下载地址 http://code.google.com/p/ext3grep/downloads/list
安装
[root@local ext3grep-0.10.1]# ./configure
[root@local ext3grep-0.10.1]# make
[root@local ext3grep-0.10.1]# make install
安装完后,测试一下删除 /boot 下一个的文件
[root@local boot]# ls
config-2.6.18-194.el5 lost+found symvers-2.6.18-194.el5.gz
grub memtest86+-1.65 System.map-2.6.18-194.el5
initrd-2.6.18-194.el5.img message vmlinuz-2.6.18-194.el5
[root@local boot]# rm -rf symvers-2.6.18-194.el5.gz
[root@local boot]# ls
config-2.6.18-194.el5 initrd-2.6.18-194.el5.img memtest86+-1.65 System.map-2.6.18-194.el5
grub lost+found message vmlinuz-2.6.18-194.el5
开始恢复
先卸载
[root@local boot]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/VolGroup00-LogVol00
3.8G 2.1G 1.5G 59% /
tmpfs 252M 0 252M 0%
/dev/shm/dev/sda1 99M 12M 82M 13% /boot
[root@local boot]#cd ..
[root@local /]# umount /boot
查看有哪些文件被删除了
[root@local /]# ext3grep /dev/sda1 --ls --inode 2
Running ext3grep version 0.10.1
WARNING: I don't know what EXT3_FEATURE_COMPAT_EXT_ATTR is.
Number of groups: 13
Loading group metadata... done
Minimum / maximum journal block: 526 / 4640
Loading journal descriptors... sorting... done
The oldest inode block that is still in the journal, appears to be from 1331487878 = Mon Mar 12 01:44:38 2012
Number of descriptors in journal: 84; min / max sequence numbers: 6 / 44
Inode is Allocated
Loading sda1.ext3grep.stage2... done
The first block of the directory is 512.
Inode 2 is directory "".
Directory block 512:
.-- File type in dir_entry (r=regular file, d=directory, l=symlink)
| .-- D: Deleted ; R: Reallocated
Indx Next | Inode | Deletion time Mode File name
==========+==========+----------------data-from-inode------+-----------+=========
0 1 d 2 drwxr-xr-x .
1 2 d 2 drwxr-xr-x ..
2 3 d 11 drwx------ lost+found
3 4 d 10041 drwxr-xr-x grub
4 5 r 13 rrw-r--r-- memtest86+-1.65
5 6 r 12 rrw-r--r-- message
6 7 r 19 rrw------- initrd-2.6.18-194.el5.img
7 8 r 14 rrw-r--r-- .vmlinuz-2.6.18-194.el5.hmac
8 9 r 15 rrw-r--r-- System.map-2.6.18-194.el5
9 11 r 16 rrw-r--r-- config-2.6.18-194.el5
10 11 r 17 D 1331490557 Mon Mar 12 02:29:17 2012 rrw-r--r-- symvers-2.6.18-194.el5.gz
11 end r 18 rrw-r--r-- vmlinuz-2.6.18-194.el5
可以看到symvers-2.6.18-194.el5.gz 的删除时间
[root@local /]# ext3grep /dev/sda1 --restore-file symvers-2.6.18-194.el5.gz
Running ext3grep version 0.10.1
WARNING: I don't know what EXT3_FEATURE_COMPAT_EXT_ATTR is.
Number of groups: 13
Minimum / maximum journal block: 526 / 4640
Loading journal descriptors... sorting... done
The oldest inode block that is still in the journal, appears to be from 1331487878 = Mon Mar 12 01:44:38 2012
Number of descriptors in journal: 84; min / max sequence numbers: 6 / 44
Loading sda1.ext3grep.stage2... done
Restoring symvers-2.6.18-194.el5.gz
恢复删除文件 后 保存在 RESTORED_FILES 文件夹里
[root@local /]# cd RESTORED_FILES/
[root@local RESTORED_FILES]# ls
symvers-2.6.18-194.el5.gz
恢复可以指定文件恢复,可以全部恢复,也可以指定时间恢复