Ext3grep 是ext3文件系统下的一个开源数据恢复工具,官方下载地址http://code.google.com/p/ext3grep/downloads/detail?name=ext3grep-0.10.2.tar.gz 。
它的恢复原理很简单:ext2/ext3 文件系统是采用 block+inode 的方式存放文件的,其中 inode 存放文件的元数据,包含文件权限、更改时间、属性等。而在带有日志功能的 ext3 文件系统中,删除一个文件,就是将该文件的 inode节点中的指针清除,其实数据还在存在block当中的。所以如果没有新的数据来占用该 block,只要恢复了inode指向,该文件就恢复了。
接下来是安装过程和模拟误删演示:
1: cd ext3grep-0.10.22: ./configure3: make && make install
1、 我现在是将 sdb5 挂载到分区 /mnt/data2 下:
1: mount /dev/sdb5 /mnt/data2/
分别在下面新建一个目录和一文件
1: [root@localhost src]# cd /mnt/data2/2: [root@localhost data2]# ls3: [root@localhost data2]# echo "I Love you" > nodelete.txt
4: [root@localhost data2]# ls5: nodelete.txt6: [root@localhost data2]# cat nodelete.txt7: I Love you8: [root@localhost data2]# mkdir nodelete9: [root@localhost data2]# ls10: nodelete nodelete.txt11:
2、 接下来假设我误删2个数据了,
1: [root@localhost data2]# rm -fR no*2: [root@localhost data2]# ls3: [root@localhost data2]#4:
3、恢复。误删之后千万注意整个硬盘不能有任何写入操作了,我们先卸载所在分区。
1: [root@localhost data2]# cd2: [root@localhost ~]# umount /mnt/data2/
#查看要恢复的数据
1: [root@localhost ~]# ext3grep /dev/sdb5 --ls --inode 22: Running ext3grep version 0.10.13: WARNING: I don't know what EXT3_FEATURE_COMPAT_EXT_ATTR is.4: Number of groups: 85: Loading group metadata... done6: Minimum / maximum journal block: 583 / 46857: Loading journal descriptors... sorting... done8: The oldest inode block that is still in the journal, appears to be from 1350471162 = Wed Oct 17 18:52:42 20129: Number of descriptors in journal: 65; min / max sequence numbers: 9 / 3510: Inode is Allocated11:
#指定恢复nodelete.txt
1: [root@localhost ~]# ext3grep /dev/sdb5 --restore-file nodelete.txt2: Running ext3grep version 0.10.13: WARNING: I don't know what EXT3_FEATURE_COMPAT_EXT_ATTR is.4: Number of groups: 85: Minimum / maximum journal block: 583 / 46856: Loading journal descriptors... sorting... done7: The oldest inode block that is still in the journal, appears to be from 1350471162 = Wed Oct 17 18:52:42 20128:
#恢复所有数据 ext3grep /dev/sdb5 --restore-all
执行恢复后会在当前目录下生成一个 目录 “RESTORED_FILES”,你要的数据就在里面了。
1: [root@localhost ~]# ls |grep RE2: RESTORED_FILES3: