
How to restore files deleted with the rm command on the Ext3 file system

2025-01-15 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/01

This article explains how to restore files deleted with the rm command on an Ext3 file system. Most people are not very familiar with the procedure, so it is shared here for reference.

(1) A brief introduction to the structure of the Ext3 file system

In the Ext3 file system used by Linux, files are stored in blocks. By default, the size of each block is 1K, and blocks are distinguished by their block numbers. Each file also has an inode, which records the file owner, read and write permissions, file type, and so on. For a file with fewer than 12 blocks, the block numbers of the file's blocks are stored directly in the inode. If the file is larger than 12 blocks, the inode stores, after the 12 direct block numbers, the block number of an indirect block. That indirect block holds the block numbers of 256 file data blocks (each block number in Ext2fs takes up 4 bytes, so one block can hold 1024/4 = 256 block numbers). For still larger files, double-indirect and triple-indirect blocks also appear in the inode.
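The addressing scheme above, worked through in code. This is an added example, not part of the original article: the function names are illustrative, and the 4096-byte block size used in the check is an assumption, chosen because it reproduces the 38 blocks that debugfs reports for the 149500-byte inode 196829 later in this article (37 data blocks plus one indirect block), whereas 1K blocks would give 147.

```python
ADDR_SIZE = 4   # bytes per block number, as stated in the article
DIRECT = 12     # block numbers held directly in the inode

def _ceil_div(a, b):
    return -(-a // b)

def block_usage(size, block_size=1024):
    """Count the data blocks and indirect blocks a file of `size` bytes occupies."""
    n = block_size // ADDR_SIZE              # block numbers per indirect block
    data = _ceil_div(size, block_size)
    rest = max(0, data - DIRECT)             # blocks not covered by direct slots
    single = 1 if rest else 0
    rest = max(0, rest - n)                  # blocks beyond the single-indirect block
    in_double = min(rest, n * n)
    # one top-level block plus one pointer block per n data blocks
    double = 1 + _ceil_div(in_double, n) if in_double else 0
    rest -= in_double
    if rest > n ** 3:
        raise ValueError("file exceeds triple-indirect capacity")
    leaves = _ceil_div(rest, n)
    triple = 1 + _ceil_div(leaves, n) + leaves if rest else 0
    return {"data": data, "single": single, "double": double,
            "triple": triple, "total": data + single + double + triple}

def locate(index, block_size=1024):
    """Map a logical block index to (level, slot path through the pointer blocks)."""
    n = block_size // ADDR_SIZE
    if index < DIRECT:
        return ("direct", [index])
    index -= DIRECT
    if index < n:
        return ("indirect", [index])
    index -= n
    if index < n * n:
        return ("double", [index // n, index % n])
    index -= n * n
    if index < n ** 3:
        return ("triple", [index // (n * n), (index // n) % n, index % n])
    raise ValueError("beyond triple-indirect range")

if __name__ == "__main__":
    print(block_usage(149500, block_size=4096))   # inode 196829 from this article
    print(locate(12), locate(12 + 256))
```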

(2) How to restore mistakenly deleted files

Most Linux distributions provide a debugfs tool that you can use to edit the Ext3 file system. However, there is still some work to be done before using this tool.

First, remount the partition that held the mistakenly deleted file read-only. Use the following command (assuming the file is on the /usr partition):

mount -r -n -o remount /usr

-r mounts the file system read-only; -n means do not write /etc/mtab, so add this option if you are restoring files on /etc. If the system reports "xxx partition busy", use the fuser command to see which processes are using files on this partition:

fuser -v -m /usr

If none of them are important processes, stop them with the following command:

fuser -k -v -m /usr

The file system can then be remounted.

If everything is installed in one large / partition, type linux single at the boot prompt to enter single-user mode, which minimizes the chance of system processes writing data to the hard disk, or simply attach the hard drive to another machine. In addition, do not write the recovered data to / itself, to avoid overwriting data that is still needed. If you have DOS/Windows on your machine, you can write the recovered data to those partitions. The destination has to be writable, so it is mounted without -r:

mount -n /dev/hda1 /mnt/hda

Then run debugfs (assuming Linux is on /dev/hda5):

# debugfs /dev/hda5

The debugfs prompt, debugfs:, appears.

Use the lsdel command to list information about the deleted files:

debugfs: lsdel
debugfs: 2692 deleted inodes found.
Inode   Owner  Mode    Size    Blocks   Time deleted
164821      0  100600    8192   1/  1   Sun May 13 19:22:46 2001
...
 36137      0  100644       4   1/  1   Tue Apr 24 10:11:15 2001
196829      0  100644  149500  38/ 38   Mon May 27 13:52:04 2001
debugfs:
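With thousands of entries, choosing candidates by size and deletion time is easier to do programmatically. The following added example (not part of the original article) parses lsdel output in the column layout shown above and filters it; the function names and thresholds are assumptions, and the sample text is constructed from the three rows in the listing.

```python
import re
from datetime import datetime

# Constructed sample: the three lsdel rows shown in this article.
SAMPLE = """\
 Inode  Owner  Mode    Size    Blocks   Time deleted
164821      0 100600   8192    1/   1   Sun May 13 19:22:46 2001
 36137      0 100644      4    1/   1   Tue Apr 24 10:11:15 2001
196829      0 100644 149500   38/  38   Mon May 27 13:52:04 2001
2692 deleted inodes found.
"""

# Columns: inode, owner, mode (octal), size, free/total blocks, deletion time.
ROW = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+([0-7]+)\s+(\d+)\s+(\d+)\s*/\s*(\d+)\s+"
    r"\w{3}\s+(\w{3}\s+\d+\s+\d\d:\d\d:\d\d\s+\d{4})\s*$"
)

def parse_lsdel(text):
    """Return one dict per deleted inode; header and summary lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        inode, owner, mode, size, free, total, when = m.groups()
        rows.append({
            "inode": int(inode), "owner": int(owner), "mode": int(mode, 8),
            "size": int(size), "free": int(free), "total": int(total),
            # The weekday is dropped before parsing; it adds no information.
            "deleted": datetime.strptime(" ".join(when.split()),
                                         "%b %d %H:%M:%S %Y"),
        })
    return rows

def candidates(rows, min_size, since, until):
    """Inodes of at least min_size bytes, deleted within [since, until],
    whose blocks are all still unallocated (free == total)."""
    return [r["inode"] for r in rows
            if r["size"] >= min_size
            and since <= r["deleted"] <= until
            and r["free"] == r["total"]]

if __name__ == "__main__":
    found = candidates(parse_lsdel(SAMPLE), 100000,
                       datetime(2001, 5, 1), datetime(2001, 6, 1))
    print(found)
```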

Many files are listed (2692 were found here). The first field is the file's inode number, the second field is the file owner, and the third field is the read and write permissions, followed by the file size, the number of blocks occupied, and the deletion time. You can then judge which files you need based on the file size and the deletion date. For example, suppose we want to restore the file with inode 196829.

You can first take a look at the state of the file's data:

debugfs: stat <196829>
Inode: 196829 Type: regular Mode: 0644 Flags: 0x0 Version: 1
User: 0 Group: 0 Size: 149500
File ACL: 0 Directory ACL: 0
Links: 0 Blockcount: 38
Fragment: Address: 0 Number: 0 Size: 0
Ctime: 0x31a9a574 -- Mon May 27 13:52:04 2001
Atime: 0x31a21dd1 -- Tue May 21 20:47:29 2001
Mtime: 0x313bf4d7 -- Tue Mar 5 08:01:27 2001
Dtime: 0x31a9a574 -- Mon May 27 13:52:04 2001
BLOCKS:
594810 594811 594814 594815 594816 594817 ...
TOTAL: 38

You can then restore the file with the dump command:

debugfs: dump <196829> /mnt/hda/01.sav

The file is now restored. Exit debugfs:

debugfs: quit

Another way is to edit the inode manually:

debugfs: mi <196829>
Mode [0100644]
User ID [0]
Group ID [0]
Size [149500]
Creation time [0x31a9a574]
Modification time [0x31a9a574]
Access time [0x31a21dd1]
Deletion time [0x31a9a574] 0
Link count [0] 1
Block count [38]
File flags [0x0]
Reserved1 [0]
File acl [0]
Directory acl [0]
Fragment address [0]
Fragment number [0]
Fragment size [0]
Direct Block #0 [594810]
...
Triple Indirect Block [0]

After you enter the mi command, debugfs displays one field at a time for editing. Press Enter to accept the other fields unchanged; change Deletion time to 0 (not deleted) and Link count to 1. Exit debugfs after the modification:

debugfs: quit

Then check /dev/hda5 with fsck:

fsck /dev/hda5

The program will report that it has found the missing data blocks and will place them in lost+found.
