# 1、安装

cd /opt
wget [url]http://ext3grep.googlecode.com/files/ext3grep-0.10.1.tar.gz[/url]
tar -zxf ext3grep-0.10.1.tar.gz
cd ext3grep-0.10.1
./configure 
make
make install

# 2、制造分区
mkdir /home/sheng
cd /home/sheng
dd if=/dev/zero of=file count=102400
mkfs.ext3 file
# !!!!按Y继续
mount -o loop /home/sheng/file /mnt/

# 可以看到已经挂上去了

df -h

# 写入数据到 /mnt

mkdir /mnt/del
echo 1 > /mnt/del/1
echo 2 > /mnt/del/2
echo 3 > /mnt/del/3

# 删除数据

rm -rf /mnt/del

# 3、开始恢复

# 卸载文件所在的分区 /home/sheng/file
umount /home/sheng/file
# 查看
df -h

# 扫描分区

ext3grep /home/sheng/file --ls --inode 2

- - - - - 

[root@db1 sheng]# ext3grep /home/sheng/file --ls --inode 2

Running ext3grep version 0.10.1
Number of groups: 7
Loading group metadata... done
Minimum / maximum journal block: 447 / 4561
Loading journal descriptors... sorting... done
The oldest inode block that is still in the journal, appears to be from 12454502                                                                                             09 = Sat Jun 20 06:23:29 2009
Number of descriptors in journal: 17; min / max sequence numbers: 2 / 3
Inode is Allocated
Finding all blocks that might be directories.
D: block containing directory start, d: block containing more directory entries.
Each plus represents a directory start that references the same inode as a direc                                                                                             tory start that we found previously.

Searching group 0: DDD++

Searching group 1:
Searching group 2:
Searching group 3:
Searching group 4:
Searching group 5:
Searching group 6:
Writing analysis so far to 'file.ext3grep.stage1'. Delete that file if you want                                                                                              to do this stage again.
Result of stage one:
  3 inodes are referenced by one or more directory blocks, 2 of those inodes are                                                                                              still allocated.
  1 inodes are referenced by more than one directory block, 1 of those inodes is                                                                                              still allocated.
  0 blocks contain an extended directory.
Result of stage two:
  2 of those inodes could be resolved because they are still allocated.
All directory inodes are accounted for!

Writing analysis so far to 'file.ext3grep.stage2'. Delete that file if you want                                                                                              to do this stage again.
The first block of the directory is 433.
Inode 2 is directory "".
Directory block 433:
          .-- File type in dir_entry (r=regular file, d=directory, l=symlink)
          |          .-- D: Deleted ; R: Reallocated
Indx Next |  Inode   | Deletion time                        Mode        File nam                                                                                             e
==========+==========+----------------data-from-inode------+-----------+========                                                                                             =
   0    1 d       2                                         drwxr-xr-x  .
   1    2 d       2                                         drwxr-xr-x  ..
   2  end d      11                                         drwx------  lost+fou                                                                                             nd
   3  end d    5497  D 1245450214 Sat Jun 20 06:23:34 2009  drwxr-xr-x  del
[root@db1 sheng]#

- - - - - 

# 查询
ext3grep /home/sheng/file --ls --inode 2

# 恢复单个 仅目录 里面的文件恢复失败 ..

ext3grep /home/sheng/file --restore-file del --depth del

# 恢复目录里面的一个文件

ext3grep /home/sheng/file --restore-file del/1

# 恢复所有文件

ext3grep /home/sheng/file --restore-all