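Recovering accidentally deleted files on Linux: running rm -rf * can be very dangerous. If you delete files by mistake, how do you get them back?

Note: this tool supports the ext3 file system; it does not support ext4.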




1. Install the rpm package
[root@zw_test_26_74 /]# rpm -ivh ext3grep-0.10.2-1.el4.rf.x86_64.rpm
warning: ext3grep-0.10.2-1.el4.rf.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID 6b8d79e6: NOKEY
Preparing...                ########################################### [100%]
   1:ext3grep               ########################################### [100%]


2. Check the tool version
[root@zw_test_26_74 /]# ext3grep -v
Running ext3grep version 0.10.2
ext3grep v0.10.2, Copyright (C) 2008 Carlo Wood.
ext3grep comes with ABSOLUTELY NO WARRANTY;
This program is free software; your freedom to use, change
and distribute this program is protected by the GPL.


3. Create a file system:
[root@zw_test_26_74 ~]# mkfs -t ext3 /dev/sdb1


4. Mount the file system
[root@zw_test_26_74 /]# mount /dev/sdb1  /test


5. Copy a few files to /test

[root@zw_test_26_74 test]# ll -ssh
total 65M
4.0K -rw-r--r-- 1 root root   56 Dec 30 11:19 aaa.txt
 16K drwx------ 2 root root  16K Dec 30 11:17 lost+found
872K -rw-r--r-- 1 root root 865K Dec 30 11:19 nginx-1.9.7.tar.gz
 64M -rw-r--r-- 1 root root  64M Dec 30 11:19 software.tar
 

6. Delete all files under /test

[root@zw_test_26_74 test]# rm -rf *
[root@zw_test_26_74 test]# ll
total 0
[root@zw_test_26_74 test]#

At this point /test contains no files or directories. Next we recover all of the files and directories.


7. Unmount the /dev/sdb1 partition so that further reads and writes to the disk do not overwrite the deleted files
[root@localhost ~]# umount /test

8. Query the recoverable data

[root@localhost ~]# ext3grep /dev/sdb1 --ls --inode 2
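This scans the file system for information about all files, both existing and deleted; entries marked with D are files that have been deleted. If you do not remember the name of a deleted file,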

[root@zw_test_26_74 /]# ext3grep /dev/sdb1 --ls --inode 2
Running ext3grep version 0.10.2
WARNING: I don't know what EXT3_FEATURE_COMPAT_EXT_ATTR is.
Number of groups: 9
Loading group metadata... done
Minimum / maximum journal block: 131535 / 139736
Loading journal descriptors... sorting... done
The oldest inode block that is still in the journal, appears to be from 1451445526 = Wed Dec 30 11:18:46 2015
Number of descriptors in journal: 36; min / max sequence numbers: 2 / 5
Inode is Allocated
Finding all blocks that might be directories.
D: block containing directory start, d: block containing more directory entries.
Each plus represents a directory start that references the same inode as a directory start that we found previously.

Searching group 0: DD
Searching group 1:
Searching group 2:
Searching group 3:
Searching group 4: ++
Searching group 5:
Searching group 6:
Searching group 7:
Searching group 8:
Writing analysis so far to 'sdb1.ext3grep.stage1'. Delete that file if you want to do this stage again.
Result of stage one:
  2 inodes are referenced by one or more directory blocks, 1 of those inodes is still allocated.
  1 inodes are referenced by more than one directory block, 1 of those inodes is still allocated.
  0 blocks contain an extended directory.
Result of stage two:
  1 of those inodes could be resolved because it is still allocated.
All directory inodes are accounted for!

Writing analysis so far to 'sdb1.ext3grep.stage2'. Delete that file if you want to do this stage again.
The first block of the directory is 529.
Inode 2 is directory "".
Directory block 529:
          .-- File type in dir_entry (r=regular file, d=directory, l=symlink)
          |          .-- D: Deleted ; R: Reallocated
Indx Next |  Inode   | Deletion time                        Mode        File name
==========+==========+----------------data-from-inode------+-----------+=========
   0    1 d       2                                         drwxr-xr-x  .
   1  end d       2                                         drwxr-xr-x  ..
   2    3 d      11  D 1451445637 Wed Dec 30 11:20:37 2015  drwx------  lost+found
   3    4 r      12  D 1451445637 Wed Dec 30 11:20:37 2015  rrw-r--r--  nginx-1.9.7.tar.gz
   4  end r      13  D 1451445637 Wed Dec 30 11:20:37 2015  rrw-r--r--  software.tar
   5  end r      14  D 1451445636 Wed Dec 30 11:20:36 2015  rrw-r--r--  aaa.txt
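
The directory listing above is the place to look when the name of a deleted file is not known. The following is an added example, not part of the original post or of ext3grep itself: a small shell filter that reads `ext3grep --ls` output and prints only the rows flagged D, optionally limited to a deletion-time window. The function names `sample_listing` and `list_deleted` are hypothetical, the sample rows are copied from the listing above, and the column layout is assumed to match the version 0.10.2 output shown.

```shell
#!/bin/sh
# Constructed sample: the directory-block rows from the listing above.
sample_listing() {
cat <<'EOF'
Indx Next |  Inode   | Deletion time                        Mode        File name
==========+==========+----------------data-from-inode------+-----------+=========
   0    1 d       2                                         drwxr-xr-x  .
   1  end d       2                                         drwxr-xr-x  ..
   2    3 d      11  D 1451445637 Wed Dec 30 11:20:37 2015  drwx------  lost+found
   3    4 r      12  D 1451445637 Wed Dec 30 11:20:37 2015  rrw-r--r--  nginx-1.9.7.tar.gz
   4  end r      13  D 1451445637 Wed Dec 30 11:20:37 2015  rrw-r--r--  software.tar
   5  end r      14  D 1451445636 Wed Dec 30 11:20:36 2015  rrw-r--r--  aaa.txt
EOF
}

# list_deleted [FROM_EPOCH] [TO_EPOCH]
# Reads `ext3grep DEVICE --ls --inode N` output on stdin and prints
# "inode<TAB>deletion_epoch<TAB>type<TAB>name" for every row flagged D
# whose deletion time lies inside the (optional) window.
list_deleted() {
  awk -v lo="${1:-0}" -v hi="${2:-}" '
    # A data row starts with: index, next, type letter (r/d/l), inode number.
    # Deleted rows then carry the flag "D" followed by the deletion epoch.
    $1 ~ /^[0-9]+$/ && $3 ~ /^[rdl]$/ && $4 ~ /^[0-9]+$/ &&
    $5 == "D" && $6 ~ /^[0-9]+$/ {
      if ($6 + 0 < lo + 0) next
      if (hi != "" && $6 + 0 > hi + 0) next
      # Fields 7-11 are the human-readable date, field 12 is the mode.
      # Strip the first 12 fields so that file names with spaces survive.
      name = $0
      for (i = 1; i <= 12; i++) sub(/^[ \t]*[^ \t]+/, "", name)
      sub(/^[ \t]+/, "", name)
      printf "%s\t%s\t%s\t%s\n", $4, $6, $3, name
    }'
}

# Stand-alone run on the constructed sample: entries deleted at or after 11:20:37.
sample_listing | list_deleted 1451445637
```

On a real system the filter would be fed from the command in step 8, for example `ext3grep /dev/sdb1 --ls --inode 2 | list_deleted`.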
  

9. Restore a single file
Note: to restore a particular deleted file, proceed as follows:

[root@zw_test_26_74 /]# ext3grep /dev/sdb1 --restore-file nginx-1.9.7.tar.gz
Running ext3grep version 0.10.2
WARNING: I don't know what EXT3_FEATURE_COMPAT_EXT_ATTR is.
Number of groups: 9
Minimum / maximum journal block: 131535 / 139736
Loading journal descriptors... sorting... done
The oldest inode block that is still in the journal, appears to be from 1451445526 = Wed Dec 30 11:18:46 2015
Number of descriptors in journal: 36; min / max sequence numbers: 2 / 5
Loading sdb1.ext3grep.stage2... done
Restoring nginx-1.9.7.tar.gz

10. Check whether the restore succeeded; a directory named RESTORED_FILES is created in the current directory

[root@zw_test_26_74 /]# cd /RESTORED_FILES/
[root@zw_test_26_74 RESTORED_FILES]# ll -ssh
total 66M
4.0K -rw-r--r-- 1 root root   56 Dec 30 11:37 aaa.txt
4.0K drwx------ 2 root root 4.0K Dec 30 11:35 lost+found
872K -rw-r--r-- 1 root root 865K Dec 30 11:35 nginx-1.9.7.tar.gz
 64M -rw-r--r-- 1 root root  64M Dec 30 11:35 software.tar
 
 As you can see, the files have been recovered!
 
11. Remount the partition
[root@zw_test_26_74 test]# mount /dev/sdb1 /test

Move the recovered files and directories back to the original directory
[root@zw_test_26_74 RESTORED_FILES]# cp * /test -R

As you can see, everything has been restored; the data recovery is now complete.
[root@zw_test_26_74 test]# ll -ssh
total 66M
4.0K -rw-r--r-- 1 root root   56 Dec 30 11:37 aaa.txt
4.0K drwx------ 2 root root 4.0K Dec 30 11:35 lost+found
872K -rw-r--r-- 1 root root 865K Dec 30 11:35 nginx-1.9.7.tar.gz
 64M -rw-r--r-- 1 root root  64M Dec 30 11:35 software.tar

II. Restore all files and directories
[root@zw_test_26_74 /]# ext3grep /dev/sdb2 --restore-all

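Note: the "--restore-all" option recovers every recoverable file on the specified storage device and places them in the "RESTORED_FILES" directory;
the "--restore-all" option is very useful when restoring a large number of data files.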