Rescuing rm'd files on Linux (ext3grep)

Sometimes you rm a file by accident and then regret not having a backup. How do you undelete that file? I later found a tool called ext3grep, which can restore the file.

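First, unmount (umount) the partition that held the file. This is important, so that the file's data does not get overwritten! It is also best to write down the file's path and name, which makes it easier to restore.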

You can start by reading this article carefully: HOWTO recover deleted files on an ext3 file system. I was lazy and started testing without reading it. Below are my recovery notes:

On Red Hat systems you can find ext3grep to install at DAG packages for Red Hat Linux el6 x86_64. On Ubuntu you can install it directly from the Software Center. I will assume you have it installed.

If you know the path and name of the file to restore, you can use the following command:

# ext3grep /dev/sdbX --restore-file home/sandbox/sand1.txt

Running ext3grep version 0.10.1
WARNING: I don't know what EXT3_FEATURE_COMPAT_EXT_ATTR is.
Number of groups: 13
Minimum / maximum journal block: 49402 / 53515
Loading journal descriptors... sorting... done
The oldest inode block that is still in the journal, appears to be from 1394695427 = Thu Mar 13 15:23:47 2014
Number of descriptors in journal: 690; min / max sequence numbers: 7 / 47
Writing output to directory RESTORED_FILES/
Loading sdbX.ext3grep.stage2... done
Restoring home/sandbox/sand1.txt

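The file you asked for is restored into the RESTORED_FILES directory.
Note that in the command above there is no / in front of home: that partition is mounted at /, so the leading / is not written.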

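If you do not remember the file name, you can list the root directory of the partition with the following command.

# ext3grep /dev/sdbX --inode 2

While listing, it generates the following two files: sdbX.ext3grep.stage1, sdbX.ext3grep.stage2

Then look inside the sdb1.ext3grep.stage2 file for the inode of the directory you want to restore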

# Stage 2 data for /dev/sdb1.
# Inodes path and directory blocks.
# INODE PATH BLOCK [BLOCK ...]
2 '' 508
11 'lost+found' 509
3953 'home' 17921
3954 'home/sandbox' 18433

For example, to list the files in home/sandbox, I pass inode 3954, which I found in the sdb1.ext3grep.stage2 file, to the following command:

# ext3grep /dev/sdbX --ls --inode 3954

Running ext3grep version 0.10.1
WARNING: I don't know what EXT3_FEATURE_COMPAT_EXT_ATTR is.
Number of groups: 13
Minimum / maximum journal block: 49402 / 53515
Loading journal descriptors... sorting... done
The oldest inode block that is still in the journal, appears to be from 1394695427 = Thu Mar 13 15:23:47 2014
Number of descriptors in journal: 690; min / max sequence numbers: 7 / 47
Inode is Allocated
Loading sdbX.ext3grep.stage2... done
The first block of the directory is 18433.
Inode 3954 is directory "home/sandbox".
Directory block 18433:
          .-- File type in dir_entry (r=regular file, d=directory, l=symlink)
          |          .-- D: Deleted ; R: Reallocated
Indx Next |  Inode   | Deletion time                        Mode        File name
==========+==========+----------------data-from-inode------+-----------+=========
   0    1 d    3954                                         drwxr-xr-x  .
   1    2 d    3953                                         drwxr-xr-x  ..
   2    3 d    3955                                         drwxr-xr-x  Desktop
   3    4 d    3956                                         drwxr-xr-x  Documents
   4    5 d    3957                                         drwxr-xr-x  Downloads
   5  end d    5929                                         drwxrwxr-x  sandbox
   6    7 r    4520  D 1394766080 Fri Mar 14 11:01:20 2014  rrw-------  .sand4.txt.swp
   7    8 r    4521  D 1394766092 Fri Mar 14 11:01:32 2014  rrw-rw-r--  sand1.txt
   8    9 r    4522  D 1394766094 Fri Mar 14 11:01:34 2014  rrw-rw-r--  sand2.txt
   9   10 r    4523  D 1394766096 Fri Mar 14 11:01:36 2014  rrw-rw-r--  sand3.txt
  10  end r    4524  D 1394766098 Fri Mar 14 11:01:38 2014  rrw-rw-r--  sand4.txt

This gives me the file listing for that directory, so I can restore individual files with the earlier command.

You can also restore directly by inode. To restore sand1.txt, I pass 4521 to the following command:

# ext3grep /dev/sdb1 --restore-inode 4521

This restores the file, but its name becomes inode.4521; rename it yourself afterwards.
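
The two manual lookups above (finding a directory's inode in the stage2 file, then picking the deleted entries out of the --ls listing) can be scripted. The following is an added example, not part of the original notes or of ext3grep; the function names stage2_inode and deleted_entries are made up here, and the parsing assumes the stage2 and listing layouts shown above for version 0.10.1.

```shell
#!/bin/sh
# Added example: helpers for the lookups done by hand above. Not part of ext3grep.

# Read a *.ext3grep.stage2 file on stdin and print the inode of directory $1
# ($1 is relative to the filesystem root, no leading /; '' is the root itself).
# Assumes the path contains no single quote. Exit status 1 if it is not listed.
stage2_inode() {
    WANT="$1" awk -F"'" '
        /^#/ || NF < 3 { next }
        ($2 "") == (ENVIRON["WANT"] "") { split($1, a, " "); print a[1]; hit = 1; exit }
        END { exit !hit }
    '
}

# Read `ext3grep --ls --inode N` output on stdin and print, for every entry
# flagged D (deleted): inode <TAB> deletion time (epoch seconds) <TAB> name.
deleted_entries() {
    awk '
        $1 ~ /^[0-9]+$/ && $5 == "D" && NF >= 13 {
            name = $13
            for (i = 14; i <= NF; i++) name = name " " $i   # name with spaces
            printf "%s\t%s\t%s\n", $4, $6, name
        }
    '
}

# Sample input: lines copied from the output shown on this page.
sample_stage2() {
    cat <<'EOF'
# Stage 2 data for /dev/sdb1.
2 '' 508
3953 'home' 17921
3954 'home/sandbox' 18433
EOF
}

sample_ls() {
    cat <<'EOF'
Indx Next |  Inode   | Deletion time                        Mode        File name
   0    1 d    3954                                         drwxr-xr-x  .
   5  end d    5929                                         drwxrwxr-x  sandbox
   7    8 r    4521  D 1394766092 Fri Mar 14 11:01:32 2014  rrw-rw-r--  sand1.txt
  10  end r    4524  D 1394766098 Fri Mar 14 11:01:38 2014  rrw-rw-r--  sand4.txt
EOF
}

sample_stage2 | stage2_inode home/sandbox   # prints 3954
sample_ls | deleted_entries                 # prints the two deleted entries
```

The first column printed by deleted_entries is the inode number to pass to --restore-inode.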

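Finally, the lazy solution, the ultimate move that restores everything. The prerequisite is that the disk receiving the restored data has enough space for it:

# ext3grep /dev/sdb1 --restore-all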