[root@ora10g opt]# tar -zxvf ext3grep-0.10.2.tar.gz
[root@ora10g opt]# ll
total 500
drwxr-xr-x 3 1000   1000       4096 Aug 26 09:09 ext3grep-0.10.2
-rw-r--r-- 1 root   root     236364 Aug 26 09:08 ext3grep-0.10.2.tar.gz
drwxr-xr-x 3 root   root       4096 Aug 22 16:44 ORCLfmap
drwxrwxr-x 8 oracle oinstall   4096 Aug 25 11:39 rlwrap-0.37
-rw-r--r-- 1 root   root     251438 Aug 25 11:37 rlwrap-0.37.tar.gz
[root@ora10g opt]# cd ext3grep-0.10.2
[root@ora10g ext3grep-0.10.2]# ./configure && make && make install
(build output omitted)

-- Check how the tool is used
[root@ora10g ext3grep-0.10.2]# ext3grep --help
Running ext3grep version 0.10.2
Usage: ext3grep [options] [--] device-file
Options:
  --version, -[vV]       Print version and exit successfully.
  --help,                Print this help and exit successfully.
  --superblock           Print contents of superblock in addition to the rest.
                         If no action is specified then this option is implied.
  --print                Print content of block or inode, if any.
  --ls                   Print directories with only one line per entry.
                         This option is often needed to turn on filtering.
  --accept filen         Accept "filen" as a legal filename. Can be used multi-
                         ple times. If you change any --accept you must remove
                         BOTH stage* files!
  --accept-all           Simply accept everything as filename.
  --journal              Show content of journal.
  --show-path-inodes     Show the inode of each directory component in paths.
Filters:
  --group grp            Only process group "grp".
  --directory            Only process directory inodes.
  --after dtime          Only entries deleted on or after "dtime".
  --before dtime         Only entries deleted before "dtime".
  --deleted              Only show/process deleted entries.
  --allocated            Only show/process allocated inodes/blocks.
  --unallocated          Only show/process unallocated inodes/blocks.
  --reallocated          Do not suppress entries with reallocated inodes.
                         Inodes are considered "reallocated" if the entry
                         is deleted but the inode is allocated, but also when
                         the file type in the dir entry and the inode are
                         different.
  --zeroed-inodes        Do not suppress entries with zeroed inodes.
                         Linked entries are always shown, regardless of this option.
  --depth depth          Process directories recursively up till a depth of "depth".
Actions:
  --inode-to-block ino   Print the block that contains inode "ino".
  --inode ino            Show info on inode "ino".
                         If --ls is used and the inode is a directory, then
                         the filters apply to the entries of the directory.
                         If you do not use --ls then --print is implied.
  --block blk            Show info on block "blk".
                         If --ls is used and the block is the first block
                         of a directory, then the filters apply to entries
                         of the directory.
                         If you do not use --ls then --print is implied.
  --histogram=[atime|ctime|mtime|dtime|group]
                         Generate a histogram based on the given specs.
                         Using atime, ctime or mtime will change the
                         meaning of --after and --before to those times.
  --journal-block jblk   Show info on journal block "jblk".
  --journal-transaction seq
                         Show info on transaction with sequence number "seq".
  --dump-names           Write the path of files to stdout.
                         This implies --ls but suppresses its output.
  --search-start str     Find blocks that start with the fixed string "str".
  --search str           Find blocks that contain the fixed string "str".
  --search-inode blk     Find inodes that refer to block "blk".
  --search-zeroed-inodes Return allocated inode table entries that are zeroed.
  --inode-dirblock-table dir
                         Print a table for directory path "dir" of directory block
                         numbers found and the inodes used for each file.
  --show-journal-inodes ino
                         Show copies of inode "ino" still in the journal.
  --restore-inode ino[@seqnr][,ino[@seqnr],...]
                         Restore the file(s) with known inode number "ino".
                         The restored files are created in ./RESTORED_FILES/
                         with their inode number as extension (ie, inode.12345).
                         If "@seqnr" is provided then (only) the journal entry
                         with that sequence number is used, otherwise the latest
                         entry is used (if any). You can use that in the case
                         a file was overwritten or truncated, rather than deleted.
  --restore-file "path" [--restore-file "path" ...]
                         Will restore file "path". "path" is relative to the
                         root of the partition and does not start with a "/"
                         (it must be one of the paths returned by --dump-names).
                         The restored directory, file or symbolic link is
                         created in the current directory as "RESTORED_FILES/path".
  --restore-all          As --restore-file but attempts to restore everything.
                         The use of --after is highly recommended because the
                         attempt to restore very old files will only result in
                         them being hard linked to a more recently deleted file
                         and as such pollute the output.
  --show-hardlinks       Show all inodes that are shared by two or more files.

As you can see, the tool offers a lot of functionality. For this exercise we only need three options: --ls, --inode and --restore-all.
-- Start the test: simulate a partition with an ordinary file, /zlm/test1
[root@ora10g ~]# mkdir /zlm
[root@ora10g ~]# cd /zlm
[root@ora10g zlm]# dd if=/dev/zero of=test1 bs=8096 count=12800
12800+0 records in
12800+0 records out
103628800 bytes (104 MB) copied, 0.586624 seconds, 177 MB/s
[root@ora10g zlm]# mkfs.ext3 test1
mke2fs 1.39 (29-May-2006)
test1 is not a block special device.
Proceed anyway? (y,n) y
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
25376 inodes, 101200 blocks
5060 blocks (5.00%) reserved for the super user
First data block=1
Maximum filesystem blocks=67371008
13 block groups
8192 blocks per group, 8192 fragments per group
1952 inodes per group
Superblock backups stored on blocks:
        8193, 24577, 40961, 57345, 73729

Writing inode tables: done
Creating journal (4096 blocks): done
Writing superblocks and shared filesystem accounting information: done

This filesystem will be automatically checked every 27 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.

-- Create the mount point and mount the image on /oradata/ora10g; df -Th then shows the new filesystem:
/zlm/test1                       ext3   96M  5.6M   86M   7% /oradata/ora10g

-- Create test files in the mounted directory /oradata/ora10g and put some content in them
[root@ora10g ora10g]# touch redo01.log redo02.log redo03.log
[root@ora10g ora10g]# ll
total 12
drwx------ 2 root root 12288 Aug 27 13:59 lost+found
-rw-r--r-- 1 root root     0 Aug 27 14:11 redo01.log
-rw-r--r-- 1 root root     0 Aug 27 14:11 redo02.log
-rw-r--r-- 1 root root     0 Aug 27 14:11 redo03.log
[root@ora10g ora10g]# cat >> redo01.log << EOF
> AB
> EOF
[root@ora10g ora10g]# cat >> redo02.log << EOF
> CD
> EOF
[root@ora10g ora10g]# cat >> redo03.log << EOF
> EF
> EOF
[root@ora10g ora10g]# ll
total 15
drwx------ 2 root root 12288 Aug 27 13:59 lost+found
-rw-r--r-- 1 root root     3 Aug 27 14:12 redo01.log
-rw-r--r-- 1 root root     3 Aug 27 14:12 redo02.log
-rw-r--r-- 1 root root     3 Aug 27 14:12 redo03.log

-- Simulate an accidental deletion: remove every file under /oradata/ora10g
[root@ora10g ora10g]# rm -rf *.*
[root@ora10g ora10g]# ll
total 12
drwx------ 2 root root 12288 Aug 27 13:59 lost+found
[root@ora10g ora10g]# umount /zlm/test1
umount: /oradata/ora10g: device is busy
umount: /oradata/ora10g: device is busy

Because the shell's current directory is still /oradata/ora10g, umount reports "device is busy"; leave the directory and run it again. Unmounting before the scan is not just a formality: ext3grep reads the raw filesystem image, and any further write to a mounted filesystem (including journal activity) can reuse the blocks and journal records the deleted files depend on.
[root@ora10g ora10g]# cd ~
[root@ora10g ~]# umount /zlm/test1
[root@ora10g ~]# df -Th
Filesystem                       Type   Size  Used Avail Use% Mounted on
/dev/mapper/VolGroup00-LogVol00  ext3   7.7G  5.6G  1.7G  77% /
/dev/sda1                        ext3    99M   12M   82M  13% /boot
tmpfs                            tmpfs  506M     0  506M   0% /dev/shm

-- Scan the /zlm/test1 partition for deleted files (inode 2 is the root directory of an ext2/ext3 filesystem; --ls lists its entries, including deleted ones)
[root@ora10g ~]# ext3grep /zlm/test1 --ls --inode 2
Running ext3grep version 0.10.2
Number of groups: 13
Loading group metadata... done
Minimum / maximum journal block: 519 / 4633
Loading journal descriptors... sorting... done
The oldest inode block that is still in the journal, appears to be from 1409119917 = Wed Aug 27 14:11:57 2014
Number of descriptors in journal: 32; min / max sequence numbers: 2 / 10
Inode is Allocated
Finding all blocks that might be directories.
D: block containing directory start, d: block containing more directory entries.
Each plus represents a directory start that references the same inode as a directory start that we found previously.
Searching group 0: DD++
Searching group 1:
Searching group 2:
Searching group 3:
Searching group 4:
Searching group 5:
Searching group 6:
Searching group 7:
Searching group 8:
Searching group 9:
Searching group 10:
Searching group 11:
Searching group 12:
Writing analysis so far to "test1.ext3grep.stage1". Delete that file if you want to do this stage again.
Result of stage one:
  2 inodes are referenced by one or more directory blocks, 2 of those inodes are still allocated.
  1 inodes are referenced by more than one directory block, 1 of those inodes is still allocated.
  0 blocks contain an extended directory.
Result of stage two:
  2 of those inodes could be resolved because they are still allocated.
All directory inodes are accounted for!
Writing analysis so far to "test1.ext3grep.stage2". Delete that file if you want to do this stage again.
The first block of the directory is 505.
Inode 2 is directory "".
Directory block 505:
          .-- File type in dir_entry (r=regular file, d=directory, l=symlink)
          |          .-- D: Deleted ; R: Reallocated
Indx Next |  Inode   | Deletion time                         Mode        File name
==========+==========+----------------data-from-inode------+-----------+=========
  0    1  d        2                                         drwxr-xr-x  .
  1    2  d        2                                         drwxr-xr-x  ..
  2  end  d       11                                         drwx------  lost+found
  3    4  r       12  D 1409120047 Wed Aug 27 14:14:07 2014  rrw-r--r--  redo01.log
  4    5  r       13  D 1409120047 Wed Aug 27 14:14:07 2014  rrw-r--r--  redo02.log
  5  end  r       14  D 1409120047 Wed Aug 27 14:14:07 2014  rrw-r--r--  redo03.log
[root@ora10g ~]# ll
total 80
-rw------- 1 root root  1618 Aug 22 11:19 anaconda-ks.cfg
drwxr-xr-x 2 root root  4096 Aug 22 12:58 Desktop
-rw-r--r-- 1 root root 39989 Aug 22 11:19 install.log
-rw-r--r-- 1 root root  4270 Aug 22 11:19 install.log.syslog
drwxr-xr-x 3 root root  4096 Aug 27 14:17 RESTORED_FILES
-rw-r--r-- 1 root root   186 Aug 27 14:16 test1.ext3grep.stage1
-rw-r--r-- 1 root root   133 Aug 27 14:16 test1.ext3grep.stage2

The test1.ext3grep.stage1 and test1.ext3grep.stage2 files are written by the scan and cache the directory analysis so that later ext3grep runs on the same image can skip it; delete them if you want the scan redone (the help text above says both must be removed after changing any --accept). The three redo*.log entries are flagged D (deleted) with deletion time 1409120047 (Wed Aug 27 14:14:07 2014), which matches the rm; this is the timestamp the --after and --before filters compare against, which is how you keep --restore-all from dragging in files deleted long before the incident.

-- Now recover the deleted files the scan found
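On a real system the root directory listing is much longer than three lines, and you usually want to restore only the entries deleted in a specific window rather than everything. The following script is an added example (not part of the original post and not ext3grep code): it parses the "Directory block" table that ext3grep prints with --ls --inode, keeps the entries flagged D, applies the same window semantics the help text gives for --after (deleted on or after the timestamp) and --before (deleted strictly before it), drops R (reallocated) entries just as ext3grep does by default, and emits the inode list for --restore-inode. The sample listing is constructed from the table above with the column spacing collapsed; the inode numbers and deletion time are the ones on this page.

```python
"""Post-process an ext3grep --ls --inode <dir> listing.

Added example, not part of the original post or of ext3grep itself.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the directory-block table ext3grep printed above,
# with the column spacing collapsed (inodes and times as on the page).
SAMPLE_LISTING = """\
Indx Next | Inode | Deletion time Mode File name
==========+==========+----------------data-from-inode------+-----------+=========
0 1 d 2 drwxr-xr-x .
1 2 d 2 drwxr-xr-x ..
2 end d 11 drwx------ lost+found
3 4 r 12 D 1409120047 Wed Aug 27 14:14:07 2014 rrw-r--r-- redo01.log
4 5 r 13 D 1409120047 Wed Aug 27 14:14:07 2014 rrw-r--r-- redo02.log
5 end r 14 D 1409120047 Wed Aug 27 14:14:07 2014 rrw-r--r-- redo03.log
"""

# One table row: index, next index (or "end"), dir_entry type, inode,
# an optional "D|R <dtime> <ctime-style date>" group for deleted or
# reallocated entries, then the mode column and the file name.
ENTRY_RE = re.compile(
    r"^\s*(?P<indx>\d+)\s+(?P<next>\d+|end)\s+(?P<ftype>[rdl])\s+(?P<inode>\d+)"
    r"(?:\s+(?P<flag>[DR])\s+(?P<dtime>\d+)\s+\w{3}\s+\w{3}\s+\d+\s+[\d:]+\s+\d{4})?"
    r"\s+(?P<mode>\S+)\s+(?P<name>.+?)\s*$"
)


@dataclass
class DirEntry:
    index: int
    inode: int
    ftype: str            # r, d or l, taken from the directory entry
    name: str
    flag: Optional[str]   # None (live entry), "D" (deleted) or "R" (reallocated)
    dtime: Optional[int]  # deletion time as a Unix timestamp, if any
    mode: str


def parse_ls(text: str) -> List[DirEntry]:
    """Extract the table rows; headers, separators and progress lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        entries.append(DirEntry(
            index=int(m["indx"]), inode=int(m["inode"]), ftype=m["ftype"],
            name=m["name"], flag=m["flag"],
            dtime=int(m["dtime"]) if m["dtime"] else None, mode=m["mode"],
        ))
    return entries


def deleted_entries(entries: List[DirEntry], after: Optional[int] = None,
                    before: Optional[int] = None) -> List[DirEntry]:
    """Entries ext3grep would keep with --deleted [--after N] [--before N].

    Per the help text, --after keeps entries deleted on or after N and
    --before keeps entries deleted before N, so the window is [after, before).
    R entries are skipped, as ext3grep does unless --reallocated is given:
    their inode now belongs to another file, so restoring it would not
    bring back the deleted one.
    """
    out = []
    for e in entries:
        if e.flag != "D" or e.dtime is None:
            continue
        if after is not None and e.dtime < after:
            continue
        if before is not None and e.dtime >= before:
            continue
        out.append(e)
    return out


def restore_inode_arg(entries: List[DirEntry]) -> str:
    """Comma-separated inode list for --restore-inode, duplicates removed."""
    seen: List[int] = []
    for e in entries:
        if e.inode not in seen:
            seen.append(e.inode)
    return ",".join(str(i) for i in seen)


if __name__ == "__main__":
    entries = parse_ls(SAMPLE_LISTING)
    # Only files deleted at or after the incident time (assumed value here).
    hits = deleted_entries(entries, after=1409120000)
    for e in hits:
        print(f"inode {e.inode:>6}  deleted {e.dtime}  {e.name}")
    print("ext3grep /zlm/test1 --restore-inode " + restore_inode_arg(hits))
```

Run against a real listing, feed the printed command to ext3grep on the unmounted image; per the help text, --restore-inode writes the files to RESTORED_FILES/ named by inode number (inode.12, inode.13, ...), so map them back to names using the listing.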
[root@ora10g ~]# ext3grep /zlm/test1 --restore-all
Running ext3grep version 0.10.2
Number of groups: 13
Minimum / maximum journal block: 519 / 4633
Loading journal descriptors... sorting... done
The oldest inode block that is still in the journal, appears to be from 1409119917 = Wed Aug 27 14:11:57 2014
Number of descriptors in journal: 32; min / max sequence numbers: 2 / 10
Writing output to directory RESTORED_FILES/
Loading test1.ext3grep.stage2... done
Restoring redo01.log
Restoring redo02.log
Restoring redo03.log

Note: ext3grep creates a RESTORED_FILES subdirectory in whatever directory you run it from and writes every recovered file there, so run it from a scratch directory on a filesystem other than the one you are recovering. The recovered files are ordinary, non-hidden files (the ls -la below is only used to show the full listing, including . and ..); check their contents against what you expect (here the three 3-byte files containing AB, CD and EF) before treating the recovery as successful.
[root@ora10g ~]# ls -la RESTORED_FILES/
total 28
drwxr-xr-x  3 root root 4096 Aug 27 14:17 .
drwxr-x--- 17 root root 4096 Aug 27 14:17 ..
drwx------  2 root root 4096 Aug 27 13:59 lost+found
-rw-r--r--  1 root root    3 Aug 27 14:12 redo01.log
-rw-r--r--  1 root root    3 Aug 27 14:12 redo02.log