作者：Carlo Wood

时间：2008年4月

作者网站：http://code.google.com/p/ext3grep/

翻译者：www_xylove（网络ID）

时间：2013年1月27日

说明：翻译这个软件的功能主要是想证明一下自己的英文水平，顺便推广一下Carlo Wood写的这个ext3grep工具，当然，这个工具很可能很多人都已经知道了，因为毕竟是作者2008年写的，但是还可能有些读者不知道这个工具，所以，顺便推广一下罢了，其实这个工具实在是太重要了，在这个工具之前，rm -rf 删除了文件，是不可能恢复的，这个连ext3文件系统的开发者Andreas Diger都承认，但Carlo Wood不这么认为，作者认为rm文件后是可以恢复的，所以就有了ext3grep这个工具。自己翻译下来，自己的英文水平着实还有待有提高,该篇译文算是自己的练兵这作罢了.由于自己的翻译水平连自己都不屑一顾了，至于发在博客的原因，想比是自己喜欢写博客而已，没有任何原因了.强烈建议读者朋友还是读原作，请看上面的链接.

[@more@]

恢复只有单个block的文件

依据原文，我在自己的环境恢复:

下面将仅仅恢复一个小的文件

我首先创建目录mkdir -p fandic/corebase,文件名为xiangyang.file

文件xiangyang.file内容

test a file with a block ,to recovery it ,alter delete file

删除目录 fangdic 子目录corebase，文件 xiangyang.file

下面开始恢复：

使用ext3grep /dev/mapper/VolGroup02-LogVol00 --ls --inode找出我们想要恢复的文件

# ext3grep /dev/mapper/VolGroup02-LogVol00 --ls --inode 2 | grep fandic

5    7 d  552161  D 1359337905 Sun Jan 27 20:51:45 2013  drwxr-xr-x  fandic

[root@primary /]# ext3grep /dev/mapper/VolGroup02-LogVol00 --ls --inode 552161 | grep corebase

2 end d 552162 D 1359337883 Sun Jan 27 20:51:23 2013 drwxr-xr-x corebase

[root@primary /]# ext3grep /dev/mapper/VolGroup02-LogVol00 --ls --inode 552162 | grep xiangyang.file

2 end r 552165 D 1359337875 Sun Jan 27 20:51:15 2013 rrw-r--r-- xiangyang.file

3 end r 552164 D 1359337854 Sun Jan 27 20:50:54 2013 rrw-r--r-- .xiangyang.file.swp

4 end r 552163 D 1359337854 Sun Jan 27 20:50:54 2013 rrw-r--r-- xiangyang.file~

Inode为552165的文件已经被删除，并且在文件系统中已经没有对应数据块.

[root@primary /]# ext3grep /dev/mapper/VolGroup02-LogVol00 --print --inode 552165

Running ext3grep version 0.10.2

WARNING: I don't know what EXT3_FEATURE_COMPAT_EXT_ATTR is.

WARNING: EXT3_FEATURE_INCOMPAT_RECOVER is set. This either means that your partition is still mounted, and/or the file system is in an unclean state.

Number of groups: 40

Minimum / maximum journal block: 1341 / 35478

Loading journal descriptors... sorting... done

The oldest inode block that is still in the journal, appears to be from 1338710654 = Sun Jun 3 04:04:14 2012

Number of descriptors in journal: 7706; min / max sequence numbers: 4853 / 7055

Hex dump of inode 552165:

0000 | a4 81 00 00 00 00 00 00 84 d9 05 51 93 d9 05 51 | ...........Q...Q

0010 | 93 d9 05 51 93 d9 05 51 00 00 00 00 00 00 00 00 | ...Q...Q........

0020 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................

0030 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................

0040 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................

0050 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................

0060 | 00 00 00 00 67 04 dc c9 00 00 00 00 00 00 00 00 | ....g...........

0070 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................

Inode is Unallocated

Group: 17

Generation Id: 3386639463

uid / gid: 0 / 0

mode: rrw-r--r--

size: 0

num of links: 0

sectors: 0 (--> 0 indirect blocks).

Inode Times:

Accessed: 1359337860 = Sun Jan 27 20:51:00 2013

File Modified: 1359337875 = Sun Jan 27 20:51:15 2013

Inode Modified: 1359337875 = Sun Jan 27 20:51:15 2013

Deletion time: 1359337875 = Sun Jan 27 20:51:15 2013

Direct Blocks: 0

[root@primary /]#

因此我们必须在日志里寻找该块的拷贝.首先，我们找包含这个inode的文件系统的块.

[root@primary /]# ext3grep /dev/mapper/VolGroup02-LogVol00 --inode-to-block 552165 | grep resides

Inode 552165 resides in block 557058 at offset 0x200.

日志块557058是该数据块的一个拷贝，它包含了该块的详细信息.

[root@primary /]# ext3grep /dev/mapper/VolGroup02-LogVol00 --journal --block 557058

Running ext3grep version 0.10.2

No --ls used; implying --print.

WARNING: I don't know what EXT3_FEATURE_COMPAT_EXT_ATTR is.

WARNING: EXT3_FEATURE_INCOMPAT_RECOVER is set. This either means that your partition is still mounted, and/or the file system is in an unclean state.

Minimum / maximum journal block: 1341 / 35478

Loading journal descriptors... sorting... done

The oldest inode block that is still in the journal, appears to be from 1338710654 = Sun Jun 3 04:04:14 2012

Number of descriptors in journal: 7706; min / max sequence numbers: 4853 / 7055

Journal descriptors referencing block 557058:

5848 7277

7045 1352

7046 1362

7047 1370

7049 1379

7050 1385

7051 1393

7052 1396

7053 1405

7055 1419

[root@primary /]#

上面的显示中，最下的的数字，左边的表示事务编号，右边的表示数据块.最老的事务5848，对应的数据块为7277；最近的事务7055，对应的数据块为1419.

先从最近的事务开始查询，数据块的数据还在不在.

从事务7055，数据块1419查看有没有数据.

[root@primary /]# ext3grep /dev/mapper/VolGroup02-LogVol00 --print --block 1419 | grep -A15 'Inode 552165'

--------------Inode 552165-----------------------

Generation Id: 3386639463

uid / gid: 0 / 0

mode: rrw-r--r--

size: 0

num of links: 0

sectors: 0 (--> 0 indirect blocks).

Inode Times:

Accessed: 1359337860 = Sun Jan 27 20:51:00 2013

File Modified: 1359337875 = Sun Jan 27 20:51:15 2013

Inode Modified: 1359337875 = Sun Jan 27 20:51:15 2013

Deletion time: 1359337875 = Sun Jan 27 20:51:15 2013

Direct Blocks: 0

没有！

继续查找.

[root@primary /]# ext3grep /dev/mapper/VolGroup02-LogVol00 --print --block 1405 | grep -A15 'Inode 552165'

--------------Inode 552165-----------------------

Generation Id: 3386639463

uid / gid: 0 / 0

mode: rrw-r--r--

size: 0

num of links: 0

sectors: 0 (--> 0 indirect blocks).

Inode Times:

Accessed: 1359337860 = Sun Jan 27 20:51:00 2013

File Modified: 1359337875 = Sun Jan 27 20:51:15 2013

Inode Modified: 1359337875 = Sun Jan 27 20:51:15 2013

Deletion time: 1359337875 = Sun Jan 27 20:51:15 2013

Direct Blocks: 0

[root@primary /]# ext3grep /dev/mapper/VolGroup02-LogVol00 --print --block 1396 | grep -A15 'Inode 552165'

--------------Inode 552165-----------------------

Generation Id: 3386639463

uid / gid: 0 / 0

mode: rrw-r--r--

size: 0

num of links: 0

sectors: 0 (--> 0 indirect blocks).

Inode Times:

Accessed: 1359337860 = Sun Jan 27 20:51:00 2013

File Modified: 1359337875 = Sun Jan 27 20:51:15 2013

Inode Modified: 1359337875 = Sun Jan 27 20:51:15 2013

Deletion time: 1359337875 = Sun Jan 27 20:51:15 2013

Direct Blocks: 0

[root@primary /]# ext3grep /dev/mapper/VolGroup02-LogVol00 --print --block 1393 | grep -A15 'Inode 552165'

--------------Inode 552165-----------------------

Generation Id: 3386639463

uid / gid: 0 / 0

mode: rrw-r--r--

size: 61

num of links: 1

sectors: 8 (--> 0 indirect blocks).

Inode Times:

Accessed: 1359337860 = Sun Jan 27 20:51:00 2013

File Modified: 1359337854 = Sun Jan 27 20:50:54 2013

Inode Modified: 1359337854 = Sun Jan 27 20:50:54 2013

Deletion time: 0

Direct Blocks: 573448

终于从事务编号为7051，块为1393里找到了数据的拷贝.

该文件很小，就一个数据块.

使用dd命令恢复该文件.

[root@primary /]# dd if=/dev/mapper/VolGroup02-LogVol00 bs=4096 count=1 skip=573448 of=block.573448

1+0 records in

1+0 records out

4096 bytes (4.1 kB) copied, 0.022772 seconds, 180 kB/s

[root@primary /]# pwd

/

[root@primary /]# dd if=block.573448 bs=1 count=100 of=xiangyang.file

40+0 records in

40+0 records out

100 bytes (100 B) copied, 0.00116774 seconds, 34.3 kB/s

验证：文件已经恢复

[root@primary /]# more xiangyang.file

test a file with a block ,to recovery it ,alter delete file.

在ext3文件系统怎样恢复删除的文件（译4)