Linux下ext3分区数据恢复工具ext3grep
Linux下无回收站,rm -rf是个很危险的命令,ext3分区下误操作删除重要文件可使用ext3grep恢复。
ext3grep安装:
1 | yum install ext3grep |
ext3grep使用参数:
1 2 3 | #选项: --superblock #显示superblock信息 --print # |
恢复删除文件应用示例,为快速新建磁盘分区:
1 2 3 4 | dd if=/dev/zero of=/root/ext3grep bs=1M count=64 mkfs.ext3 ext3grep mkdir test mount -o loop ext3grep test/ |
进入挂载目录新建测试文件并删除:
1 2 3 4 5 | cd test echo test > ext3grep md5sum ext3grep d8e8fca2dc0f896fd7cb4cb0031ba249 ext3grep rm -rf ext3grep |
用ext3grep列出设备/root/ext3grep根目录下所有文件,包含已删除的。
1 2 3 4 5 6 7 8 9 10 11 12 | ext3grep /root/ext3grep --ls --inode 2
Directory block 516:
.-- File type in dir_entry (r=regular file, d=directory, l=symlink)
| .-- D: Deleted ; R: Reallocated
Indx Next | Inode | Deletion time Mode File name
==========+==========+----------------data-from-inode------+-----------+=========
0 1 d 2 drwxr-xr-x .
1 2 d 2 drwxr-xr-x ..
2 3 d 11 drwx------ lost+found
3 4 r 12 rrw-r--r-- ext3grep
4 5 r 13 rrw-r--r-- ext3grep.ext3grep.stage1
5 end r 14 rrw-r--r-- ext3grep.ext3grep.stage2 |
恢复删除的文件ext3grep,inode为12.
1 2 3 4 5 6 7 8 9 | ext3grep /root/ext3grep --restore-inode 12 Running ext3grep version 0.10.2 Number of groups: 8 Minimum / maximum journal block: 530 / 4644 Loading journal descriptors... sorting... done The oldest inode block that is still in the journal, appears to be from 1342293703 = Sun Jul 15 03:21:43 2012 Number of descriptors in journal: 30; min / max sequence numbers: 2 / 8 Writing output to directory RESTORED_FILES/ Restoring inode.12 |
可见文件已恢复并以inode为名字存放在RESTORED_FILES目录下,查看恢复的文件与删除的文件是否一致。
1 2 3 4 5 | cd RESTORED_FILES/ cat inode.12 test md5sum inode.12 d8e8fca2dc0f896fd7cb4cb0031ba249 inode.12 |
其它应用:
查看inode对应的block:
1 | ext3grep /root/ext3grep --print --inode-to-block 8194 |
查看inode的superblock:
1 | ext3grep /root/ext3grep --print --superblock --inode 2 |
目录 返回
首页