大家都知道Linux中,删除了的文件想恢复很难!而且不同文件系统下恢复的命令和工具可能还不一样。下面说下用debugfs,Linux中自带的命令,在ext3文件系统上恢复被删除文件的一次尝试。
[root]# mkdir /root/test //-->建测试文件夹
[root]# cd /root/test //-->进入该目录下
[root]# touch test.txt //-->建测试文件名
[root]# cat /proc/meminfo >> test.txt //-->往测试文件写
[root]# cat test.txt
MemTotal: 16432172 kB
MemFree: 7577528 kB
Buffers: 896832 kB
Cached: 5724212 kB
SwapCached: 0 kB
Active: 2737104 kB
Inactive: 4246932 kB
HighTotal: 0 kB
HighFree: 0 kB
LowTotal: 16432172 kB
LowFree: 7577528 kB
SwapTotal: 16777208 kB
SwapFree: 16777208 kB
Dirty: 1944 kB
Writeback: 0 kB
AnonPages: 362976 kB
Mapped: 179000 kB
Slab: 1756168 kB
PageTables: 9432 kB
NFS_Unstable: 0 kB
Bounce: 0 kB
CommitLimit: 24993292 kB
Committed_AS: 1469296 kB
VmallocTotal: 34359738367 kB
VmallocUsed: 291068 kB
VmallocChunk: 34359447031 kB
HugePages_Total: 0
HugePages_Free: 0
HugePages_Rsvd: 0
Hugepagesize: 2048 kB
[root]# rm test.txt //-->删除此测试文件
[root]# ls -lart //-->查看是否删除
total 12
drwxr-x--- 6 root root 4096 Aug 6 09:51 ..
drwxr-xr-x 2 root root 4096 Aug 6 09:52 .
[root]# mount -r -n /dev/mapper/vg00-lvol1 / //-->重新以只都的方式挂载,防止别的进程用
[root]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/rootVG-root
83G 7.4G 72G 10% /
/dev/mapper/rootVG-tmp
3.9G 137M 3.6G 4% /tmp
/dev/mapper/rootVG-var
31G 5.0G 24G 18% /var
/dev/cciss/c0d0p1 145M 26M 111M 19% /boot
/dev/mapper/vgglobal-lvol2
27G 291M 25G 2% /home
/dev/mapper/vgglobal-lvol1
105G 7.3G 93G 8% /d/oss/global
[root@nas2ds1 test]# df -T
Filesystem Type 1K-blocks Used Available Use% Mounted on
/dev/mapper/rootVG-root
ext3 86623180 7696528 74455460 10% /
/dev/mapper/rootVG-tmp
ext3 4062912 139456 3713744 4% /tmp
/dev/mapper/rootVG-var
ext3 31741856 5222564 24880892 18% /var
/dev/cciss/c0d0p1
ext3 147764 26611 113524 19% /boot
/dev/mapper/vgglobal-lvol2
ext3 27447508 297580 25755652 2% /home
/dev/mapper/vgglobal-lvol1
ext3 109806464 7579200 96649332 8% /d/oss/global
[root]# debugfs //-->使用该命令
debugfs 1.39 (29-May-2006)
debugfs: open /dev/mapper/rootVG-root //-->打开文件系统
debugfs: ls -d /root/test //-->查看被删文件
16269861 (12) . 16269793 (4084) .. <16269863> (4072) test.txt
debugfs: logdump -i <16269861> //-->查看节点所在的块
Inode 16269861 is at group 497, block 16285700, offset 512
Journal starts at block 6182, transaction 1128695
FS block 16285700 logged at sequence 1128698, journal block 6330
(inode block for inode 16269861):
Inode: 16269861 Type: bad type Mode: 0000 Flags: 0x0 Generation: 0
User: 0 Group: 0 Size: 0
File ACL: 0 Directory ACL: 0
Links: 0 Blockcount: 0
Fragment: Address: 0 Number: 0 Size: 0
ctime: 0x00000000 -- Thu Jan 1 07:00:00 1970
atime: 0x00000000 -- Thu Jan 1 07:00:00 1970
mtime: 0x00000000 -- Thu Jan 1 07:00:00 1970
Blocks:
FS block 16285700 logged at sequence 1128704, journal block 6727
(inode block for inode 16269861):
Inode: 16269861 Type: bad type Mode: 0000 Flags: 0x0 Generation: 0
User: 0 Group: 0 Size: 0
File ACL: 0 Directory ACL: 0
Links: 0 Blockcount: 0
Fragment: Address: 0 Number: 0 Size: 0
ctime: 0x00000000 -- Thu Jan 1 07:00:00 1970
atime: 0x00000000 -- Thu Jan 1 07:00:00 1970
mtime: 0x00000000 -- Thu Jan 1 07:00:00 1970
Blocks:
FS block 16285700 logged at sequence 1128705, journal block 6819
(inode block for inode 16269861):
Inode: 16269861 Type: bad type Mode: 0000 Flags: 0x0 Generation: 0
User: 0 Group: 0 Size: 0
File ACL: 0 Directory ACL: 0
Links: 0 Blockcount: 0
Fragment: Address: 0 Number: 0 Size: 0
ctime: 0x00000000 -- Thu Jan 1 07:00:00 1970
atime: 0x00000000 -- Thu Jan 1 07:00:00 1970
mtime: 0x00000000 -- Thu Jan 1 07:00:00 1970
Blocks:
FS block 16285700 logged at sequence 1128707, journal block 6860
(inode block for inode 16269861):
Inode: 16269861 Type: directory Mode: 0755 Flags: 0x0 Generation: 285284165
User: 0 Group: 0 Size: 4096
File ACL: 0 Directory ACL: 0
Links: 2 Blockcount: 8
Fragment: Address: 0 Number: 0 Size: 0
ctime: 0x53e18a66 -- Wed Aug 6 09:52:38 2014
atime: 0x53e18a44 -- Wed Aug 6 09:52:04 2014
mtime: 0x53e18a66 -- Wed Aug 6 09:52:38 2014
Blocks: (0+1): 16312328
Found sequence 1127169 (not 1128751) at block 9518: end of journal
debugfs: quit //-->退出后,执行dd命令,count设置为1,skip为刚才查看的值,将其放在/tmp目录。
[root]# dd if=/dev/mapper/rootVG-root of=/tmp/test.txt.bak bs=4096 count=1 skip=16312328
1+0 records in
1+0 records out
4096 bytes (4.1 kB) copied, 4.1e-05 seconds, 99.9 MB/s
[root]# cat /tmp/test.txt //-->检查内容,和原先的一致!