Thursday, March 14, 2013

How to find deleted files using EXT3GREP



1. Installing ext3grep

ext3grep needs a C++ compiler and the e2fsprogs development headers (ext2fs/ext2_fs.h) to build. The tarball unpacks into ext3grep-0.7.0, so change into that directory, not into ext3grep:

wget http://ext3grep.googlecode.com/files/ext3grep-0.7.0.tar.gz
tar -xvzf ext3grep-0.7.0.tar.gz
cd ext3grep-0.7.0
./configure
make
cd src
./ext3grep --help


Done, ext3grep is built and working.

Before searching, unmount the filesystem you are recovering from (or remount it read-only): any write to a mounted filesystem can reuse the very blocks you are trying to get back. Better still, take a dd image of the partition and give ext3grep the image file instead of /dev/hda1, so the original device is read only once.

2. Search for the deleted folder by name:

Example: ./ext3grep /dev/hda1 --search uaconsoleclientsample

ext3grep reports every block that still contains that string. Most of them are stale copies, so the next step is to inspect each reported block and find the directory block that belonged to the deleted folder.


3. Find the exact block associated with the deleted folder by listing each candidate block:

Example: ./ext3grep /dev/hda1 --ls --block 240017


Use this script to automate the checking:

#!/bin/sh
# Replace the block list with the blocks reported by --search in the previous step.
blocks="255079 336393 336518 336526 395434 395435 395457 737282 984250 1346129 1868670 1869273 1950436 3915933 3915935 4069411 4087953 4216611 4292193 4292196 4292275 4530219 4538370 4538371 4538372 4538376 4538378 4538382 4538385 4543743 4543750 4543752 4544514 4544517 4544528 4544539 4550683 4550707 4655509 4655533 4670417 4670423 4689385 4689746 4785120 5046823 6525842 7370457 7805912"
device=/dev/hda1

# List every block, showing the output on the console and appending it to output.txt.
for block in $blocks; do
    ./ext3grep "$device" --ls --block "$block" | tee -a output.txt
done

The script runs --ls --block for each block in the list, shows the output on the console and appends it to output.txt via tee, so you can review the results later in vim.

Go through output.txt looking for entries like

Block 1869273 is a directory. The block is Allocated

and note the inode numbers listed for that block: they belong to the directory's entries, i.e. the deleted files and subdirectories.


4. List the contents behind an inode found in the previous step:

Example: ./ext3grep /dev/hda1 --ls --inode 656495


5. Restore the files you want by inode:

Example: ./ext3grep /dev/hda1 --restore-inode 2263308

ext3grep writes the recovered data under RESTORED_FILES/ in the current directory, so run it from a filesystem with enough free space and never from the one you are recovering.
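As an added example, not part of the original post, the following POSIX shell script ties the steps above together the way a forensic workflow would: it images the partition before anything else and records a hash so the copy can be checked later, runs the --ls --block loop against the image rather than the device, and picks the directory blocks out of the saved output using the "Block N is a directory" message format quoted above. The EXT3GREP path, the function names and the SAMPLE_LS_OUTPUT lines are assumptions for illustration; the sample is constructed, not captured from a real ext3grep run.

```shell
#!/bin/sh
# Added example, not from the original post: image first, then work on the copy.
# Assumptions (hypothetical, for illustration): EXT3GREP points at the binary
# built above; SAMPLE_LS_OUTPUT is constructed, not real ext3grep output.
set -u

EXT3GREP=${EXT3GREP:-./ext3grep}

# Copy a partition (or any file) to an image and record its SHA-256, so every
# ext3grep run reads the copy and the original device is never touched again.
# conv=noerror,sync keeps going past read errors but zero-pads a short final
# read, so the image can be slightly larger than the source.
make_image() {
    src=$1
    dst=$2
    dd if="$src" of="$dst" bs=4M conv=noerror,sync 2>/dev/null || return 1
    sha256sum "$dst" | awk '{print $1}' | tee "$dst.sha256"
}

# Succeed only if the image still matches the hash recorded by make_image.
verify_image() {
    img=$1
    [ "$(sha256sum "$img" | awk '{print $1}')" = "$(cat "$img.sha256")" ]
}

# Extract block numbers from lines of the form
#   Block 1869273 is a directory. The block is Allocated
# which is the message the post quotes from --ls --block output.
# Reads the files given as arguments, or stdin when none are given.
directory_blocks() {
    sed -n 's/^Block \([0-9][0-9]*\) is a directory\..*/\1/p' "$@"
}

# Run --ls --block for each block against the image, appending to a log
# that can be fed to directory_blocks afterwards.
ls_blocks() {
    img=$1
    log=$2
    shift 2
    for block in "$@"; do
        "$EXT3GREP" "$img" --ls --block "$block" | tee -a "$log"
    done
}

# Constructed sample of what the log might contain (not a real ext3grep run).
SAMPLE_LS_OUTPUT='Block 1869273 is a directory. The block is Allocated
Block 336393: constructed filler line for a block that is not a directory
Block 4538370 is a directory. The block is Unallocated'

# Typical use once the real image exists:
#   make_image /dev/hda1 /mnt/evidence/hda1.img
#   ls_blocks /mnt/evidence/hda1.img output.txt 255079 336393 1869273
#   directory_blocks output.txt
#   verify_image /mnt/evidence/hda1.img
```

Keep the image and its .sha256 file on separate storage from the filesystem being recovered, and re-run verify_image after each ext3grep session: a hash mismatch means something wrote to the copy and every result after that point needs to be redone from a fresh image.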
