本文介绍了一款名为Ext3grep的Linux文件恢复工具,详细记录了其安装过程及使用方法,并通过多个实例验证了该工具在不同场景下的文件恢复能力。结果显示,对于小文件的恢复效果较好,但大文件(超过200M)的恢复成功率较低。
Linux ext2/ext3 文件删除恢复工具ext3grep安装使用
erico/2009-7-3~2009-7-6
一. 安装前系统环境检查(我的实验环境:AS5.2 2.6.18-92.el5内核)
1.)查看所需要的依赖包
rpm -qa |grep e2fsprogs
| e2fsprogs-devel-1.39-15.el5 e2fsprogs-libs-1.39-15.el5 e2fsprogs-1.39-15.el5 e2fsprogs-libs-1.39-15.el5 |
保证以上的包已经正确安装。
2.)下载安装运行ext3grep
| mkdir –p /home/erico/test/ cd /home/erico/test/ wget http://ext3grep.googlecode.com/files/ext3grep-0.10.1.tar.gz mkdir –p /soft/data_recover/ tar xzvf ext3grep-0.10.1.tar.gz cd ext3grep-0.10.1 ./configure --prefix=/soft/data_recover/ make && make install |
运行ext3grep命令必须要加路径
/soft/data_recover/bin/ext3grep 【参数】
3.)利用ext3grep测试恢复数据
1)我的硬盘分区情况
| [root@erico-test erico]# fdisk -l
Disk /dev/sda: 80.0 GB, 80026361856 bytes 255 heads, 63 sectors/track, 9729 cylinders Units = cylinders of 16065 * 512 = 8225280 bytes
Device Boot Start End Blocks Id System /dev/sda1 * 1 127 1020096 83 Linux /dev/sda2 2434 9729 58605120 f W95 Ext'd (LBA) /dev/sda3 128 2039 15358140 83 Linux /dev/sda4 2040 2166 1020127+ 82 Linux swap / Solaris /dev/sda5 2434 9729 58605088+ 83 Linux
Partition table entries are not in disk order |
2.)把/dev/sda5 挂载到/data/下,用来做测试。
| [root@erico-test erico]# mount /dev/sda5 /data/ |
3.)创建测试文件和文件目录,准备做测试
| [root@erico-test data]# cp /home/erico/all_system_app_check_bak_test.log /data/ |
4.)删除/data/目录下的文件
| [root@erico-test erico]# rm -rf /data/all_system_app_check_bak_test.log |
5.)取消挂载需要恢复数据的区/dev/sda5
| [root@erico-test /]# umount /dev/sda5 |
6.)恢复数据
测试一:文本文件(小文件)
1】扫描/dev/sda5被删除的数据情况
| [root@erico-test erico]# /soft/data_recover/bin/ext3grep /dev/sda5 --ls --inode 2 Loading group metadata... done Minimum / maximum journal block: 1542 / 35880 Loading journal descriptors... sorting... done The oldest inode block that is still in the journal, appears to be from 1246478245 = Wed Jul 1 15:57:25 2009 Number of descriptors in journal: 19; min / max sequence numbers: 2 / 5 Inode is Allocated Loading sda5.ext3grep.stage2... done The first block of the directory is 1536. Inode 2 is directory "". Directory block 1536: .-- File type in dir_entry (r=regular file, d=directory, l=symlink) | .-- D: Deleted ; R: Reallocated Indx Next | Inode | Deletion time Mode File name ==========+==========+----------------data-from-inode------+-----------+========= 0 1 d 2 drwxr-xr-x . 1 2 d 2 drwxr-xr-x .. 2 end d 11 drwx------ lost+found 3 end r 48865 D 1246478282 Wed Jul 1 15:58:02 2009 rrw-r--r-- all_system_app_check_bak_test.log |
根据上面的情况,可以知道我们删除了的文件。
2】恢复数据
| [root@erico-testerico]#/soft/data_recover/bin/ext3grep /dev/sda5 --restore-file all_system_app_check_bak_test.log [root@erico-test erico]# ls -al RESTORED_FILES/ total 12 drwxr-xr-x 2 root root 4096 Jul 1 15:59 . drwxr-xr-x 7 root root 4096 Jul 1 15:56 .. -rw-r--r-- 1 root root 1368 Jul 1 15:57 all_system_app_check_bak_test.log |
在RESTORED_FILES/下我们看到了恢复出来的文件all_system_app_check_bak_test.log
测试二:大文件(220M)
1】重新格式化测试盘,让盘变成空盘
| [root@erico-test erico]# umount /dev/sda5 [root@erico-test erico]# mkfs.ext3 /dev/sda5 mke2fs 1.39 (29-May-2006) Filesystem label= OS type: Linux Block size=4096 (log=2) Fragment size=4096 (log=2) 2443200 inodes, 4885760 blocks 244288 blocks (5.00%) reserved for the super user First data block=0 Maximum filesystem blocks=4294967296 150 block groups 32768 blocks per group, 32768 fragments per group 16288 inodes per group Superblock backups stored on blocks: 32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208, 4096000
Writing inode tables: done Creating journal (32768 blocks): done Writing superblocks and filesystem accounting information: done
This filesystem will be automatically checked every 30 mounts or 180 days, whichever comes first. Use tune2fs -c or -i to override. |
确认格式后盘是空的!
| [root@erico-test erico]# /soft/data_recover/bin/ext3grep /dev/sda5 --ls --inode 2 Running ext3grep version 0.10.1 Number of groups: 150 Loading group metadata... done Minimum / maximum journal block: 1542 / 35880 Loading journal descriptors... sorting... done The oldest inode block that is still in the journal, appears to be from 0 = Wed Dec 31 19:00:00 1969 Number of descriptors in journal: 0; min / max sequence numbers: 4294967295 / 0 Inode is Allocated Loading sda5.ext3grep.stage2... done The first block of the directory is 1536. Inode 2 is directory "". Directory block 1536: .-- File type in dir_entry (r=regular file, d=directory, l=symlink) | .-- D: Deleted ; R: Reallocated Indx Next | Inode | Deletion time Mode File name ==========+==========+----------------data-from-inode------+-----------+========= 0 1 d 2 drwxr-xr-x . 1 2 d 2 drwxr-xr-x .. 2 end d 11 drwx------ lost+found [root@erico-test erico]# |
2】创建测试文件和文件目录,准备做测试
| [root@erico-test erico]# mount /dev/sda5 /data/ [root@erico-test erico]# cp /home/erico/Level1.7z /data/ |
该文件大小是220M的压缩文件(里面包括几十万以上的png图片文件)
3.)删除/data/目录下的文件
| [root@erico-test erico]# rm -rf /data/Level1.7z |
4.)扫描/dev/sda5被删除的数据情况
| [root@erico-test erico]# /soft/data_recover/bin/ext3grep /dev/sda5 --ls --inode 2 Running ext3grep version 0.10.1 WARNING: EXT3_FEATURE_INCOMPAT_RECOVER is set. This either means that your partition is still mounted, and/or the file system is in an unclean state. Number of groups: 150 Loading group metadata... done Minimum / maximum journal block: 1542 / 35880 Loading journal descriptors... sorting... done The oldest inode block that is still in the journal, appears to be from 1246479046 = Wed Jul 1 16:10:46 2009 Number of descriptors in journal: 82; min / max sequence numbers: 2 / 8 Inode is Allocated Loading sda5.ext3grep.stage2... done The first block of the directory is 1536. Inode 2 is directory "". Directory block 1536: .-- File type in dir_entry (r=regular file, d=directory, l=symlink) | .-- D: Deleted ; R: Reallocated Indx Next | Inode | Deletion time Mode File name ==========+==========+----------------data-from-inode------+-----------+========= 0 1 d 2 drwxr-xr-x . 1 2 d 2 drwxr-xr-x .. 2 end d 11 drwx------ lost+found 3 end r 48865 D 1246479377 Wed Jul 1 16:16:17 2009 rrw-r--r-- Level1.7z [root@erico-test erico]# |
同样找到了删除的文件Level1.7z
5.)恢复Level1.7z文件
| [root@erico-test erico]# /soft/data_recover/bin/ext3grep /dev/sda5 --restore-file Level1.7z Running ext3grep version 0.10.1 WARNING: EXT3_FEATURE_INCOMPAT_RECOVER is set. This either means that your partition is still mounted, and/or the file system is in an unclean state. Number of groups: 150 Minimum / maximum journal block: 1542 / 35880 Loading journal descriptors... sorting... done The oldest inode block that is still in the journal, appears to be from 1246479046 = Wed Jul 1 16:10:46 2009 Number of descriptors in journal: 82; min / max sequence numbers: 2 / 8 Loading sda5.ext3grep.stage2... done Restoring Level1.7z [root@erico-test erico]# du -hs RESTORED_FILES/ 60K RESTORED_FILES/ [root@erico-test erico]# |
恢复让人失望,文件是恢复了,但是内容只有几十K,打开文件打不开。说明恢复失败!
| [root@erico-test erico]# /soft/data_recover/bin/ext3grep /dev/sda5 --restore-file Level12.7z Running ext3grep version 0.10.1 WARNING: EXT3_FEATURE_INCOMPAT_RECOVER is set. This either means that your partition is still mounted, and/or the file system is in an unclean state. Number of groups: 150 Minimum / maximum journal block: 1542 / 35880 Loading journal descriptors... sorting... done The oldest inode block that is still in the journal, appears to be from 1246479046 = Wed Jul 1 16:10:46 2009 Number of descriptors in journal: 103; min / max sequence numbers: 2 / 12 Writing output to directory RESTORED_FILES/ Loading sda5.ext3grep.stage2... done Restoring Level12.7z WARNING: Failed to restore Level12.7z: encountered a reused or corrupted (double/triple) indirect block! Running iterate_over_all_blocks_of again with diagnostic messages ON: Processing direct blocks... 124928 124929 124930 124931 124932 124933 124934 124935 124936 124937 124938 124939 Processing indirect block 124940: entry 0 contains block number 2979148019, which is too large. [root@erico-test erico]# ls RESTORED_FILES/Level12.7z RESTORED_FILES/Level12.7z [root@erico-test erico]# du -hs RESTORED_FILES/Level12.7z 48K RESTORED_FILES/Level12.7z [root@erico-test erico]# |
注意到了,由于我是在windows下拷贝Level12.7z文件到/data/目录下的,该BLOCK NUMBER
太大,导致恢复不了。
【尝试恢复1.8GB的数据】
| Result of stage one: 5 inodes are referenced by one or more directory blocks, 1 of those inodes is still allocated. 1 inodes are referenced by more than one directory block, 1 of those inodes is still allocated. 0 blocks contain an extended directory. Result of stage two: 1 of those inodes could be resolved because it is still allocated. All directory inodes are accounted for!
Writing analysis so far to 'sda5.ext3grep.stage2'. Delete that file if you want to do this stage again. The first block of the directory is 1536. Inode 2 is directory "". Directory block 1536: .-- File type in dir_entry (r=regular file, d=directory, l=symlink) | .-- D: Deleted ; R: Reallocated Indx Next | Inode | Deletion time Mode File name ==========+==========+----------------data-from-inode------+-----------+========= 0 1 d 2 drwxr-xr-x . 1 end d 2 drwxr-xr-x .. 2 end d 11 D 1246482239 Wed Jul 1 17:03:59 2009 drwx------ lost+found 3 4 r 48865 D 1246482237 Wed Jul 1 17:03:57 2009 rrw-r--r-- ITS_APP_CHECK 4 5 r 48866 D 1246482237 Wed Jul 1 17:03:57 2009 rrw-r--r-- ITS_APP_CHECK.bak 5 6 r 48867 D 1246482237 Wed Jul 1 17:03:57 2009 rrwxr-xr-x ITS_APP_CHECK_25_port7001 6 7 r 48868 D 1246482237 Wed Jul 1 17:03:57 2009 rrw-r--r-- ITS_APP_CHECK_25_port7001.bak 7 8 r 48869 D 1246482237 Wed Jul 1 17:03:57 2009 rrwxr-xr-x ITS_APP_CHECK_25_port80 8 9 r 48870 D 1246482237 Wed Jul 1 17:03:57 2009 rrw-r--r-- ITS_APP_CHECK_25_port80.bak 9 10 r 48871 D 1246482237 Wed Jul 1 17:03:57 2009 rrwxr-xr-x ITS_APP_CHECK_25_port8008_16_port80 10 11 r 48872 D 1246482237 Wed Jul 1 17:03:57 2009 rrw-r--r-- ITS_APP_CHECK_25_port8008_16_port80.bak 11 12 r 48873 D 1246482237 Wed Jul 1 17:03:57 2009 rrwxr-xr-x ITS_APP_CHECK_25_port8080 12 13 r 48874 D 1246482237 Wed Jul 1 17:03:57 2009 rrw-r--r-- ITS_APP_CHECK_25_port8080.bak 13 14 r 48875 D 1246482237 Wed Jul 1 17:03:57 2009 rrwxr-xr-x check_file_from_15 14 15 r 48876 D 1246482237 Wed Jul 1 17:03:57 2009 rrw-r--r-- check_file_from_15.bak 15 16 r 48877 D 1246482237 Wed Jul 1 17:03:57 2009 rrwxr-xr-x check_file_from_16 16 17 r 48878 D 1246482237 Wed Jul 1 17:03:57 2009 rrw-r--r-- check_file_from_16.bak 17 18 r 48879 D 1246482237 Wed Jul 1 17:03:57 2009 rrwxr-xr-x check_pro_and_send_message_15 18 19 r 48880 D 1246482237 Wed Jul 1 17:03:57 2009 rrw-r--r-- check_pro_and_send_message_15.bak 19 20 r 48881 D 1246482237 Wed Jul 1 17:03:57 2009 rrwxr-xr-x check_pro_and_send_message_16 20 21 r 48882 D 1246482237 Wed Jul 1 17:03:57 2009 rrw-r--r-- check_pro_and_send_message_16.bak 21 end r 48883 D 1246482239 Wed Jul 1 17:03:59 2009 rrw-r--r-- linux_11gR1_database_1013.zip |
再次确认了,ext3grep只能恢复小文件,大于200M单文件的都无法恢复!
测试三:多文件和多目录恢复(文件目录多于100个,文件多于50万个,全部为png图片
1】重新格式化测试盘,让盘变成空盘
2】创建测试文件和文件目录,准备做测试
| [root@erico-test erico]# mount /dev/sda5 /data/ [root@erico-test erico]# ls –al /data/ total 124 drwxr-xr-x 6 root root 4096 Jul 2 10:01 . drwxr-xr-x 28 root root 4096 Jul 2 10:03 .. drwx------ 2225 root root 69632 Jul 2 11:45 Level1 drwxr-xr-x 656 root root 20480 Jul 2 05:45 Level6 drwxr-xr-x 3 root root 4096 Jul 2 05:24 Level9 drwx------ 2 root root 16384 Jul 1 17:46 lost+found [root@erico-test data]# ls /data/Level9/ |wc -l 4 [root@erico-test data]#ls /data/Level6/ |wc -l 654 [root@erico-test T00110011]# df -h Filesystem Size Used Avail Use% Mounted on /dev/sda3 15G 13G 663M 96% / /dev/sda1 965M 23M 893M 3% /boot tmpfs 234M 0 234M 0% /dev/shm /dev/sda5 56G 4.6G 48G 9% /data [root@erico-test T00110011]# |
其中:一级目录有4个,二级目录有Level1:4522*225=1017450 Level6:657个(总文件大约:657*225=147825)
Level9:4个(总文件大约:4*225=900) 估计恢复文件大小为:4.6G,总文件数:1166175
3.)删除/data/目录下的文件
| [root@erico-test erico]# rm -rf /data/* [root@erico-test /]# umount /data/ |
4.)扫描/dev/sda5被删除的数据情况
| Adding extended directory block(s) for directory "Level1".
WARNING: Rejecting a dir_entry (block 153811) because it contains legal but unlikely characters. Use --ls --block 153811 to examine this possible directory block. If it looks like a directory to you, and '\020' looks like a filename that might belong in that directory, then add --accept='\020' as commandline parameter AND remove both stage* files! Adding extended directory block(s) for directory "Level6".
Writing analysis so far to 'sda5.ext3grep.stage2'. Delete that file if you want to do this stage again. The first block of the directory is 1538. Inode 2 is directory "". Directory block 1538: .-- File type in dir_entry (r=regular file, d=directory, l=symlink) | .-- D: Deleted ; R: Reallocated Indx Next | Inode | Deletion time Mode File name ==========+==========+----------------data-from-inode------+-----------+========= 0 1 d 2 drwxr-xr-x . 1 2 d 2 drwxr-xr-x .. 2 end d 11 drwx------ lost+found 3 end d 5428865 D 1246561941 Thu Jul 2 15:12:21 2009 drwxr-xr-x Level9 4 end d 5903073 D 1246561941 Thu Jul 2 15:12:21 2009 drwxr-xr-x Level6 5 end d 5379809 D 1246561926 Thu Jul 2 15:12:06 2009 drwx------ Level1 |
同样找到了删除的文件夹
5.)恢复所有文件
| [root@erico-test erico]# /soft/data_recover/bin/ext3grep /dev/sda5 --restore-all |
查看恢复出来的文件和目录:
| [root@erico-test Level9]# find ../../../RESTORED_FILES/ -name *.png -print |wc -l 33057 [root@erico-test Level9]#find ../../../RESTORED_FILES/ -type d -print |wc -l 5163 |
恢复出来的PNG文件只有33057个(只恢复了很少很少一部分文件),目录是5163个(全部恢复)
总结:该软件只能应用于一般的小文件恢复,单个文件不能超过200M(具体大小没时间去测试),只能用于个人系统。
比较另人失望!
来自 “ ITPUB博客 ” ,链接:http://blog.itpub.net/8404772/viewspace-608453/,如需转载,请注明出处,否则将追究法律责任。
转载于:http://blog.itpub.net/8404772/viewspace-608453/
扫一扫
347
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
