ext3 file system undelete tools (2)

I: Ext3grep

Note: ext3grep is an open-source undelete tool for the ext3 file system. Before ext3grep appeared, recovering deleted data by conventional means was essentially impossible; although the debugfs command can perform some recovery on ext2 file systems, it is powerless on ext3. ext3 is a journaling file system, and ext3grep recovers deleted files and data precisely by analysing the information in the ext3 journal.

Ext3grep installation steps
Operating system: CentOS 5.4
ext3grep version: ext3grep-0.10.2

Download URL: http://code.google.com/p/ext3grep/downloads/detail?name=ext3grep-0.10.2.tar.gz
[root@localhost ~]# rpm -qa | grep e2fsprogs
e2fsprogs-devel-1.39-23.el5
e2fsprogs-libs-1.39-23.el5
e2fsprogs-1.39-23.el5
[root@localhost ~]# tar -zxvf ext3grep-0.10.2.tar.gz
[root@localhost ~]# cd ext3grep-0.10.2
[root@localhost ~]# ./configure
[root@localhost ~]# make
[root@localhost ~]# make install

[root@localhost ~]# ext3grep -v # check the version
Running ext3grep version 0.10.2
ext3grep v0.10.2, Copyright (C) 2008 Carlo Wood.
ext3grep comes with ABSOLUTELY NO WARRANTY;
This program is free software; your freedom to use, change
and distribute this program is protected by the GPL.

Ext3grep is now installed; by default the ext3grep binary is placed in the /usr/local/bin directory.

1: The following case, deleting files and a directory, illustrates how Ext3grep is used:

(1) Simulate an accidental-deletion environment and walk through ext3grep's file recovery process in detail. A 2 GB virtual disk is attached and one partition, /dev/sdb1, is created on it for testing.
Mount the new partition
[root@localhost ~]# mkdir /test
[root@localhost ~]# mkfs.ext3 /dev/sdb1
[root@localhost ~]# mount /dev/sdb1 /test/

Copy some files to use for testing
[root@localhost ~]# cp /etc/profile /test/
[root@localhost ~]# cp /boot/initrd-2.6.18-164.el5.img /test/
[root@localhost ~]# echo "ext3grep test" > /test/ext3grep.txt
[root@localhost ~]# mkdir /test/ext3grep
[root@localhost ~]# cp /etc/hosts /test/ext3grep
[root@localhost ~]# cd /test/
[root@localhost test]# ls -lh
total 3.2M
drwxr-xr-x 2 root root 4.0K Jun 20 19:03 ext3grep
-rw-r--r-- 1 root root 14 Jun 20 19:03 ext3grep.txt
-rw------- 1 root root 3.2M Jun 20 19:03 initrd-2.6.18-164.el5.img
drwx------ 2 root root 16K Jun 20 19:02 lost+found
-rw-r--r-- 1 root root 1.1K Jun 20 19:02 profile

[root@localhost test]# md5sum profile # record the file checksum
a6e82d979bb95919082d9aceddf56c39 profile
[root@localhost test]# md5sum initrd-2.6.18-164.el5.img
cf423e478525d3d8960edd5f315e84a8 initrd-2.6.18-164.el5.img
[root@localhost test]# md5sum ext3grep.txt
5afe55495cdb666daad667e1cd797dcb ext3grep.txt

Delete everything under /test
[root@localhost ~]# rm -rf /test/*
[root@localhost ~]# cd /test/
[root@localhost test]# ls

At this point there are no files or directories left under /test; next we recover all of them.


(2) Unmount the /dev/sdb1 partition
[root@localhost ~]# umount /test/

(3) Query the recoverable data
[root@localhost ~]# ext3grep /dev/sdb1 --ls --inode 2
Running ext3grep version 0.10.2
Number of groups: 16
Loading group metadata... done
Minimum / maximum journal block: 649 / 8851
Loading journal descriptors... sorting... done
The oldest inode block that is still in the journal, appears to be from 1340190176 = Wed Jun 20 19:02:56 2012
Number of descriptors in journal: 59; min / max sequence numbers: 2 / 15
Inode is Allocated
Finding all blocks that might be directories.
D: block containing directory start, d: block containing more directory entries.
Each plus represents a directory start that references the same inode as a directory start that we found previously.

Searching group 0: DD+++D+++
Searching group 1:
Searching group 2:
Searching group 3:
Searching group 4:
Searching group 5:
Searching group 6:
Searching group 7: +
Searching group 8:
Searching group 9:
Searching group 10:
Searching group 11:
Searching group 12:
Searching group 13:
Searching group 14:
Searching group 15:
Writing analysis so far to 'sdb1.ext3grep.stage1'. Delete that file if you want to do this stage again.
Result of stage one:
3 inodes are referenced by one or more directory blocks, 1 of those inodes is still allocated.
2 inodes are referenced by more than one directory block, 1 of those inodes is still allocated.
0 blocks contain an extended directory.
Result of stage two:
1 of those inodes could be resolved because it is still allocated.
1 inodes could be resolved because all refering blocks but one were journal blocks.
All directory inodes are accounted for!


Writing analysis so far to 'sdb1.ext3grep.stage2'. Delete that file if you want to do this stage again.
The first block of the directory is 643.
Inode 2 is directory "".
Directory block 643:
.-- File type in dir_entry (r=regular file, d=directory, l=symlink)
| .-- D: Deleted ; R: Reallocated
Indx Next | Inode | Deletion time Mode File name
==========+==========+----------------data-from-inode------+-----------+=========
0 1 d 2 drwxr-xr-x .
1 end d 2 drwxr-xr-x ..
2 3 d 11 D 1340190570 Wed Jun 20 19:09:30 2012 drwx------ lost+found
3 end r 12 D 1340190570 Wed Jun 20 19:09:30 2012 rrw-r--r-- profile
4 end r 13 D 1340190570 Wed Jun 20 19:09:30 2012 rrw------- initrd-2.6.18-164.el5.img
5 end r 14 D 1340190570 Wed Jun 20 19:09:30 2012 rrw-r--r-- ext3grep.txt
6 end d 114689 D 1340190570 Wed Jun 20 19:09:30 2012 drwxr-xr-x ext3grep

Note: "ext3grep /dev/sdb1 --ls --inode 2" scans the information for all files on the file system, both existing and deleted; entries marked D are the deleted files. If you do not remember the names of the deleted files, you can find them as follows, by retrieving the path information of the recoverable files.
[root@localhost ~]# ext3grep /dev/sdb1 --dump-names
Running ext3grep version 0.10.2
Number of groups: 16
Minimum / maximum journal block: 649 / 8851
Loading journal descriptors... sorting... done
The oldest inode block that is still in the journal, appears to be from 1340190176 = Wed Jun 20 19:02:56 2012
Number of descriptors in journal: 59; min / max sequence numbers: 2 / 15
Loading sdb1.ext3grep.stage2... done
ext3grep
ext3grep.txt
ext3grep/hosts
initrd-2.6.18-164.el5.img
lost+found
profile

(4) Recover a single file
Note: to recover a specific deleted file, proceed as follows:
[root@localhost ~]# ext3grep /dev/sdb1 --restore-file ext3grep.txt
Running ext3grep version 0.10.2
Number of groups: 16
Minimum / maximum journal block: 649 / 8851
Loading journal descriptors... sorting... done
The oldest inode block that is still in the journal, appears to be from 1340190176 = Wed Jun 20 19:02:56 2012
Number of descriptors in journal: 59; min / max sequence numbers: 2 / 15
Writing output to directory RESTORED_FILES/
Loading sdb1.ext3grep.stage2... done
Restoring ext3grep.txt


Alternatively, a file can be recovered by passing its inode number to "--restore-inode":
[root@localhost ~]# ext3grep /dev/sdb1 --restore-inode 12
Running ext3grep version 0.10.2
Number of groups: 16
Minimum / maximum journal block: 649 / 8851
Loading journal descriptors... sorting... done
The oldest inode block that is still in the journal, appears to be from 1340190176 = Wed Jun 20 19:02:56 2012
Number of descriptors in journal: 59; min / max sequence numbers: 2 / 15
Restoring inode.12
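As an added example (not part of the original post or of ext3grep itself), the Python below parses the directory-block table that "ext3grep /dev/sdb1 --ls --inode 2" printed in step (3), keeps the entries flagged D, and builds the "--restore-inode" invocations from step (4) so they can be reviewed before anything is run. SAMPLE_LISTING is the listing from step (3) above; the function and field names are my own, and the parser assumes whitespace-separated columns with the file name being everything after the mode column.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
# Directory-block table as printed by "ext3grep /dev/sdb1 --ls --inode 2" in step (3) above.
SAMPLE_LISTING = """\
Indx Next | Inode | Deletion time Mode File name
==========+==========+----------------data-from-inode------+-----------+=========
0 1 d 2 drwxr-xr-x .
1 end d 2 drwxr-xr-x ..
2 3 d 11 D 1340190570 Wed Jun 20 19:09:30 2012 drwx------ lost+found
3 end r 12 D 1340190570 Wed Jun 20 19:09:30 2012 rrw-r--r-- profile
4 end r 13 D 1340190570 Wed Jun 20 19:09:30 2012 rrw------- initrd-2.6.18-164.el5.img
5 end r 14 D 1340190570 Wed Jun 20 19:09:30 2012 rrw-r--r-- ext3grep.txt
6 end d 114689 D 1340190570 Wed Jun 20 19:09:30 2012 drwxr-xr-x ext3grep
"""
MODE_RE = re.compile(r"^[rdl-][rwxsStT-]{9}$")  # type letter + nine permission bits

@dataclass
class DirEntry:
    ftype: str                 # r = regular file, d = directory, l = symlink
    inode: int
    flag: Optional[str]        # "D" deleted, "R" reallocated, None = live entry
    deleted_at: Optional[int]  # epoch seconds from the "Deletion time" column
    mode: str
    name: str

def parse_ext3grep_ls(text: str) -> List[DirEntry]:
    """Parse the rows that follow the ====+==== separator in ext3grep --ls output."""
    entries, in_table = [], False
    for line in text.splitlines():
        if line.startswith("====="):
            in_table = True
            continue
        tok = line.split()
        if not in_table or not tok or not tok[0].isdigit():
            continue
        # Columns: Indx Next type Inode [D|R [epoch <five date words>]] Mode Name
        mode_idx = next((i for i in range(4, len(tok)) if MODE_RE.match(tok[i])), None)
        if mode_idx is None:
            continue  # not a directory-entry row
        flag = tok[4] if mode_idx > 4 and tok[4] in ("D", "R") else None
        deleted_at = int(tok[5]) if flag and mode_idx > 5 and tok[5].isdigit() else None
        entries.append(DirEntry(tok[2], int(tok[3]), flag, deleted_at,
                                tok[mode_idx], " ".join(tok[mode_idx + 1:])))
    return entries

def deleted_entries(entries: List[DirEntry]) -> List[DirEntry]:
    return [e for e in entries if e.flag == "D" and e.name not in (".", "..")]

def restore_commands(device: str, entries: List[DirEntry]) -> List[str]:
    return [f"ext3grep {device} --restore-inode {e.inode}" for e in entries]
```

Before re-running the analysis on the same device, remove the sdb1.ext3grep.stage1 and sdb1.ext3grep.stage2 files that ext3grep writes to the current directory, as its "Writing analysis so far" messages say; otherwise later runs reload the old cache ("Loading sdb1.ext3grep.stage2... done") instead of re-scanning.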

 

(5) Recover all files and directories
ext3grep /dev/sdb1 --restore-all
Running ext3grep version 0.10.2
Number of groups: 16
Minimum / maximum journal block: 649 / 8851
Loading journal descriptors... sorting... done
The oldest inode block that is still in the journal, appears to be from 1340190176 = Wed Jun 20 19:02:56 2012
Number of descriptors in journal: 59; min / max sequence numbers: 2 / 15
Loading sdb1.ext3grep.stage2... done
Restoring ext3grep.txt
Restoring ext3grep/hosts
Restoring initrd-2.6.18-164.el5.img
Restoring profile


Note: the "--restore-all" option recovers every recoverable file on the specified storage device and places them in the "RESTORED_FILES" directory; it is very useful when a large number of data files must be recovered.

(6) Check whether the recovery succeeded; a directory named "RESTORED_FILES" is created in the current directory
[root@localhost ~]# cd RESTORED_FILES/
[root@localhost RESTORED_FILES]# ls -l
total 3252
drwxr-xr-x 2 root root 4096 Jun 20 19:32 ext3grep
-rw-r--r-- 1 root root 14 Jun 20 19:03 ext3grep.txt
-rw------- 1 root root 3304473 Jun 20 19:03 initrd-2.6.18-164.el5.img
-rw-r--r-- 1 root root 1029 Jun 20 19:02 inode.12
drwx------ 2 root root 4096 Jun 20 19:09 lost+found
-rw-r--r-- 1 root root 1029 Jun 20 19:02 profile


Remount the partition and move the recovered files and directories back to their original location; the data recovery is then complete.
[root@localhost RESTORED_FILES]# mount /dev/sdb1 /test/
[root@localhost RESTORED_FILES]# mv * /test/
[root@localhost RESTORED_FILES]# cd /test/
[root@localhost test]# ls
ext3grep ext3grep.txt initrd-2.6.18-164.el5.img inode.12 lost+found profile
[root@localhost test]# ls -lh
total 3.2M
drwxr-xr-x 2 root root 4.0K Jun 20 19:32 ext3grep
-rw-r--r-- 1 root root 14 Jun 20 19:03 ext3grep.txt
-rw------- 1 root root 3.2M Jun 20 19:03 initrd-2.6.18-164.el5.img
-rw-r--r-- 1 root root 1.1K Jun 20 19:02 inode.12
drwx------ 2 root root 4.0K Jun 20 19:09 lost+found
-rw-r--r-- 1 root root 1.1K Jun 20 19:02 profile


2: Recovering an accidentally dropped MySQL table with ext3grep

The steps are as follows:

(1) Simulate the dropped-table scenario. Note: the recovery process below is demonstrated on a MySQL instance that uses the MyISAM storage engine. Assume the disk partition holding MySQL is /dev/sdb1, mounted at /test.

(2) View the MySQL database tables

[root@localhost test]# mysql -u root -p
mysql> use mysql;
Database changed
mysql> show tables;
+---------------------------+
| Tables_in_mysql |
+---------------------------+
| columns_priv |
| db |
| func |
| help_category |
| help_keyword |
| help_relation |
| help_topic |
| host |
| proc |
| procs_priv |
| tables_priv |
| time_zone |
| time_zone_leap_second |
| time_zone_name |
| time_zone_transition |
| time_zone_transition_type |
| user |
+---------------------------+
17 rows in set (0.01 sec)


mysql> select * from host;
Empty set (0.01 sec)

mysql> desc host;
+-----------------------+---------------+------+-----+---------+-------+
| Field | Type | Null | Key | Default | Extra |
+-----------------------+---------------+------+-----+---------+-------+
| Host | char(60) | NO | PRI | | |
| Db | char(64) | NO | PRI | | |
| Select_priv | enum('N','Y') | NO | | N | |
| Insert_priv | enum('N','Y') | NO | | N | |
| Update_priv | enum('N','Y') | NO | | N | |
| Delete_priv | enum('N','Y') | NO | | N | |
| Create_priv | enum('N','Y') | NO | | N | |
| Drop_priv | enum('N','Y') | NO | | N | |
| Grant_priv | enum('N','Y') | NO | | N | |
| References_priv | enum('N','Y') | NO | | N | |
| Index_priv | enum('N','Y') | NO | | N | |
| Alter_priv | enum('N','Y') | NO | | N | |
| Create_tmp_table_priv | enum('N','Y') | NO | | N | |
| Lock_tables_priv | enum('N','Y') | NO | | N | |
| Create_view_priv | enum('N','Y') | NO | | N | |
| Show_view_priv | enum('N','Y') | NO | | N | |
| Create_routine_priv | enum('N','Y') | NO | | N | |
| Alter_routine_priv | enum('N','Y') | NO | | N | |
| Execute_priv | enum('N','Y') | NO | | N | |
+-----------------------+---------------+------+-----+---------+-------+
19 rows in set (0.01 sec)

mysql>


(3) Drop the "host" table

mysql> drop table host;
Query OK, 0 rows affected (0.03 sec)
mysql> show tables;
+---------------------------+
| Tables_in_mysql |
+---------------------------+
| columns_priv |
| db |
| func |
| help_category |
| help_keyword |
| help_relation |
| help_topic |
| proc |
| procs_priv |
| tables_priv |
| time_zone |
| time_zone_leap_second |
| time_zone_name |
| time_zone_transition |
| time_zone_transition_type |
| user |
+---------------------------+
16 rows in set (0.01 sec)


(4) Stop the MySQL database and unmount the partition it lives on

[root@localhost ~]# service mysqld stop
[root@localhost ~]# umount /test/


(5) Analyse and recover the data with ext3grep

Scan the partition holding MySQL

[root@localhost ~]# ext3grep /dev/sdb1 --ls --inode 2
Running ext3grep version 0.10.2
Number of groups: 16
Loading group metadata... done
Minimum / maximum journal block: 649 / 8851
Loading journal descriptors... sorting... done
The oldest inode block that is still in the journal, appears to be from 1340192235 = Wed Jun 20 19:37:15 2012
Number of descriptors in journal: 238; min / max sequence numbers: 18 / 65
Inode is Allocated
Loading sdb1.ext3grep.stage2... done
The first block of the directory is 643.
Inode 2 is directory "".
Directory block 643:
.-- File type in dir_entry (r=regular file, d=directory, l=symlink)
| .-- D: Deleted ; R: Reallocated
Indx Next | Inode | Deletion time Mode File name
==========+==========+----------------data-from-inode------+-----------+=========
0 1 d 2 drwxr-xr-x .
1 2 d 2 drwxr-xr-x ..
2 3 d 16385 drwxr-xr-x ext3grep
3 4 r 11 rrw-r--r-- ext3grep.txt
4 5 r 12 rrw------- initrd-2.6.18-164.el5.img
5 6 r 13 rrw-r--r-- inode.12
6 7 d 32769 drwx------ lost+found
7 8 r 14 rrw-r--r-- profile
8 9 d 114689 drwx------ mysql
9 10 d 131073 drwx------ test
10 11 r 15 rrw-rw---- ibdata1
11 12 r 16 rrw-rw---- ib_logfile0
12 end r 17 rrw-rw---- ib_logfile1


The listing above shows that the mysql directory contains recoverable data; from it, the inode number of the mysql directory is 114689. Next, scan the inode information of the mysql directory.

[root@localhost ~]# ext3grep /dev/sdb1 --ls --inode 114689
Running ext3grep version 0.10.2
Number of groups: 16
Minimum / maximum journal block: 649 / 8851
Loading journal descriptors... sorting... done
The oldest inode block that is still in the journal, appears to be from 1340192235 = Wed Jun 20 19:37:15 2012
Number of descriptors in journal: 238; min / max sequence numbers: 18 / 65
Inode is Allocated
Loading sdb1.ext3grep.stage2... done
The first block of the directory is 253952.
Inode 114689 is directory "ext3grep".
Directory block 253952:
.-- File type in dir_entry (r=regular file, d=directory, l=symlink)
| .-- D: Deleted ; R: Reallocated
Indx Next | Inode | Deletion time Mode File name
==========+==========+----------------data-from-inode------+-----------+=========
0 1 d 114689 drwx------ .
1 2 d 2 drwxr-xr-x ..
2 end r 114690 rrw-rw---- hosts


Note: in the operations above, we first scanned the whole partition with "--ls --inode 2" and found that the mysql directory corresponds to inode 114689, then listed the files under inode 114689. Scanning the mysql directory at inode 114689 yields the inode information for all files and directories under it, and the previous step shows that the Directory block of the mysql directory is 253952. The command below lists the inode information under the mysql directory by that block.

[root@localhost ~]# ext3grep /dev/sdb1 --ls --block 253952
Running ext3grep version 0.10.2
Number of groups: 16
Minimum / maximum journal block: 649 / 8851
Loading journal descriptors... sorting... done
The oldest inode block that is still in the journal, appears to be from 1340192235 = Wed Jun 20 19:37:15 2012
Number of descriptors in journal: 238; min / max sequence numbers: 18 / 65
Group: 7

Block 253952 is a directory. The block is Unallocated

.-- File type in dir_entry (r=regular file, d=directory, l=symlink)
| .-- D: Deleted ; R: Reallocated
Indx Next | Inode | Deletion time Mode File name
==========+==========+----------------data-from-inode------+-----------+=========
0 1 d 114689 drwx------ .
1 2 d 2 drwxr-xr-x ..
2 end r 114690 rrw-rw---- hosts

WARNING: inode 114689 was reallocated!



(6) Recover the MySQL data file

[root@localhost ~]# ext3grep /dev/sdb1 --restore-inode 114690
Running ext3grep version 0.10.2
Number of groups: 16
Minimum / maximum journal block: 649 / 8851
Loading journal descriptors... sorting... done
The oldest inode block that is still in the journal, appears to be from 1340192235 = Wed Jun 20 19:37:15 2012
Number of descriptors in journal: 238; min / max sequence numbers: 18 / 65
Restoring inode.114690
