Recovering accidentally deleted files on ext3/ext4 file systems with ext3grep

Environment:

CentOS release 5.4 64bit

File system: EXT3/EXT4

 

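How it works

ext3grep's recovery does not depend on any particular file format. It first uses the file system's root inode (normally inode 2) to obtain information about every file on the file system, both existing and deleted, including each file's name and its inode. It then uses the inode to look up, in the journal, the location of the blocks that belong to that inode, including direct and indirect blocks. Finally, it uses dd to dump that data out into a file.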

ext3grep official site: http://code.google.com/p/ext3grep/

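If everything is installed on a single large / partition, you can type linux single at the boot prompt to enter single-user mode, which keeps system processes from writing to the disk as far as possible; alternatively, simply attach the disk to another machine. Also, do not write the recovered data to /, so that you do not destroy data that is still useful.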

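Steps when the deleted file is on the root partition:

Enter single-user mode

mount -o ro,remount /  ---- remount the partition read-only

Mount a USB stick or external hard disk on /mnt

Install ext3grep on the USB stick or external hard disk

Then carry out the file recovery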

 

Create a sample file:

Create a file named test on the /boot partition and put some content in it

#cat test

test del

#rm -rf test

 

 

wget http://ext3grep.googlecode.com/files/ext3grep-0.10.1.tar.gz

tar xvf ext3grep-0.10.1.tar.gz

cd ext3grep-0.10.1

./configure

make && make install

 

[root@test /]# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/xvda3             19G   14G  3.5G  81% /
/dev/xvda1             99M   19M   76M  20% /boot
tmpfs                 256M     0  256M   0% /dev/shm

 

umount /boot


[root@test /]# ext3grep /dev/xvda1 --ls --inode 2
Running ext3grep version 0.10.1
WARNING: I don't know what EXT3_FEATURE_COMPAT_EXT_ATTR is.
Number of groups: 13
Loading group metadata... done
Minimum / maximum journal block: 526 / 4640
Loading journal descriptors... sorting... done
The oldest inode block that is still in the journal, appears to be from 1324973184 = Tue Dec 27 16:06:24 2011
Number of descriptors in journal: 93; min / max sequence numbers: 78 / 118
Inode is Allocated
Finding all blocks that might be directories.
D: block containing directory start, d: block containing more directory entries.
Each plus represents a directory start that references the same inode as a directory start that we found previously.

Searching group 0: DD+++++++D
Searching group 1:
Searching group 2:
Searching group 3:
Searching group 4:
Searching group 5:
Searching group 6:
Searching group 7: +
Searching group 8:
Searching group 9:
Searching group 10:
Searching group 11:
Searching group 12:
Writing analysis so far to 'xvda1.ext3grep.stage1'. Delete that file if you want to do this stage again.
Result of stage one:
  3 inodes are referenced by one or more directory blocks, 3 of those inodes are still allocated.
  2 inodes are referenced by more than one directory block, 2 of those inodes are still allocated.
  0 blocks contain an extended directory.
Result of stage two:
  3 of those inodes could be resolved because they are still allocated.
All directory inodes are accounted for!


Writing analysis so far to 'xvda1.ext3grep.stage2'. Delete that file if you want to do this stage again.
The first block of the directory is 512.
Inode 2 is directory "".
Directory block 512:
          .-- Filetype in dir_entry (r=regular file, d=directory, l=symlink)
          |          .-- D:Deleted ; R: Reallocated
Indx Next |
  Inode   | Deletion time                        Mode        Filename
==========+==========+----------------data-from-inode------+-----------+=========
   0    1 d       2                                        drwxr-xr-x  .
   1    2 d       2                                        drwxr-xr-x  ..
   2    3 d      11                                        drwx------ lost+found
   3    4 d   14057                                        drwxr-xr-x  grub
   4    5 l    6026                                        lrwxrwxrwx System.map -> /boot/System.map-2.6.26
   5    6 r      12                                        rrw-r--r--  message
   6    8 r      20                                        rrw------- initrd-2.6.18-164.el5xen.img
   7    8 r    6028  D 1339784370 Sat Jun 16 02:19:30 2012  rrw-r--r--  test
   8    9 r      13                                        rrw-r--r--  .vmlinuz-2.6.18-164.el5xen.hmac
   9   10 r      14                                        rrw-r--r-- System.map-2.6.18-164.el5xen
  10   11 r      15                                        rrw-r--r-- config-2.6.18-164.el5xen
  11   12 r      16                                        rrw-r--r-- symvers-2.6.18-164.el5xen.gz
  12   13 r      17                                        rrw-r--r-- vmlinuz-2.6.18-164.el5xen
  13   14 r      18                                        rrwxr-xr-x xen-syms-2.6.18-164.el5
  14   15 r      19                                        rrw-r--r-- xen.gz-2.6.18-164.el5
  15   16 r      22                                        rrw-r--r-- vmlinuz-2.6.26
  16   17 r      23                                         rrw-r--r--  System.map-2.6.26
  17   18 l    6025                                        lrwxrwxrwx  vmlinuz -> /boot/vmlinuz-2.6.26
  18  end r    6027                                        rrw------- initrd-2.6.26.img
  19  end r    6028  D 1339784370 Sat Jun 16 02:19:30 2012  rrw-r--r--  test
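
Why the deleted entry for test is still visible in the listing above: on ext3, unlinking a file does not erase its directory entry; the preceding entry's rec_len is enlarged so that the live chain skips it (entry 6 has Next = 8), and the old bytes stay in the slack space. The following Python sketch is an added example, not code from ext3grep or from the original post; the directory block is constructed (inode 6028 and the file names are borrowed from the listing, the layout is an assumption), and all function names are hypothetical.

```python
import struct

HDR = "<IHBB"  # inode, rec_len, name_len, file_type (ext2/ext3 dir entry header)

def needed(name_len):
    """Bytes an entry really occupies: 8-byte header + name, 4-byte aligned."""
    return (8 + name_len + 3) & ~3

def make_entry(inode, name, rec_len, ftype=1):
    """Pack one directory entry (used only to build the constructed sample)."""
    return (struct.pack(HDR, inode, rec_len, len(name), ftype) + name).ljust(rec_len, b"\0")

def sample_block(size=1024):
    """Constructed block: 'test' was unlinked, so the rec_len of 'message'
    was enlarged to cover it, but the old entry bytes are still in place."""
    b = make_entry(2, b".", 12, 2) + make_entry(2, b"..", 12, 2)
    b += make_entry(12, b"message", 16 + 12)[:16]  # live entry, rec_len = 28
    b += make_entry(6028, b"test", 12)             # remnant inside its slack
    return b + make_entry(22, b"vmlinuz-2.6.26", size - len(b))

def parse(block, off):
    inode, rec_len, name_len, _ = struct.unpack_from(HDR, block, off)
    name = block[off + 8:off + 8 + name_len].decode(errors="replace")
    return inode, rec_len, name_len, name

def plausible(block, off, limit):
    """Does a sane-looking entry start at off and fit before limit?"""
    if off + 8 > limit:
        return False
    inode, rec_len, name_len, _ = parse(block, off)
    return (inode != 0 and name_len > 0 and rec_len % 4 == 0
            and rec_len >= needed(name_len) and off + needed(name_len) <= limit)

def list_entries(block):
    """(offset, inode, name, deleted): live via rec_len chain, deleted from slack."""
    out, off = [], 0
    while off + 8 <= len(block):
        inode, rec_len, name_len, name = parse(block, off)
        if rec_len < 8:          # corrupt chain, stop instead of looping
            break
        if inode:
            out.append((off, inode, name, False))
        slack, end = off + needed(name_len), off + rec_len
        while plausible(block, slack, end):
            d_inode, _, d_len, d_name = parse(block, slack)
            out.append((slack, d_inode, d_name, True))
            slack += needed(d_len)
        off += rec_len
    return out
```

Calling list_entries(sample_block()) returns the four live entries plus ('test', inode 6028) flagged as deleted at offset 40. Any later write to the directory can reuse that slack, which is why the partition is unmounted or remounted read-only before recovery.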

 

[root@test /]# ext3grep /dev/xvda1 --restore-file test
Running ext3grep version 0.10.1
WARNING: I don't know what EXT3_FEATURE_COMPAT_EXT_ATTR is.
Number of groups: 13
Minimum / maximum journal block: 526 / 4640
Loading journal descriptors... sorting... done
The oldest inode block that is still in the journal, appears to be from 1324973184 = Tue Dec 27 16:06:24 2011
Number of descriptors in journal: 93; min / max sequence numbers: 78 / 118
Loading xvda1.ext3grep.stage2... done
Restoring test
[root@test /]# mount /boot

[root@test /]# cd RESTORED_FILES/
[root@test RESTORED_FILES]# ls
test

[root@test RESTORED_FILES]# cat test
test del

 

 

List the files that can be recovered

ext3grep /dev/xvda1 --dump-names | tee filelist.txt

 


 

 
