:00 2012  rrw-r--r--  hosts
--ls --inode 2 表示主要用于少猫当前文件系统下所有文件的信息,包括存在和已经删除的文件,其中D表示就是已经被删除的文件,



获取文件和要恢复的路径信息
[root@localhost /]# ext3grep /disk/disk1 --dump-names
Running ext3grep version 0.10.1
Number of groups: 7
Minimum / maximum journal block: 447 / 4561
Loading journal descriptors... sorting... done
The oldest inode block that is still in the journal, appears to be from 1333639433 = Thu Apr  5 23:23:53 2012
Number of descriptors in journal: 44; min / max sequence numbers: 2 / 12
Loading disk1.ext3grep.stage2... done
ext3grep.txt
hosts
lost+found
profile
恢复单个文件
[root@localhost /]# ext3grep /disk/disk1 --restore-file hosts
Running ext3grep version 0.10.1
Number of groups: 7
Minimum / maximum journal block: 447 / 4561
Loading journal descriptors... sorting... done
The oldest inode block that is still in the journal, appears to be from 1333639433 = Thu Apr  5 23:23:53 2012
Number of descriptors in journal: 44; min / max sequence numbers: 2 / 12
Writing output to directory RESTORED_FILES/
Loading disk1.ext3grep.stage2... done
Restoring hosts
查看恢复文件
[root@localhost /]# cd RESTORED_FILES/
[root@localhost RESTORED_FILES]# ls
hosts  inode.13
[root@localhost RESTORED_FILES]# md5sum hosts
3f6bc5fdac37347e2c6913259470ae9c  hosts
恢复所有删除的数据
[root@localhost RESTORED_FILES]# ext3grep /disk/disk1 --restore-all
Running ext3grep version 0.10.1
Number of groups: 7
Minimum / maximum journal block: 447 / 4561
Loading journal descriptors... sorting... done
The oldest inode block that is still in the journal, appears to be from 1333639433 = Thu Apr  5 23:23:53 2012
Number of descriptors in journal: 44; min / max sequence numbers: 2 / 12
Loading disk1.ext3grep.stage2... done
Restoring ext3grep.txt
Restoring hosts
Restoring profile
[root@localhost RESTORED_FILES]# ls
disk1.ext3grep.stage1  disk1.ext3grep.stage2  hosts  inode.13  RESTORED_FILES