As a multi-user, multitasking operating system, the file under Linux is deleted, it is difficult to recover. Although the deletion command is just deleted in the file node, it does not really clear the file content, but other users and some writings with writes will soon cover these data. However, for the home stand-alone use Linux, or timely remedy after being deleted, it can still be recovered.
1. EXT2 file system structure Brief introduction In the EXT2 file system used in Linux, the file is stored in blocks. By default, the size of each block is 1K, and the different blocks distinguishes between blocks. Each file has a node, including information such as file owner, read and write permissions, file types. For a file that is less than 12 blocks, the block number of the file data block is stored directly in the node. If the file is greater than 12 blocks, then the node stores a block number of a indirect block after 12 blocks. In the block corresponding to this indirect block number, the block number of 256 file data blocks is stored (each block in EXT2FS). The number occupies 4 bytes, so the block number that can be stored in such a block is 1024/4 = 256). If there is a bigger file, the secondary indirect block and the three-stage indirect block are also appeared in the node.
2. Most of the Linux distributions that recover the misused files provide a debugfs tool that can be used to edit the EXT2 file system. But before using this tool, there are some work to do. First, in a read-only mode, you are re-mounted in the partition in the partition. Use the following command: (Suppose the file in / usr partition) mount -r -n -o transount / usr -r means a read-only mode mount; -n means not writing / etc / mtab, if it is a file on / etc , Add this parameter. If the system says xxx partization busy, you can use the fuser command to use this process using the file on this partition: fuser -v -m / usr If there is no important process, stop them with the following command: fuser -k -v - M / USR then re-mounted these file systems. If you are uniformly installed in a large / partition, you can use Linux Single to enter a single user mode in the boot prompt, try to reduce the opportunity to write data to your hard disk, you should not simply hang your hard drive. Machine. In addition, the recoverable data should not be written / above to avoid destroying those useful data. If there is DOS / Windows on the machine, you can write these partitions top: mount -r -n / dev / hda1 / mnt / had can then perform Debugfs: (assuming Linux in / dev / hda5) #debugfs / dev / hda5 The Debugfs prompt debugfs appears: Use the lsdel command to list many of the deleted files: debugfs: lsdel debugfs: 2692 deleted inodes found. Inode Owner Mode Size Blocks Time deleted 164821 0 100600 8192 1/1 Sun May 13 19: 22:46 2001 .............................................................................................. 0 100644 4 1/1 Tue apr 24 10:11:15 2001 196829 0 100644 149500 38/38 Mon May 27 13:52:04 2001
