Chinaunix首页 | 论坛 | 博客
  • 博客访问: 41615
  • 博文数量: 8
  • 博客积分: 13
  • 博客等级: 民兵
  • 技术积分: 55
  • 用 户 组: 普通用户
  • 注册时间: 2011-06-13 10:23
文章分类
文章存档

2014年(2)

2013年(3)

2012年(2)

2011年(1)

我的朋友

分类: LINUX

2013-02-25 11:40:04

本人使用ext3grep工具恢复数据,大家首先在官方网站下载ext3grep软件包,然后解压安装。

1.ext3grep /data/afh  --ls  --inode 2   :/data/afh为数据丢失的目录 ,这里是列出/data/afh目录的inode信息,目录inode信息一般为2.

(这个命令主要扫描当前文件系统下所有文件信息,包括存在的和已经删除的文件,其中含有D标志的就是已被删除的文件,如果不记得被删除的文件名称,可以通过以下命令获得要恢复的文件名称)

2.ext3grep /data/afh  --dump-names  :此命令列出当前文件系统下所有文件信息。

3.现在我们恢复删除的数据。

[root@jiankong /]# mkdir -p /data/

[root@jiankong /]#dd if=/dev/zero of=/data/afh  bs=1024 count=10240

10240+0 records in
10240+0 records out
10485760 bytes (10 MB) copied, 0.0448091 s, 234 MB/s

[root@jiankong /]#mkfs.ext3 /data/afh

mke2fs 1.41.12 (17-May-2010)
/data/afh is not a block special device.
Proceed anyway? (y,n) y
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
Stride=0 blocks, Stripe width=0 blocks
2560 inodes, 10240 blocks
512 blocks (5.00%) reserved for the super user
First data block=1
Maximum filesystem blocks=10485760
2 block groups
8192 blocks per group, 8192 fragments per group
1280 inodes per group
Superblock backups stored on blocks:
 8193

Writing inode tables: done                           
Creating journal (1024 blocks): done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 23 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.

[root@jiankong /]#mkdir /afc

[root@jiankong /]#mount -o loop /data/afh /afc

[root@jiankong /]# cp /etc/passwd /boot/* /afc/

[root@jiankong /]# cd /afh
[root@jiankong afc]# ls
config-2.6.32-279.el6.x86_64         symvers-2.6.32-279.el6.x86_64.gz
initramfs-2.6.32-279.el6.x86_64.img  System.map-2.6.32-279.el6.x86_64
lost+found                           vmlinuz-2.6.32-279.el6.x86_64
passwd

[root@jiankong afc]# rm -rf *
[root@jiankong afc]# ls
[root@jiankong afc]# cd /opt/

[root@jiankong opt]# ls
[root@jiankong opt]#

[root@jiankong opt]# ext3grep /data/afh --ls --inode 2
Running ext3grep version 0.10.2
WARNING: I don't know what EXT3_FEATURE_COMPAT_EXT_ATTR is.
Number of groups: 2
Loading group metadata... done
Minimum / maximum journal block: 218 / 1247
Loading journal descriptors... sorting... done
The oldest inode block that is still in the journal, appears to be from 1361608793 = Sat Feb 23 16:39:53 2013
Number of descriptors in journal: 198; min / max sequence numbers: 2 / 27
Inode is Allocated
Finding all blocks that might be directories.
D: block containing directory start, d: block containing more directory entries.
Each plus represents a directory start that references the same inode as a directory start that we found previously.

Searching group 0: DD++++D+++
Searching group 1: +
Writing analysis so far to 'disk1.ext3grep.stage1'. Delete that file if you want to do this stage again.
Result of stage one:
  3 inodes are referenced by one or more directory blocks, 1 of those inodes is still allocated.
  2 inodes are referenced by more than one directory block, 1 of those inodes is still allocated.
  0 blocks contain an extended directory.
Result of stage two:
  1 of those inodes could be resolved because it is still allocated.
  1 inodes could be resolved because all refering blocks but one were journal blocks.
All directory inodes are accounted for!


Writing analysis so far to 'disk1.ext3grep.stage2'. Delete that file if you want to do this stage again.
The first block of the directory is 204.
Inode 2 is directory "".
Directory block 204:
          .-- File type in dir_entry (r=regular file, d=directory, l=symlink)
          |          .-- D: Deleted ; R: Reallocated
Indx Next |  Inode   | Deletion time                        Mode        File name
==========+==========+----------------data-from-inode------+-----------+=========
   0    1 d       2                                         drwxr-xr-x  .
   1  end d       2                                         drwxr-xr-x  ..
   2    3 d      11  D 1361608866 Sat Feb 23 16:41:06 2013  drwx------  lost+found
   3    7 r      12  D 1361608866 Sat Feb 23 16:41:06 2013  rrw-r--r--  profile
   4    6 r      13  D 1361608866 Sat Feb 23 16:41:06 2013  rrw-r--r--  hosts
   5    6 r      14  D 1361608866 Sat Feb 23 16:41:06 2013  rrw-r--r--  config-2.6.32-279.el6.x86_64
   6    7 r      15  D 1361608866 Sat Feb 23 16:41:06 2013  rrw-r--r--  initramfs-2.6.32-279.el6.x86_64.img
   7    8 r    1281  D 1361608866 Sat Feb 23 16:41:06 2013  rrw-r--r--  symvers-2.6.32-279.el6.x86_64.gz
   8    9 r    1282  D 1361608866 Sat Feb 23 16:41:06 2013  rrw-r--r--  System.map-2.6.32-279.el6.x86_64
   9  end r    1283  D 1361608866 Sat Feb 23 16:41:06 2013  rrwxr-xr-x  vmlinuz-2.6.32-279.el6.x86_64
  10  end

:执行命令就开始搜索可以恢复的数据文件信息(包括已删除的和存在的),其中包含D标志的是已被删除的文件,如果不记得被删除的文件名,可以通过下面命令获得。 d    1284  D 1361608866 Sat Feb 23 16:41:06 2013  drwxr-xr-x  ext3grep

[root@jiankong opt]# ext3grep /data/afh   --dump-names
Running ext3grep version 0.10.2
WARNING: I don't know what EXT3_FEATURE_COMPAT_EXT_ATTR is.
Number of groups: 2
Minimum / maximum journal block: 218 / 1247
Loading journal descriptors... sorting... done
The oldest inode block that is still in the journal, appears to be from 1361608793 = Sat Feb 23 16:39:53 2013
Number of descriptors in journal: 198; min / max sequence numbers: 2 / 27
Loading disk1.ext3grep.stage2... done
System.map-2.6.32-279.el6.x86_64
config-2.6.32-279.el6.x86_64
ext3grep
ext3grep/hosts
hosts
initramfs-2.6.32-279.el6.x86_64.img
lost+found
profile
symvers-2.6.32-279.el6.x86_64.gz
vmlinuz-2.6.32-279.el6.x86_64

[root@jiankong opt]#  ext3grep /data/afh  --restore-file  ext3grep/hosts
Running ext3grep version 0.10.2
WARNING: I don't know what EXT3_FEATURE_COMPAT_EXT_ATTR is.
WARNING: EXT3_FEATURE_INCOMPAT_RECOVER is set. This either means that your partition is still mounted, and/or the file system is in an unclean state.
Number of groups: 2
Minimum / maximum journal block: 218 / 1247
Loading journal descriptors... sorting... done
The oldest inode block that is still in the journal, appears to be from 1361610467 = Sat Feb 23 17:07:47 2013
Number of descriptors in journal: 193; min / max sequence numbers: 2 / 27
Writing output to directory RESTORED_FILES/
Loading afh.ext3grep.stage2... done
Cannot find an inode number for file "ext3grep/hosts".
[root@jiankong opt]# ls
afh.ext3grep.stage1 RESTORED_FILES
afh.ext3grep.stage2
[root@jiankong opt]# cd RESTORED_FILES/
[root@jiankong RESTORED_FILES]# ls
[root@jiankong RESTORED_FILES]# cd ..
[root@jiankong opt]# ext3grep /data/afh  --restore-inode 12
Running ext3grep version 0.10.2
WARNING: I don't know what EXT3_FEATURE_COMPAT_EXT_ATTR is.
WARNING: EXT3_FEATURE_INCOMPAT_RECOVER is set. This either means that your partition is still mounted, and/or the file system is in an unclean state.
Number of groups: 2
Minimum / maximum journal block: 218 / 1247
Loading journal descriptors... sorting... done
The oldest inode block that is still in the journal, appears to be from 1361610467 = Sat Feb 23 17:07:47 2013
Number of descriptors in journal: 193; min / max sequence numbers: 2 / 27
Restoring inode.12
[root@jiankong opt]# ls
afh.ext3grep.stage1    RESTORED_FILES
afh.ext3grep.stage2 
[root@jiankong opt]# cd RESTORED_FILES/
[root@jiankong RESTORED_FILES]# ls
inode.12
[root@jiankong RESTORED_FILES]#  ext3grep /data/afh  --restore-all
Running ext3grep version 0.10.2
WARNING: I don't know what EXT3_FEATURE_COMPAT_EXT_ATTR is.
WARNING: EXT3_FEATURE_INCOMPAT_RECOVER is set. This either means that your partition is still mounted, and/or the file system is in an unclean state.
Number of groups: 2
Minimum / maximum journal block: 218 / 1247
Loading journal descriptors... sorting... done
The oldest inode block that is still in the journal, appears to be from 1361610467 = Sat Feb 23 17:07:47 2013
Number of descriptors in journal: 193; min / max sequence numbers: 2 / 27
Writing output to directory RESTORED_FILES/
Finding all blocks that might be directories.
D: block containing directory start, d: block containing more directory entries.
Each plus represents a directory start that references the same inode as a directory start that we found previously.

Searching group 0: DD++++++
Searching group 1:
Writing analysis so far to 'afh.ext3grep.stage1'. Delete that file if you want to do this stage again.
Result of stage one:
  2 inodes are referenced by one or more directory blocks, 1 of those inodes is still allocated.
  1 inodes are referenced by more than one directory block, 1 of those inodes is still allocated.
  0 blocks contain an extended directory.
Result of stage two:
  1 of those inodes could be resolved because it is still allocated.
All directory inodes are accounted for!


Writing analysis so far to 'afh.ext3grep.stage2'. Delete that file if you want to do this stage again.
Restoring System.map-2.6.32-279.el6.x86_64
Restoring config-2.6.32-279.el6.x86_64
Restoring initramfs-2.6.32-279.el6.x86_64.img
Restoring passwd
Restoring symvers-2.6.32-279.el6.x86_64.gz
Restoring vmlinuz-2.6.32-279.el6.x86_64
[root@jiankong RESTORED_FILES]# ls
afh.ext3grep.stage1  afh.ext3grep.stage2  inode.12  RESTORED_FILES

[root@jiankong RESTORED_FILES]# cd RESTORED_FILES/
[root@jiankong RESTORED_FILES]# ls
config-2.6.32-279.el6.x86_64         symvers-2.6.32-279.el6.x86_64.gz
initramfs-2.6.32-279.el6.x86_64.img  System.map-2.6.32-279.el6.x86_64
lost+found                           vmlinuz-2.6.32-279.el6.x86_64
passwd

恢复完毕  亲们这是相互学习,不对的地方大家指教。

 

 

 

阅读(2039) | 评论(0) | 转发(0) |
给主人留下些什么吧!~~