Recovering data with ext3grep
From Andor2Wiki
The usual problem: one or more files and directories on an ext3 file system were deleted by accident. On Linux there is a tool for this case called ext3grep, which is used as follows:
Unmount the affected partition:
    ~ # umount /dev/mapper/via_bgeedgfhid3
    umount: /media: device is busy.
    ~ # fuser /dev/mapper/via_bgeedgfhid3
    ~ # lsof /dev/mapper/via_bgeedgfhid3
    COMMAND  PID   USER  FD   TYPE  DEVICE  SIZE/OFF  NODE      NAME
    smbd     7354  andor2  cwd  DIR  253,3   4096      50888705  /media/
    ~ # /etc/init.d/samba stop
    ~ # umount /dev/mapper/via_bgeedgfhid3
Search the partition for the lost directory or file:
    ~ # ext3grep --search tolledatei /dev/mapper/via_bgeedgfhid3
    Running ext3grep version 0.10.1
    Number of groups: 3488
    Minimum / maximum journal block: 1545 / 35886
    Loading journal descriptors... sorting... done
    The oldest inode block that is still in the journal, appears to be from 1257372505 = Wed Nov 4 23:08:25 2009
    Journal transaction 3424402 wraps around, some data blocks might have been lost of this transaction.
    Number of descriptors in journal: 29754; min / max sequence numbers: 3423360 / 3426366
    Blocks containing "tolledatei": 20992 (allocated) 21310 (allocated) 24267 (allocated) 24275 (allocated) 24306 (allocated) 24326 (allocated) 24332 (allocated) 24345 (allocated) 24359 (allocated) 24365 (allocated) 24377 (allocated) 24397 (allocated) 24403 (allocated) 24416 (allocated) 24430 (allocated) 24436 (allocated) 24449 (allocated) 24455 (allocated) 24464 (allocated) 24495 (allocated) 24543 (allocated) 24557 (allocated) 24603 (allocated) 24622 (allocated) 24665 (allocated) 24681 (allocated) 24727 (allocated) 24742 (allocated) 24788 (allocated) 24803 (allocated) 24850 (allocated) 24875 (allocated) 24883 (allocated) 25277 (allocated) 25974 (allocated) 26024 (allocated) 26037 (allocated)
You can now look through each of these blocks to find the inode that is to be restored:
    ~ # ext3grep /dev/mapper/via_bgeedgfhid3 --ls --block 20992
    Running ext3grep version 0.10.1
    Number of groups: 3488
    Loading group metadata... done
    Minimum / maximum journal block: 1545 / 35886
    Loading journal descriptors... sorting... done
    The oldest inode block that is still in the journal, appears to be from 1257372505 = Wed Nov 4 23:08:25 2009
    Journal transaction 3424402 wraps around, some data blocks might have been lost of this transaction.
    Number of descriptors in journal: 29754; min / max sequence numbers: 3423360 / 3426366
    Group: 0
    Block 24681 is a directory. The block is a Journal block
              .-- File type in dir_entry (r=regular file, d=directory, l=symlink)
              |          .-- D: Deleted ; R: Reallocated
    Indx Next |  Inode   | Deletion time                        Mode        File name
    ==========+==========+----------------data-from-inode------+-----------+=========
       0    1 d28902421                                         drwxrwxr-x  .
       1    2 d28902420                                         drwxrwxr-x  ..
       2    3 r42893329  D 1258196891 Sat Nov 14 12:08:11 2009  rrw-rw-r--  tolledatei.test
Once the inode has been found, it can be restored like this:
    ~ # ext3grep /dev/mapper/via_bgeedgfhid3 --restore-inode 42893329
    Running ext3grep version 0.10.1
    Number of groups: 3488
    Minimum / maximum journal block: 1545 / 35886
    Loading journal descriptors... sorting... done
    The oldest inode block that is still in the journal, appears to be from 1257372505 = Wed Nov 4 23:08:25 2009
    Journal transaction 3424402 wraps around, some data blocks might have been lost of this transaction.
    Number of descriptors in journal: 29754; min / max sequence numbers: 3423360 / 3426366
    Restoring inode.42893329
The restored inode can then be found in the following directory:
    ~ # ll RESTORED_FILES/
    total 29M
    -rw-r--r-- 1 root root 29M Nov 12 22:37 inode.42893329
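The search and listing steps above can be chained so that every block hit is checked for deleted entries without reading each listing by hand. This is an added example, not part of the original page: the function names are hypothetical, the sample input is constructed from the output shown above, and it assumes file names without whitespace.

```shell
#!/bin/sh
# Added example: helpers around the ext3grep calls shown on this page.

# Read `ext3grep --search NAME DEV` output on stdin, print one block number per line.
blocks_from_search() {
    awk '
        /^Blocks containing / { found = 1; sub(/^Blocks containing ".*":/, "") }
        found { for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]+$/) print $i }'
}

# Read `ext3grep DEV --ls --block N` output on stdin, print the inode numbers of
# entries flagged D (deleted) whose file name contains $1.
# Assumption: file names contain no whitespace, so the name is the last field.
deleted_inodes() {
    awk -v name="$1" '
        $1 ~ /^[0-9]+$/ && $3 ~ /^[rdl][0-9]+$/ && $4 ~ /^D/ && index($NF, name) {
            print substr($3, 2)   # strip the r/d/l file-type prefix
        }'
}

# Chain both steps on an unmounted device; prints each candidate inode once.
find_deleted_inodes() {   # usage: find_deleted_inodes DEVICE NAME
    ext3grep --search "$2" "$1" | blocks_from_search |
    while read -r blk; do
        ext3grep "$1" --ls --block "$blk" | deleted_inodes "$2"
    done | sort -u
}

# Constructed samples, shortened from the output shown on this page.
sample_search() {
    cat <<'EOF'
Number of descriptors in journal: 29754; min / max sequence numbers: 3423360 / 3426366
Blocks containing "tolledatei": 20992 (allocated) 21310 (allocated) 24267 (allocated)
EOF
}
sample_ls() {
    cat <<'EOF'
Indx Next |  Inode   | Deletion time                        Mode        File name
==========+==========+----------------data-from-inode------+-----------+=========
   0    1 d28902421                                         drwxrwxr-x  .
   1    2 d28902420                                         drwxrwxr-x  ..
   2    3 r42893329  D 1258196891 Sat Nov 14 12:08:11 2009  rrw-rw-r--  tolledatei.test
EOF
}

sample_search | blocks_from_search       # one block number per line
sample_ls | deleted_inodes tolledatei    # inode of the deleted entry
```

On a real system, call `find_deleted_inodes /dev/mapper/via_bgeedgfhid3 tolledatei` after unmounting and pass each printed number to `--restore-inode` as shown above.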