[root@ora10g ora10g]# cd ~
[root@ora10g ~]# umount /zlm/test1
[root@ora10g ~]# df -Th
Filesystem Type Size Used Avail Use% Mounted on
/dev/mapper/VolGroup00-LogVol00
ext3 7.7G 5.6G 1.7G 77% /
/dev/sda1 ext3 99M 12M 82M 13% /boot
tmpfs tmpfs 506M 0 506M 0% /dev/shm
-- Start scanning the /zlm/test1 partition for deleted files
[root@ora10g ~]# ext3grep /zlm/test1 --ls --inode 2
Running ext3grep version 0.10.2
Number of groups: 13
Loading group metadata... done
Minimum / maximum journal block: 519 / 4633
Loading journal descriptors... sorting... done
The oldest inode block that is still in the journal, appears to be from 1409119917 = Wed Aug 27 14:11:57 2014
Number of descriptors in journal: 32; min / max sequence numbers: 2 / 10
Inode is Allocated
Finding all blocks that might be directories.
D: block containing directory start, d: block containing more directory entries.
Each plus represents a directory start that references the same inode as a directory start that we found previously.
Searching group 0: DD++
Searching group 1:
Searching group 2:
Searching group 3:
Searching group 4:
Searching group 5:
Searching group 6:
Searching group 7:
Searching group 8:
Searching group 9:
Searching group 10:
Searching group 11:
Searching group 12:
Writing analysis so far to 'test1.ext3grep.stage1'. Delete that file if you want to do this stage again.
Result of stage one:
2 inodes are referenced by one or more directory blocks, 2 of those inodes are still allocated.
1 inodes are referenced by more than one directory block, 1 of those inodes is still allocated.
0 blocks contain an extended directory.
Result of stage two:
2 of those inodes could be resolved because they are still allocated.
All directory inodes are accounted for!
Writing analysis so far to 'test1.ext3grep.stage2'. Delete that file if you want to do this stage again.
The first block of the directory is 505.
Inode 2 is directory "".
Directory block 505:
.-- File type in dir_entry (r=regular file, d=directory, l=symlink)
| .-- D: Deleted ; R: Reallocated
Indx Next | Inode | Deletion time Mode File name
==========+==========+----------------data-from-inode------+-----------+=========
0 1 d 2 drwxr-xr-x .
1 2 d 2 drwxr-xr-x ..
2 end d 11 drwx------ lost+found
3 4 r 12 D 1409120047 Wed Aug 27 14:14:07 2014 rrw-r--r-- redo01.log
4 5 r 13 D 1409120047 Wed Aug 27 14:14:07 2014 rrw-r--r-- redo02.log
5 end r 14 D 1409120047 Wed Aug 27 14:14:07 2014 rrw-r--r-- redo03.log
[root@ora10g ~]# ll
total 80
-rw------- 1 root root 1618 Aug 22 11:19 anaconda-ks.cfg
drwxr-xr-x 2 root root 4096 Aug 22 12:58 Desktop
-rw-r--r-- 1 root root 39989 Aug 22 11:19 install.log
-rw-r--r-- 1 root root 4270 Aug 22 11:19 install.log.syslog
drwxr-xr-x 3 root root 4096 Aug 27 14:17 RESTORED_FILES
-rw-r--r-- 1 root root 186 Aug 27 14:16 test1.ext3grep.stage1
-rw-r--r-- 1 root root 133 Aug 27 14:16 test1.ext3grep.stage2
The test1.ext3grep.stage files are generated when the command is run and store the scan information.
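
An added example, not from the original page or the ext3grep project: a Python parser for the deleted-entry lines of the --ls listing above. It converts the raw deletion epoch to UTC and derives the offset of the local time that ext3grep printed, which is what a recovery timeline needs. The names deleted_entries and SAMPLE are assumptions made for this example, and the sample lines are copied from the listing.

```python
import re
from datetime import datetime, timezone

# Constructed sample: entries copied from the directory block 505 listing above.
SAMPLE = """\
2 end d 11 drwx------ lost+found
3 4 r 12 D 1409120047 Wed Aug 27 14:14:07 2014 rrw-r--r-- redo01.log
4 5 r 13 D 1409120047 Wed Aug 27 14:14:07 2014 rrw-r--r-- redo02.log
5 end r 14 D 1409120047 Wed Aug 27 14:14:07 2014 rrw-r--r-- redo03.log
"""

# Columns: Indx Next type Inode D <epoch> <local time text> Mode Name
DELETED = re.compile(
    r"^\s*(?P<indx>\d+)\s+(?P<next>\d+|end)\s+(?P<type>[rdl])\s+"
    r"(?P<inode>\d+)\s+D\s+(?P<epoch>\d+)\s+"
    r"(?P<local>\w{3}\s+\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+\d{4})\s+"
    r"(?P<mode>\S+)\s+(?P<name>.+?)\s*$"
)

def deleted_entries(listing):
    """Return deleted directory entries with the deletion time in UTC."""
    out = []
    for line in listing.splitlines():
        m = DELETED.match(line)
        if not m:
            continue  # live entries, headers and legend lines carry no D flag
        epoch = int(m["epoch"])
        utc = datetime.fromtimestamp(epoch, tz=timezone.utc)
        # The text column is local time on the host that ran the tool;
        # only the epoch is unambiguous, so record the difference.
        local = datetime.strptime(m["local"], "%a %b %d %H:%M:%S %Y")
        offset = (local - utc.replace(tzinfo=None)).total_seconds() / 3600
        out.append({
            "inode": int(m["inode"]), "type": m["type"], "name": m["name"],
            "epoch": epoch, "deleted_utc": utc.isoformat(),
            "local_offset_hours": offset,
        })
    return out

if __name__ == "__main__":
    for e in deleted_entries(SAMPLE):
        print(e["inode"], e["name"], e["deleted_utc"], e["local_offset_hours"])
```
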