在Linux上如何使用ext3grep恢復(fù)文件

　　Linux系統(tǒng)操作中，有時會不小心刪除重要文件，而能夠恢復(fù)刪除文件的軟件有很多，ext3grep就是其中的一種，ext3grep在使用中需要用到不少命令，下面小編就給大家介紹下Linux使用ext3grep的方法。

　　步驟：

　　目前的最新版本是：ext3grep-0.10.2.tar.gz

　　我系統(tǒng)的環(huán)境是：虛擬機

　�。踨oot@localhost bin］# uname -a

　　Linux localhost.localdomain 2.6.18-164.el5 #1 SMP Tue Aug 18 15:51:54 EDT 2009 i686 i686 i386 GNU/Linux

　�。踨oot@localhost bin］# cat /etc/issue

　　Red Hat Enterprise Linux Server release 5.4 （Tikanga）

　    安裝很簡單

　　tar zxvf ext3grep-0.10.2.tar.gz

　　cd ext3grep-0.10.2

　　。/configure --prefix=/usr/local/ext3grep

　　make

　　make install

　　順利安裝完成。

　　然后進(jìn)入么安裝目錄看一下，只有一個bin

　�。踨oot@localhost ext3grep］# pwd

　　/usr/local/ext3grep

　�。踨oot@localhost ext3grep］# ls

　　bin

　　進(jìn)到bin里面看一下

　�。踨oot@localhost ext3grep］# cd bin

　　［root@localhost bin］# ls

　　ext3grep

　　我們可以看一下幫助，下面是部分

　�。踨oot@localhost bin］# 。/ext3grep -h

　　Running ext3grep version 0.10.2

　　。/ext3grep： invalid option -- h

　　No action specified; implying --superblock.

　　Usage： 。/ext3grep ［options］ ［--］ device-file

　　Options：

　　--version， -［vV］ Print version and exit successfully.

　　--help， Print this help and exit successfully.

　　--superblock Print contents of superblock in addition to the rest.

　　If no action is specified then this option is implied.

　　--print Print content of block or inode， if any.

　　--ls Print directories with only one line per entry.

　　This option is often needed to turn on filtering.

　　--accept filen Accept ‘filen’ as a legal filename. Can be used multi-

　　ple times. If you change any --accept you must remove

　　BOTH stage* files！

　　--accept-all Simply accept everything as filename.

　　--journal Show content of journal.

　　--show-path-inodes Show the inode of each directory component in paths.

　　Filters：

　　--group grp Only process group ‘grp’。

　　--directory Only process directory inodes.

　　--after dtime Only entries deleted on or after ‘dtime’。

　　--before dtime Only entries deleted before ‘dtime’。

　　--deleted Only show/process deleted entries.

　　--allocated Only show/process allocated inodes/blocks.

　　--unallocated Only show/process unallocated inodes/blocks.

　　--reallocated Do not suppress entries with reallocated inodes.

　　Inodes are considered ‘reallocated’ if the entry

　　is deleted but the inode is allocated， but also when

　　the file type in the dir entry and the inode are

　　different.

　　--zeroed-inodes Do not suppress entries with zeroed inodes. Linked

　　entries are always shown， regardless of this option.

　　--depth depth Process directories recursively up till a depth

　　of ‘depth’。

　　Actions：

　　--inode-to-block ino Print the block that contains inode ‘ino’。

　　--inode ino Show info on inode ‘ino’。

　　If --ls is used and the inode is a directory， then

　　the filters apply to the entries of the directory.

　　If you do not use --ls then --print is implied.

　　--block blk Show info on block ‘blk’。

　　If --ls is used and the block is the first block

　　of a directory， then the filters apply to entries

　　of the directory.

　　If you do not use --ls then --print is implied.

　　--histogram=［atime|ctime|mtime|dtime|group］

　　Generate a histogram based on the given specs.

　　Using atime， ctime or mtime will change the

　　meaning of --after and --before to those times.

　　--journal-block jblk Show info on journal block ‘jblk’。

　　--journal-transaction seq

　　Show info on transaction with sequence number ‘seq’。

　　--dump-names Write the path of files to stdout.

　　This implies --ls but suppresses it‘s output.

　　--search-start str Find blocks that start with the fixed string ’str‘。

　　--search str Find blocks that contain the fixed string ’str‘。

　　--search-inode blk Find inodes that refer to block ’blk‘。

　　--search-zeroed-inodes Return allocated inode table entries that are zeroed.

　　--inode-dirblock-table dir

　　Print a table for directory path ’dir‘ of directory

　　block numbers found and the inodes used for each file.

　　開始工作之前，我們先來制作一個分區(qū)，然后來做試驗

　�。踨oot@localhost bin］# mkdir /tmp/test

　　［root@localhost bin］# dd if=/dev/zero of=file count=102400

　�。踨oot@localhost bin］#mkfs.ext3 file

　　######按Y繼續(xù)

　�。踨oot@localhost bin］#mount -o loop /tmp/test/file /mnt

　　看一下有沒有掛上

　�。踨oot@localhost bin］# df -HT

　　Filesystem Type Size Used Avail Use% Mounted on

　　/dev/mapper/VolGroup00-LogVol00

　　ext3 20G 4.3G 15G 23% /

　　/dev/sda1 ext3 104M 13M 86M 13% /boot

　　tmpfs tmpfs 185M 0 185M 0% /dev/shm

　　/tmp/test/file

　　ext3 51M 5.1M 44M 11% /mnt

　　然后寫入數(shù)據(jù)到里面

　�。踨oot@localhost bin］#cd /mnt

　�。踨oot@localhost bin］#ls

　　lost+found

　�。踨oot@localhost mnt］# mkdir del

　　［root@localhost mnt］# cd del

　�。踨oot@localhost del］# touch 1 2 3

　�。踨oot@localhost del］# ls

　　1 2 3 lost+found

　　［root@localhost del］# cd 。。

　�。踨oot@localhost mnt］#rf -rf del

　　［root@localhost bin］#ls

　　lost+found

　　下面開始恢復(fù)了

　�。踨oot@localhost mnt］#cd /usr/local/ext3grep/bin

　　掃描一下分區(qū)

　�。踨oot@localhost bin］# 。/ext3grep /tmp/test/file --ls --inode 2

　　Running ext3grep version 0.10.2

　　Number of groups： 7

　　Loading group metadata.。。 done

　　Minimum / maximum journal block： 447 / 4561

　　Loading journal descriptors.。。 sorting.。。 done

　　The oldest inode block that is still in the journal， appears to be from 1315980293 = Wed Sep 14 14:04:53 2011

　　Number of descriptors in journal： 36; min / max sequence numbers： 2 / 6

　　Inode is Allocated

　　Finding all blocks that might be directories.

　　D： block containing directory start， d： block containing more directory entries.

　　Each plus represents a directory start that references the same inode as a directory start that we found previously.

　　Searching group 0： DD++D++

　　Searching group 1：

　　Searching group 2：

　　Searching group 3：

　　Searching group 4：

　　Searching group 5：

　　Searching group 6：

　　Writing analysis so far to ’file.ext3grep.stage1‘。 Delete that file if you want to do this stage again.

　　Result of stage one：

　　3 inodes are referenced by one or more directory blocks， 2 of those inodes are still allocated.

　　1 inodes are referenced by more than one directory block， 1 of those inodes is still allocated.

　　0 blocks contain an extended directory.

　　Result of stage two：

　　2 of those inodes could be resolved because they are still allocated.

　　All directory inodes are accounted for！

　　Writing analysis so far to ’file.ext3grep.stage2‘。 Delete that file if you want to do this stage again.

　　The first block of the directory is 433.

　　Inode 2 is directory “”。

　　Directory block 433：

　　。-- File type in dir_entry （r=regular file， d=directory， l=symlink）

　　| 。-- D： Deleted ; R： Reallocated

　　Indx Next | Inode | Deletion time Mode File name

　　==========+==========+----------------data-from-inode------+-----------+=========

　　0 1 d 2 drwxr-xr-x 。

　　1 2 d 2 drwxr-xr-x 。。

　　2 end d 11 drwx------ lost+found

　　3 4 r 12 D 1315980355 Wed Sep 14 14:05:55 2011 rrw-r--r-- 1

　　4 5 r 13 D 1315980355 Wed Sep 14 14:05:55 2011 rrw-r--r-- 2

　　5 6 r 14 D 1315980355 Wed Sep 14 14:05:55 2011 rrw-r--r-- 3

　　6 end d 1833 D 1315980355 Wed Sep 14 14:05:55 2011 drwxr-xr-x del

　�。踨oot@localhost bin］# 。/ext3grep /tmp/test/file --restore-file del --depth del

　　Running ext3grep version 0.10.2

　　Number of groups： 7

　　Minimum / maximum journal block： 447 / 4561

　　Loading journal descriptors.。。 sorting.。。 done

　　The oldest inode block that is still in the journal， appears to be from 1315980293 = Wed Sep 14 14:04:53 2011

　　Number of descriptors in journal： 36; min / max sequence numbers： 2 / 6

　　Writing output to directory RESTORED_FILES/

　　Loading file.ext3grep.stage2.。。 done

　　下面開始恢復(fù)文件

　�。踨oot@localhost bin］# 。/ext3grep /tmp/test/file --restore-all

　　Running ext3grep version 0.10.2

　　Number of groups： 7

　　Minimum / maximum journal block： 447 / 4561

　　Loading journal descriptors.。。 sorting.。。 done

　　The oldest inode block that is still in the journal， appears to be from 1315980313 = Wed Sep 14 14:05:13 2011

　　Number of descriptors in journal： 36; min / max sequence numbers： 3 / 9

　　Loading file.ext3grep.stage2.。。 done

　　Restoring 1

　　Restoring 2

　　Restoring 3

　　Restoring del/1

　　Restoring del/2

　　Restoring del/3

　　這個命令是恢復(fù)所有的，當(dāng)然也可以恢復(fù)指定文件的。

　　可以看到在當(dāng)前目錄下，多了一個目錄

　�。踨oot@localhost bin］# ls

　　RESTORED_FILES ext3grep

　　我們進(jìn)去看一下

　�。踨oot@localhost bin］# cd RESTORED_FILES/

　�。踨oot@localhost RESTORED_FILES］# ls

　　1 2 3 del lost+found

　　上面就是Linux使用ext3grep恢復(fù)文件的方法介紹了，通過本文的介紹可以看出，ext3grep不僅能夠恢復(fù)所有被刪除的文件，還能恢復(fù)指定的文件。