在 linux 解救 rm 的檔案 (ext3grep)
有時後會不小心 rm 掉檔案. 那時候就會很懊悔沒有備份. 想要怎麼 undelete 那個檔案呢?後來找到一個 ext3grep 工具. 可以把檔案還原.
首先,先把檔案系統反掛載 umount 那個磁區 partition 這很重要!以免把檔案覆蓋過去。最好是紀錄下來檔案的路徑與檔名後比較容易還原
可以先認真的把這篇文章看完:HOWTO recover deleted files on an ext3 file system我很懶惰沒看就先亂測試. 下面是我還原的筆記:
在 redhat 系統可以到 DAG packages for Red Hat Linux el6 x86_64找 ext3grep 安裝. ubuntu 直接在 software center 就可以安裝. 先假設你們安裝好了
假設知道要還原哪個路徑下的檔案名稱,可以用下列指令:
# ext3grep /dev/sdbX –restore-file home/sandbox/sand1.txt
Running ext3grep version 0.10.1 WARNING: I don't know what EXT3_FEATURE_COMPAT_EXT_ATTR is. Number of groups: 13 Minimum / maximum journal block: 49402 / 53515 Loading journal descriptors... sorting... done The oldest inode block that is still in the journal, appears to be from 1394695427 = Thu Mar 13 15:23:47 2014 Number of descriptors in journal: 690; min / max sequence numbers: 7 / 47 Writing output to directory RESTORED_FILES/ Loading sdbX.ext3grep.stage2... done Restoring home/sandbox/sand1.txt
就會把你要還原的檔案還原到 RESTORED_FILES 目錄內
注意上面的指令 home 前面沒有 / 因為目前那個 partition 是掛載在 / 所以前面不用寫 /
如果不記得檔名 可以用下列指令列出 該 partition 的根目錄.
# ext3grep /dev/sdbX –inode 2
在列表過程會產生下列兩個檔案:sdbX.ext3grep.stage1, sdbX.ext3grep.stage2
再進去 sdb1.ext3grep.stage2 檔案尋找你要還原目錄的 inode
# Stage 2 data for /dev/sdb1. # Inodes path and directory blocks. # INODE PATH BLOCK [BLOCK ...] 2 '' 508 11 'lost+found' 509 3953 'home' 17921 3954 'home/sandbox' 18433
例如我要列表 home/sandbox 的檔案我就把在 sdb1.ext3grep.stage2 檔案找到的 inode 3954 傳遞到下列指令:
# ext3grep /dev/sdbX –ls –inode 3954
Running ext3grep version 0.10.1
WARNING: I don't know what EXT3_FEATURE_COMPAT_EXT_ATTR is.
Number of groups: 13
Minimum / maximum journal block: 49402 / 53515
Loading journal descriptors... sorting... done
The oldest inode block that is still in the journal, appears to be from 1394695427 = Thu Mar 13 15:23:47 2014
Number of descriptors in journal: 690; min / max sequence numbers: 7 / 47
Inode is Allocated
Loading sdbX.ext3grep.stage2... done
The first block of the directory is 18433.
Inode 3954 is directory "home/sandbox".
Directory block 18433:
.-- File type in dir_entry (r=regular file, d=directory, l=symlink)
| .-- D: Deleted ; R: Reallocated
Indx Next | Inode | Deletion time Mode File name
==========+==========+----------------data-from-inode------+-----------+=========
0 1 d 3954 drwxr-xr-x .
1 2 d 3953 drwxr-xr-x ..
2 3 d 3955 drwxr-xr-x Desktop
3 4 d 3956 drwxr-xr-x Documents
4 5 d 3957 drwxr-xr-x Downloads
5 end d 5929 drwxrwxr-x sandbox
6 7 r 4520 D 1394766080 Fri Mar 14 11:01:20 2014 rrw------- .sand4.txt.swp
7 8 r 4521 D 1394766092 Fri Mar 14 11:01:32 2014 rrw-rw-r-- sand1.txt
8 9 r 4522 D 1394766094 Fri Mar 14 11:01:34 2014 rrw-rw-r-- sand2.txt
9 10 r 4523 D 1394766096 Fri Mar 14 11:01:36 2014 rrw-rw-r-- sand3.txt
10 end r 4524 D 1394766098 Fri Mar 14 11:01:38 2014 rrw-rw-r-- sand4.txt
這樣我就得到該目錄的檔案列表,也就可以用前面的指令針對檔案進行還原
或是直接透過 inode 還原也可以, 如果我要還原 sand1.txt 就把 4521 傳遞到下列指令:
ext3grep /dev/sdb1 –restore-inode 4521
這樣就還原那個檔案 只是檔名會變成 inode.4521 再自行更改名稱即可
最後懶人解法, 全部還原的大絕招, 前提示還原的磁碟要有辦法接收要還原的資料空間:
# ext3grep /dev/sdb1 –restore-all