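Files deleted by mistake with rm can be recovered with the ext3grep tool. They can also be rescued with debugfs plus dd, which is a little more cumbersome than ext3grep. The following is my own experiment.
1. Create a file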
[root@wdj data0]# echo "very good" >test.txt
2. Delete the test.txt file
[root@wdj data0]# rm -f test.txt
3. Use debugfs (normally shipped with the distribution) to find the inode of test.txt
[root@wdj data0]# debugfs /dev/sda3
debugfs:  ls -d /data0
1760916  (12) .    2  (4084) ..   <1760917> (4072) test.txt
The value inside "<>" is the inode number of test.txt; the inode of a deleted entry is shown inside "<>".
4. Get the block number from the inode
debugfs:        logdump -i <1760917>
Inode 1760917 is at group 54, block 1769476, offset 2560
Journal starts at block 1, transaction 212754
  FS block 1769476 logged at sequence 213248, journal block 2253 (flags 0x2)
    (inode block for inode 1760917):
    Inode: 1760917   Type: bad type        Mode:  0000   Flags: 0x0
    Generation: 0    Version: 0x00000000
    User:     0   Group:     0   Size: 0
    File ACL: 0    Directory ACL: 0
    Links: 0   Blockcount: 0
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x00000000 -- Thu Jan  1 08:00:00 1970
    atime: 0x00000000 -- Thu Jan  1 08:00:00 1970
    mtime: 0x00000000 -- Thu Jan  1 08:00:00 1970
    Blocks: 
  FS block 1769476 logged at sequence 213587, journal block 9249 (flags 0x2)
    (inode block for inode 1760917):
    Inode: 1760917   Type: bad type        Mode:  0000   Flags: 0x0
    Generation: 0    Version: 0x00000000
    User:     0   Group:     0   Size: 0
    File ACL: 0    Directory ACL: 0
    Links: 0   Blockcount: 0
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x00000000 -- Thu Jan  1 08:00:00 1970
    atime: 0x00000000 -- Thu Jan  1 08:00:00 1970
    mtime: 0x00000000 -- Thu Jan  1 08:00:00 1970
    Blocks: 
  FS block 1769476 logged at sequence 213588, journal block 9305 (flags 0x2)
    (inode block for inode 1760917):
    Inode: 1760917   Type: bad type        Mode:  0000   Flags: 0x0
    Generation: 0    Version: 0x00000000
    User:     0   Group:     0   Size: 0
    File ACL: 0    Directory ACL: 0
    Links: 0   Blockcount: 0
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x00000000 -- Thu Jan  1 08:00:00 1970
    atime: 0x00000000 -- Thu Jan  1 08:00:00 1970
    mtime: 0x00000000 -- Thu Jan  1 08:00:00 1970
    Blocks: 
  FS block 1769476 logged at sequence 213673, journal block 14966 (flags 0xa)
    (inode block for inode 1760917):
    Inode: 1760917   Type: bad type        Mode:  0000   Flags: 0x0
    Generation: 0    Version: 0x00000000
    User:     0   Group:     0   Size: 0
    File ACL: 0    Directory ACL: 0
    Links: 0   Blockcount: 0
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x00000000 -- Thu Jan  1 08:00:00 1970
    atime: 0x00000000 -- Thu Jan  1 08:00:00 1970
    mtime: 0x00000000 -- Thu Jan  1 08:00:00 1970
    Blocks: 
  FS block 1769476 logged at sequence 213674, journal block 14979 (flags 0x2)
    (inode block for inode 1760917):
    Inode: 1760917   Type: bad type        Mode:  0000   Flags: 0x0
    Generation: 0    Version: 0x00000000
    User:     0   Group:     0   Size: 0
    File ACL: 0    Directory ACL: 0
    Links: 0   Blockcount: 0
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x00000000 -- Thu Jan  1 08:00:00 1970
    atime: 0x00000000 -- Thu Jan  1 08:00:00 1970
    mtime: 0x00000000 -- Thu Jan  1 08:00:00 1970
    Blocks: 
  FS block 1769476 logged at sequence 213736, journal block 16114 (flags 0x2)
    (inode block for inode 1760917):
    Inode: 1760917   Type: regular        Mode:  0644   Flags: 0x0
    Generation: 1090083295    Version: 0x00000000
    User:     0   Group:     0   Size: 10
    File ACL: 0    Directory ACL: 0
    Links: 1   Blockcount: 8
    Fragment:  Address: 0    Number: 0    Size: 0
    ctime: 0x4cf51f96 -- Wed Dec  1 00:00:22 2010
    atime: 0x4cf51f96 -- Wed Dec  1 00:00:22 2010
    mtime: 0x4cf51f96 -- Wed Dec  1 00:00:22 2010
    Blocks:  (0+1): 1777664
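From the output above, the file uses one block, numbered 1777664.
5. Recover the data with dd (bs is the filesystem block size, skip is the block number found in step 4)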
debugfs:           quit
[root@wdj data0]# dd if=/dev/sda3 of=/tmp/test.txt bs=4096 count=1 skip=1777664
1+0 records in
1+0 records out
4096 bytes (4.1 kB) copied, 0.0552693 seconds, 74.1 kB/s
Check whether the file's data has been recovered
[root@wdj data0]#   vim /tmp/test.txt

very good
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
As shown above, the data has been recovered. The "^@" sequences are NUL characters and can simply be deleted.
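
Steps 4 and 5 as a script, added here as an example and not part of the original post: it reads the size and block extents from saved `logdump -i` output and cuts the copied data to the recorded size, so the NUL padding never reaches the recovered file. The image file, block number 37 and the function names are constructed for the demo, and the "(logical+count): first_block" reading of the Blocks: line is an assumption based on the output above.

```shell
#!/bin/sh
# Added example, not from the original post; names and sample data are constructed.
# Assumes the Blocks: line reads "(logical+count): first_block", as in the output above.

# Print the file size, then one "LOGICAL COUNT FIRST_BLOCK" line per extent, from
# the last record in saved `logdump -i` output whose Blocks: line is not empty.
parse_logdump() {
  awk '
    /User:/ { for (i = 1; i < NF; i++) if ($i == "Size:") size = $(i + 1) }
    /Blocks:/ && /[(]/ { good = $0; good_size = size }
    END {
      if (good == "") exit 1
      print good_size
      sub(/.*Blocks:/, "", good); gsub(/[()+:]/, " ", good)
      n = split(good, f, " ")
      for (i = 1; i + 2 <= n; i += 3) print f[i], f[i + 1], f[i + 2]
    }' "$1"
}

# recover IMAGE BLOCK_SIZE LOGDUMP_FILE OUT: copy each extent with dd, then cut
# the result to the recorded size so the padding of the last block is dropped.
recover() {
  meta=$(parse_logdump "$3") || return 1
  size=$(printf '%s\n' "$meta" | head -n 1)
  : > "$4.raw"
  printf '%s\n' "$meta" | tail -n +2 | while read -r logical count first; do
    dd if="$1" of="$4.raw" bs="$2" skip="$first" seek="$logical" \
       count="$count" conv=notrunc 2>/dev/null
  done
  head -c "$size" "$4.raw" > "$4" && rm -f "$4.raw"
}

# Constructed demo: a 64-block image file stands in for /dev/sda3, and block 37
# stands in for the block number reported by logdump.
demo() {
  d=$(mktemp -d)
  dd if=/dev/zero of="$d/fs.img" bs=4096 count=64 2>/dev/null
  printf 'very good\n' | dd of="$d/fs.img" bs=4096 seek=37 conv=notrunc 2>/dev/null
  cat > "$d/logdump.txt" <<'EOF'
    User:     0   Group:     0   Size: 0
    Blocks: 
    User:     0   Group:     0   Size: 10
    Fragment:  Address: 0    Number: 0    Size: 0
    Blocks:  (0+1): 37
EOF
  recover "$d/fs.img" 4096 "$d/logdump.txt" "$d/test.txt" && echo "$d/test.txt"
}
```

Running `demo` prints the path of the recovered file. Against a real device, write the output to a different filesystem than the one being recovered, as the post does with /tmp.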