Linux file system anti-deletion method

xiaoxiao, 2021-03-06

1. Brief introduction to the ext3 file system structure

In the ext3 file system used in Linux, files are stored in blocks. By default each block is 1K in size, and blocks are distinguished by block number. Each file has an inode, which holds information such as the file owner, read and write permissions, and file type. For a file of less than 12 blocks, the block numbers of the file's data blocks are stored directly in the inode. If the file is larger than 12 blocks, the inode stores, after the 12 block numbers, the block number of an indirect block. The block that this number points to holds the block numbers of 256 file data blocks (each block number in ext2fs occupies 4 bytes, so such a block can hold 1024/4 = 256 block numbers). For even larger files, a double indirect block and a triple indirect block also appear in the inode.

2. Recovering mistakenly deleted files

Most Linux distributions provide a debugfs tool that can be used to edit the ext3 file system. Before using it, there is some preparation to do. First, remount the partition that held the deleted file in read-only mode, using the following command (assuming the file is on the /usr partition):

    mount -r -n -o remount /usr

-r mounts the file system read-only; -n means do not write /etc/mtab; add this parameter if the file is on /etc. If the system reports that the xxx partition is busy, use the fuser command to see which processes are using files on this partition:

    fuser -v -m /usr

If none of them is an important process, stop them with the following command:

    fuser -k -v -m /usr

Then remount the file system. If everything is installed in one large / partition, you can type linux single at the boot prompt to enter single-user mode, to reduce as far as possible the chance of data being written to the hard disk; you should not simply attach your hard drive to a machine.
In addition, the recovered data should not be written to /, to avoid destroying the data that is still useful. If there is a DOS/Windows partition on the machine, you can write to that partition instead:

    mount -n /dev/hda1 /mnt/had

You can then run debugfs (assuming Linux is on /dev/hda5):

    # debugfs /dev/hda5

The debugfs prompt "debugfs:" appears. Use the lsdel command to list many of the deleted files:

    debugfs: lsdel
    debugfs: 2692 deleted inodes found.
    Inode   Owner  Mode    Size    Blocks  Time deleted
    164821  0      100600  8192    1/1     Sun May 13 19:22:46 2001
    ....
    36137   0      100644  4       1/1     Tue Apr 24 10:11:15 2001
    196829  0      100644  149500  38/38   Mon May 27 13:52:04 2001
    debugfs:

Many files are listed (2692 here). The first field is the inode number, the second is the file owner, the third is the read and write permissions, followed by the file size, the number of blocks occupied, and the deletion time. You can then judge which files you need from the file size and deletion date.
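With thousands of deleted inodes listed, picking candidates by size and deletion date is easier to do with a script than by eye. The following Python sketch is an added example, not part of the original article: it parses saved lsdel output and filters it by deletion window, minimum size and owner. The sample text is constructed around the three rows shown above, the function names are hypothetical, and reading the Blocks column as free/total blocks is an assumption of this example.

```python
import re
from datetime import datetime

# Constructed sample of lsdel output; the three data rows reuse the article's values.
SAMPLE = """\
debugfs: lsdel
2692 deleted inodes found.
 Inode  Owner  Mode    Size    Blocks   Time deleted
164821      0 100600   8192    1/   1 Sun May 13 19:22:46 2001
....
 36137      0 100644      4    1/   1 Tue Apr 24 10:11:15 2001
196829      0 100644 149500   38/  38 Mon May 27 13:52:04 2001
debugfs:
"""

# inode, owner uid, octal mode, size in bytes, free/total blocks (assumed), weekday, timestamp
ROW = re.compile(
    r"^\s*(?P<inode>\d+)\s+(?P<owner>\d+)\s+(?P<mode>[0-7]+)\s+(?P<size>\d+)"
    r"\s+(?P<free>\d+)\s*/\s*(?P<total>\d+)"
    r"\s+\w{3}\s+(?P<when>\w{3}\s+\d+\s+[\d:]{8}\s+\d{4})\s*$")

def parse_lsdel(text):
    """Return one dict per deleted-inode row; skip prompts, headers and filler."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m is None:
            continue
        when = " ".join(m["when"].split())  # collapse padding before a 1-digit day
        rows.append({
            "inode": int(m["inode"]), "owner": int(m["owner"]), "mode": m["mode"],
            "size": int(m["size"]), "free": int(m["free"]), "total": int(m["total"]),
            "deleted": datetime.strptime(when, "%b %d %H:%M:%S %Y"),
        })
    return rows

def candidates(rows, start, end, min_size=1, owner=None):
    """Rows deleted in [start, end], at least min_size bytes, newest first."""
    hits = [r for r in rows
            if start <= r["deleted"] <= end and r["size"] >= min_size
            and (owner is None or r["owner"] == owner)
            and r["free"] == r["total"]]  # keep rows whose block counts match
    return sorted(hits, key=lambda r: r["deleted"], reverse=True)

if __name__ == "__main__":
    for r in candidates(parse_lsdel(SAMPLE), datetime(2001, 5, 1), datetime(2001, 6, 1)):
        print(r["inode"], r["size"], r["deleted"])
```

Save the lsdel listing to a file on a partition other than the one being recovered before feeding it to the parser, in keeping with the rule above about not writing to the affected file system.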
