[Source] http://kldp.org/node/103288
While browsing the Fedora 10 package list, one package caught my curiosity. On closer inspection it turned out to be a tool that recovers deleted files from ext3 file systems.
Because ext3 differs from ext2 in how it handles deletion, recovering deleted files on ext3 used to require knowing some fairly difficult commands, and the recovery rate was poor. ext3grep, however, was enough to change that view.
The source can be downloaded from http://code.google.com/p/ext3grep/, and recent releases of Fedora and Debian already include it, so install it with your distribution's package manager.
After installing it I ran a simple test. To keep it short I created a partition of about 1GB and ran the test there.
# mkfs.ext3 /dev/sdb1
# mount /dev/sdb1 /mnt/test/
# df -h
/dev/sdb1             966M   18M  899M   2% /mnt/test
I created a few directories and files.
# ls *
test1.txt  test2.txt  테스트.txt  테스트2.txt

dir1:
dir1.txt

dir2:
dir2.txt

dir3:
dir3.txt

lost+found:

디렉토리1:
디렉토리1.txt

디렉토리2:
디렉토리2.txt

디렉토리3:
디렉토리3.txt
Then I deleted some of them.
# rm -rf dir2 dir3 test2.txt 디렉토리1 디렉토리3 테스트.txt
Now it is time to unmount the file system and actually use ext3grep.
# umount /mnt/test
--dump-names lists the names of the files on the device, including their paths.
# ext3grep --dump-names /dev/sdb1
Running ext3grep version 0.10.1
Number of groups: 8
Minimum / maximum journal block: 562 / 4664
Loading journal descriptors... sorting... done
The oldest inode block that is still in the journal, appears to be from 1235694214 = Fri Feb 27 09:23:34 2009
Number of descriptors in journal: 269; min / max sequence numbers: 2 / 40
Finding all blocks that might be directories.
D: block containing directory start, d: block containing more directory entries.
Each plus represents a directory start that references the same inode as a directory start that we found previously.
Searching group 0: DDD+DD+++++++++++++++++D+DD+++++++++
Searching group 1: +
Searching group 2: +
Searching group 3: +
Searching group 4: +
Searching group 5: +
Searching group 6: +
Searching group 7:
Writing analysis so far to 'sdb1.ext3grep.stage1'. Delete that file if you want to do this stage again.
Result of stage one:
  8 inodes are referenced by one or more directory blocks, 4 of those inodes are still allocated.
  7 inodes are referenced by more than one directory block, 3 of those inodes are still allocated.
  0 blocks contain an extended directory.
Result of stage two:
  4 of those inodes could be resolved because they are still allocated.
  4 inodes could be resolved because all refering blocks but one were journal blocks.
All directory inodes are accounted for!
Writing analysis so far to 'sdb1.ext3grep.stage2'. Delete that file if you want to do this stage again.
dir1
dir1/.dir1.txt.swp
dir1/dir1.txt
dir2
dir2/.dir2.txt.swp
dir2/dir2.txt
dir3
dir3/.dir3.txt.swp
dir3/dir3.txt
lost+found
test1.txt
test2.txt
디렉토리1
디렉토리1/.디렉토리1.txt.swp
디렉토리1/디렉토리1.txt
디렉토리2
디렉토리2/.디렉토리2.txt.swp
디렉토리2/디렉토리2.txt
디렉토리3
디렉토리3/.디렉토리3.txt.swp
디렉토리3/디렉토리3.txt
테스트.txt
테스트2.txt
Running the command above creates the files sdb1.ext3grep.stage1 and sdb1.ext3grep.stage2, which hold the inode and block information gathered so far. Once created they are reused by later commands, so the search time drops.
# cat sdb1.ext3grep.stage1
# Stage 1 data for /dev/sdb1.
# Inodes and directory start blocks that use it for dir entry '.'.
# INODE : BLOCK [BLOCK ...]
2 : 556 573 597 605 610 682 688 698 703 713 719 732 859
11 : 557
15713 : 740 792 800 805 40960
31425 : 582 659 666 671 79872
47137 : 571 620 628 633 112640
62849 : 578 645 651 145408
78561 : 736 774 780 172032
94273 : 730 749 757 762 204800
# Extended directory blocks.
# END
# cat sdb1.ext3grep.stage2
# Stage 2 data for /dev/sdb1.
# Inodes path and directory blocks.
# INODE PATH BLOCK [BLOCK ...]
2 '' 556
11 'lost+found' 557
15713 '디렉토리3' 40960
31425 'dir3' 79872
47137 'dir1' 112640
62849 'dir2' 145408
78561 '디렉토리2' 172032
94273 '디렉토리1' 204800
# END
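The two cache files have a simple line-oriented format, so here is a small parser for them. This is an added example written for this post, not code from the original post or from ext3grep itself; the sample text is copied from the listing above, and the consistency check and the "older block" summary are my own additions that rely on nothing beyond that format.

```python
"""Parse the sdb1.ext3grep.stage1 / .stage2 cache files.

Added example, not part of the original post or of ext3grep. The format is
taken from the two files shown above: '#' lines are comments, stage1 data
lines are 'INODE : BLOCK [BLOCK ...]', stage2 data lines are
"INODE 'PATH' BLOCK [BLOCK ...]".
"""
import re

# Constructed sample: the stage1 listing from the post, verbatim.
STAGE1_SAMPLE = """\
# Stage 1 data for /dev/sdb1.
# Inodes and directory start blocks that use it for dir entry '.'.
# INODE : BLOCK [BLOCK ...]
2 : 556 573 597 605 610 682 688 698 703 713 719 732 859
11 : 557
15713 : 740 792 800 805 40960
31425 : 582 659 666 671 79872
47137 : 571 620 628 633 112640
62849 : 578 645 651 145408
78561 : 736 774 780 172032
94273 : 730 749 757 762 204800
# Extended directory blocks.
# END
"""

# Constructed sample: the stage2 listing from the post, verbatim.
STAGE2_SAMPLE = """\
# Stage 2 data for /dev/sdb1.
# Inodes path and directory blocks.
# INODE PATH BLOCK [BLOCK ...]
2 '' 556
11 'lost+found' 557
15713 '디렉토리3' 40960
31425 'dir3' 79872
47137 'dir1' 112640
62849 'dir2' 145408
78561 '디렉토리2' 172032
94273 '디렉토리1' 204800
# END
"""

STAGE2_LINE = re.compile(r"^(\d+) '(.*)' (.*)$")


def parse_stage1(text):
    """Map directory inode -> every block whose '.' entry points at it."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        inode, _, blocks = line.partition(":")
        result[int(inode)] = [int(b) for b in blocks.split()]
    return result


def parse_stage2(text):
    """Map directory inode -> (path, [block(s) resolved as the live copy])."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = STAGE2_LINE.match(line)
        if m is None:
            raise ValueError("unexpected stage2 line: %r" % line)
        inode, path, blocks = m.groups()
        result[int(inode)] = (path, [int(b) for b in blocks.split()])
    return result


def check_consistency(stage1, stage2):
    """Return stage2 inodes whose resolved block never appeared in stage1.

    stage2 is derived from stage1, so an empty list is expected; anything
    else means one cache file is stale and both should be deleted and rebuilt.
    """
    bad = []
    for inode, (_path, blocks) in stage2.items():
        seen = stage1.get(inode, [])
        if inode not in stage1 or any(b not in seen for b in blocks):
            bad.append(inode)
    return bad


def older_blocks(stage1, stage2):
    """Per directory path, the stage1 blocks that stage2 did NOT pick.

    These are the other copies of the same directory; ext3grep's own stage-two
    summary above attributes all but one of them to the journal.
    """
    return {
        path: [b for b in stage1[inode] if b not in chosen]
        for inode, (path, chosen) in stage2.items()
    }


if __name__ == "__main__":
    s1 = parse_stage1(STAGE1_SAMPLE)
    s2 = parse_stage2(STAGE2_SAMPLE)
    print("stale inodes:", check_consistency(s1, s2))
    for path, blocks in older_blocks(s1, s2).items():
        print("%-14r %2d older directory block(s)" % (path, len(blocks)))
```

Point it at the real files with `parse_stage1(open("sdb1.ext3grep.stage1").read())` and the same for stage2; the root directory (inode 2) shows up with an empty path, exactly as in the file.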
--restore-all creates a directory named RESTORED_FILES in the directory the command is run from and restores every file on the device into it. Check that there is enough free space before running it.
# ext3grep --restore-all /dev/sdb1
Running ext3grep version 0.10.1
Number of groups: 8
Minimum / maximum journal block: 562 / 4664
Loading journal descriptors... sorting... done
The oldest inode block that is still in the journal, appears to be from 1235694214 = Fri Feb 27 09:23:34 2009
Number of descriptors in journal: 269; min / max sequence numbers: 2 / 40
Writing output to directory RESTORED_FILES/
Finding all blocks that might be directories.
D: block containing directory start, d: block containing more directory entries.
Each plus represents a directory start that references the same inode as a directory start that we found previously.
Searching group 0: DDD+DD+++++++++++++++++D+DD+++++++++
Searching group 1: +
Searching group 2: +
Searching group 3: +
Searching group 4: +
Searching group 5: +
Searching group 6: +
Searching group 7:
Writing analysis so far to 'sdb1.ext3grep.stage1'. Delete that file if you want to do this stage again.
Result of stage one:
  8 inodes are referenced by one or more directory blocks, 4 of those inodes are still allocated.
  7 inodes are referenced by more than one directory block, 3 of those inodes are still allocated.
  0 blocks contain an extended directory.
Result of stage two:
  4 of those inodes could be resolved because they are still allocated.
  4 inodes could be resolved because all refering blocks but one were journal blocks.
All directory inodes are accounted for!
Writing analysis so far to 'sdb1.ext3grep.stage2'. Delete that file if you want to do this stage again.
Restoring dir1/.dir1.txt.swp
Restoring dir1/dir1.txt
Restoring dir2/.dir2.txt.swp
Restoring dir2/dir2.txt
Restoring dir3/.dir3.txt.swp
Restoring dir3/dir3.txt
Restoring test1.txt
Restoring test2.txt
Restoring 디렉토리1/.디렉토리1.txt.swp
Restoring 디렉토리1/디렉토리1.txt
Restoring 디렉토리2/.디렉토리2.txt.swp
Restoring 디렉토리2/디렉토리2.txt
Restoring 디렉토리3/.디렉토리3.txt.swp
Restoring 디렉토리3/디렉토리3.txt
Restoring 테스트.txt
Restoring 테스트2.txt
# cd RESTORED_FILES/
# ls *
test1.txt  test2.txt  테스트.txt  테스트2.txt

dir1:
dir1.txt

dir2:
dir2.txt

dir3:
dir3.txt

lost+found:

디렉토리1:
디렉토리1.txt

디렉토리2:
디렉토리2.txt

디렉토리3:
디렉토리3.txt
Several filters can be combined with --restore-all. With the --after option only files deleted after the given time are restored; the time is given as unix time.
# ext3grep --restore-all --after=1235694514 /dev/sdb1
Running ext3grep version 0.10.1
Only show/process deleted entries if they are deleted on or after Fri Feb 27 09:28:34 2009.
Number of groups: 8
Minimum / maximum journal block: 562 / 4664
Loading journal descriptors... sorting... done
The oldest inode block that is still in the journal, appears to be from 1235694214 = Fri Feb 27 09:23:34 2009
Number of descriptors in journal: 269; min / max sequence numbers: 2 / 40
Loading sdb1.ext3grep.stage2... done
Not undeleting "dir1/.dir1.txt.swp" because it was deleted before 1235694514 (32767)
Restoring dir1/dir1.txt
Not undeleting "dir2/.dir2.txt.swp" because it was deleted before 1235694514 (1235694303)
Not undeleting "dir2/dir2.txt" because it was deleted before 1235694514 (1235694303)
Not undeleting "dir3/.dir3.txt.swp" because it was deleted before 1235694514 (1235694303)
Not undeleting "dir3/dir3.txt" because it was deleted before 1235694514 (1235694303)
Restoring test1.txt
Not undeleting "test2.txt" because it was deleted before 1235694514 (1235694287)
Not undeleting "디렉토리1/.디렉토리1.txt.swp" because it was deleted before 1235694514 (1235694287)
Not undeleting "디렉토리1/디렉토리1.txt" because it was deleted before 1235694514 (1235694287)
Not undeleting "디렉토리2/.디렉토리2.txt.swp" because it was deleted before 1235694514 (1235694287)
Restoring 디렉토리2/디렉토리2.txt
Not undeleting "디렉토리3/.디렉토리3.txt.swp" because it was deleted before 1235694514 (1235694404)
Not undeleting "디렉토리3/디렉토리3.txt" because it was deleted before 1235694514 (1235694404)
Not undeleting "테스트.txt" because it was deleted before 1235694514 (1235694404)
Restoring 테스트2.txt
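Since --after wants a unix timestamp, and ext3grep prints a deletion time for every entry it skips, a short script can compute the cutoff from a human-readable time and preview which of the skipped entries a different cutoff would pick up. This is an added example, not part of the original post or of ext3grep; the log lines are copied from the run above, the UTC+9 offset is an assumption inferred from the post's own timestamps (1235694214 prints as 09:23:34 only at that offset), and treating the value 32767 as an unknown deletion time is an assumption as well.

```python
"""Choose an --after cutoff and preview what it would restore.

Added example, not from the original post or from ext3grep. It relies on two
things visible in the post's output: --after takes a unix timestamp, and each
skipped entry is reported as
    Not undeleting "PATH" because it was deleted before CUTOFF (DTIME)
Assumptions: the post's clock is UTC+9, and a DTIME far in the past (32767
in the sample) is a sentinel meaning "unknown", not a real deletion time.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: lines copied from the --after run above.
LOG_SAMPLE = """\
Not undeleting "dir1/.dir1.txt.swp" because it was deleted before 1235694514 (32767)
Restoring dir1/dir1.txt
Not undeleting "dir2/dir2.txt" because it was deleted before 1235694514 (1235694303)
Not undeleting "test2.txt" because it was deleted before 1235694514 (1235694287)
Not undeleting "테스트.txt" because it was deleted before 1235694514 (1235694404)
Restoring 테스트2.txt
"""

SKIPPED = re.compile(
    r'^Not undeleting "(.*)" because it was deleted before (\d+) \((\d+)\)$')

# Assumption: any deletion time before this is a sentinel, not a real time.
SANE_EPOCH = 946684800  # 2000-01-01 00:00:00 UTC


def after_timestamp(local, utc_offset_hours):
    """Unix time for 'YYYY-MM-DD HH:MM:SS' read in the given UTC offset.

    Getting the offset wrong shifts the cutoff by whole hours, which is
    enough to silently skip the files you wanted back.
    """
    tz = timezone(timedelta(hours=utc_offset_hours))
    when = datetime.strptime(local, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
    return int(when.timestamp())


def deletion_times(text):
    """Map path -> deletion time (None if unknown) for each skipped entry.

    'Restoring ...' lines carry no timestamp, so they are not included.
    """
    times = {}
    for line in text.splitlines():
        m = SKIPPED.match(line.strip())
        if m is None:
            continue
        path, dtime = m.group(1), int(m.group(3))
        times[path] = dtime if dtime >= SANE_EPOCH else None
    return times


def preview(times, cutoff):
    """Split skipped entries by what a new --after=cutoff would do with them.

    Returns (restore, skip, unknown). ext3grep restores entries deleted on or
    after the cutoff, so the comparison is >=.
    """
    restore, skip, unknown = [], [], []
    for path, dtime in times.items():
        if dtime is None:
            unknown.append(path)
        elif dtime >= cutoff:
            restore.append(path)
        else:
            skip.append(path)
    return restore, skip, unknown


if __name__ == "__main__":
    cutoff = after_timestamp("2009-02-27 09:25:00", 9)
    restore, skip, unknown = preview(deletion_times(LOG_SAMPLE), cutoff)
    print("--after=%d" % cutoff)
    print("would restore:", restore)
    print("would skip:   ", skip)
    print("unknown dtime:", unknown)
```

Entries in the "unknown" list are the ones no time filter can decide; if they matter, restore them by name with --restore-file instead of relying on --after.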
To restore only a file with a particular name, give the file name after --restore-file.
# ext3grep --restore-file 테스트.txt /dev/sdb1
Running ext3grep version 0.10.1
Number of groups: 8
Minimum / maximum journal block: 562 / 4664
Loading journal descriptors... sorting... done
The oldest inode block that is still in the journal, appears to be from 1235694214 = Fri Feb 27 09:23:34 2009
Number of descriptors in journal: 269; min / max sequence numbers: 2 / 40
Writing output to directory RESTORED_FILES/
Loading sdb1.ext3grep.stage2... done
Restoring 테스트.txt
# cd RESTORED_FILES/
# ls
테스트.txt
If the file lives under a directory, give the exact path. The path-qualified names come from --dump-names, which we ran earlier.
# ext3grep --restore-file dir2/dir2.txt /dev/sdb1
Running ext3grep version 0.10.1
Number of groups: 8
Minimum / maximum journal block: 562 / 4664
Loading journal descriptors... sorting... done
The oldest inode block that is still in the journal, appears to be from 1235694214 = Fri Feb 27 09:23:34 2009
Number of descriptors in journal: 269; min / max sequence numbers: 2 / 40
Loading sdb1.ext3grep.stage2... done
Restoring dir2/dir2.txt
There are more options, but this much should be enough for an ordinary user to recover files. As the name says, it recovers ext3 only: it cannot recover from a partition that has since been reformatted, or from other file systems.
Finally, one word of caution: when you delete a file by mistake, unmount the device as quickly as possible so the data is not overwritten.
See the author's home page for more details.