Linux file system anti-deletion method

xiaoxiao2021-03-06  69

1. Brief introduction to the EXT3 file system structure

In the EXT3 file system used in Linux, files are stored in blocks. By default, each block is 1K in size, and blocks are distinguished by block number. Each file has an inode, which holds information such as the file owner, read and write permissions, and file type. For a file smaller than 12 blocks, the block numbers of the file's data blocks are stored directly in the inode. If the file is larger than 12 blocks, the inode also stores, after the 12 direct block numbers, the block number of an indirect block. The block that this indirect block number points to stores the block numbers of 256 file data blocks (each block number in EXT2FS occupies 4 bytes, so such a block can hold 1024/4 = 256 block numbers). For even larger files, the inode also uses a double indirect block and a triple indirect block.

2. Recovering accidentally deleted files

Most Linux distributions provide the debugfs tool, which can be used to edit an EXT3 file system. Before using this tool, however, there is some preparation to do.

First, remount the partition that held the deleted files in read-only mode. Use the following command (assuming the files were in the /usr partition):

mount -r -n -o remount /usr

-r mounts the partition read-only; -n means do not write /etc/mtab. Add -n if the files to recover are on /etc. If the system reports that the partition is busy, you can use the fuser command to see which processes are using files on this partition:

fuser -v -m /usr

If there is no important process, stop them with the following command:

fuser -k -v -m /usr

Then you can re-mount these file systems.

If everything is installed in one large / partition, you can type linux single at the boot prompt to enter single-user mode, which reduces the chance of data being written to the hard disk, or simply attach the hard disk to another machine. In addition, recovered data should not be written to /, to avoid destroying the data you still want to recover. If the machine has DOS/Windows partitions, you can write to those instead:

mount -n /dev/hda1 /mnt/hda

Then you can run debugfs (assuming Linux is on /dev/hda5):

# debugfs /dev/hda5

The debugfs prompt (debugfs:) will appear.

Use the lsdel command to list information about the deleted files:

debugfs: lsdel

debugfs: 2692 deleted inodes found.

Inode Owner Mode Size Blocks Time Deleted

164821 0 100600 8192 1/1 Sun May 13 19:22:46 2001

.....................................................................................

36137 0 100644 4 1/1 Tue Apr 24 10:11:15 2001

196829 0 100644 149500 38/38 Mon May 27 13:52:04 2001

debugfs:

Many files are listed (2692 here). The first field is the inode number, the second is the file owner, the third is the file mode (read and write permissions), followed by the file size, the number of blocks occupied, and the deletion time. You can then decide which entries you need based on file size and deletion date. For example, suppose we want to recover the file with inode 196829.

First, look at the file's data status:

debugfs: stat <196829>

Inode: 196829 Type: regular Mode: 0644 Flags: 0x0 Version: 1

User: 0 Group: 0 Size: 149500

File ACL: 0 Directory ACL: 0

Links: 0 Blockcount: 38

Fragment: Address: 0 Number: 0 Size: 0

ctime: 0x31a9a574 - Mon May 27 13:52:04 2001

atime: 0x31a21dd1 - Tue May 21 20:47:29 2001

mtime: 0x313bf4d7 - Tue Mar 5 08:01:27 2001

dtime: 0x31a9a574 - Mon May 27 13:52:04 2001

BLOCKS:

594810 594811 594814 594815 594816 594817 ......................................

TOTAL: 38

Then you can recover the file with the dump command:

debugfs: dump <196829> /mnt/hda/01.sav

This restores the file. Exit debugfs:

debugfs: quit
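The triage step above (choosing candidates from the lsdel listing by file size and deletion date) can be scripted when the listing runs to thousands of inodes. The following Python is an added example, not part of the original article; the function names, size threshold and time window are illustrative assumptions, and the Blocks column is read as free/total blocks.

```python
import re
from datetime import datetime

# Constructed sample: the lsdel rows from the listing above.
SAMPLE = """\
2692 deleted inodes found.
Inode Owner Mode Size Blocks Time Deleted
164821 0 100600 8192 1/1 Sun May 13 19:22:46 2001
.....................................................
36137 0 100644 4 1/1 Tue Apr 24 10:11:15 2001
196829 0 100644 149500 38/38 Mon May 27 13:52:04 2001
"""

# Columns: inode, owner, mode (octal), size, free/total blocks, deletion time.
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+([0-7]+)\s+(\d+)\s+(\d+)/\s*(\d+)\s+(.+?)\s*$")

def parse_lsdel(text):
    """Return one dict per deleted-inode row; headers and elision rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        inode, owner, mode, size, free, total, when = m.groups()
        # Drop the weekday token and collapse the space padding of single-digit days.
        stamp = " ".join(when.split()[1:])
        rows.append({
            "inode": int(inode), "owner": int(owner), "mode": int(mode, 8),
            "size": int(size), "free": int(free), "total": int(total),
            "deleted": datetime.strptime(stamp, "%b %d %H:%M:%S %Y"),
        })
    return rows

def candidates(rows, min_size, since, until):
    """Rows matching size and deletion window whose blocks are all still free
    (assumption: a lower first number in Blocks means some blocks were reused)."""
    return [r for r in rows
            if r["size"] >= min_size and since <= r["deleted"] <= until
            and r["free"] == r["total"]]

def dump_commands(rows, outdir):
    """debugfs dump lines that write each inode to a directory on another partition."""
    return [f"dump <{r['inode']}> {outdir}/{r['inode']}.sav" for r in rows]

if __name__ == "__main__":
    hits = candidates(parse_lsdel(SAMPLE), 100_000,
                      datetime(2001, 5, 27), datetime(2001, 5, 28))
    print("\n".join(dump_commands(hits, "/mnt/hda")))
```

The generated lines are meant to be entered at the debugfs prompt, with the output directory on a partition other than the one being recovered.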

Another method is to edit the inode manually:

debugfs: mi <196829>

Mode [0100644]

User ID [0]

Group ID [0]

Size [149500]

Creation Time [0x31a9a574]

Modification Time [0x31a9a574]

Access Time [0x31a21dd1]

Deletion Time [0x31a9a574] 0

Link count [0] 1

Block count [38]

File flags [0x0]

Reserved1 [0]

File ACL [0]

Directory ACL [0]

Fragment Address [0]

Fragment Number [0]

Fragment Size [0]

Direct Block #0 [594810]

................................

Triple Indirect Block [0]

The mi command displays one line of information at a time for editing. Press Enter to accept the other lines unchanged; change Deletion Time to 0 (not deleted) and Link count to 1. After making the changes, exit debugfs:

debugfs: quit

Then use fsck to check /dev/hda5:

fsck /dev/hda5

The program will report that it found lost data blocks and will put them in lost+found.

When reprinting, please cite the original address: https://www.9cbs.com/read-112725.html
