ext3grep
Overview
Section titled “Overview”ext3grep is a specialized tool for recovering deleted files from ext3 filesystems by analyzing the ext3 journal. It can restore deleted inodes, files, and complete directory structures without mounting the filesystem. Essential for digital forensics, incident response, and accidental data loss recovery.
Key Features:
- Journal-based recovery (no filesystem mount required)
- Recover single files or entire directory trees
- Restore deleted inodes directly
- Parallel processing for faster recovery
- Zero impact on filesystem integrity
Installation
Section titled “Installation”Debian/Ubuntu
Section titled “Debian/Ubuntu”# Install from repositories
sudo apt-get update
sudo apt-get install ext3grep
# Verify installation
ext3grep --versionRedHat/CentOS
Section titled “RedHat/CentOS”# Install via package manager
sudo yum install ext3grep
# Or compile from source
wget https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/ext3grep/ext3grep-0.10.2.tar.gz
tar -xzf ext3grep-0.10.2.tar.gz
cd ext3grep-0.10.2
./configure && make && sudo make installmacOS (via Homebrew)
Section titled “macOS (via Homebrew)”# Install using Homebrew
brew install ext3grep
# Verify
ext3grep --versionFrom Source
Section titled “From Source”# Clone or download source
git clone https://github.com/ckane/ext3grep.git
cd ext3grep
# Build and install
./configure
make
sudo make install
# Verify
which ext3grepPrerequisite: Unmount Filesystem
Section titled “Prerequisite: Unmount Filesystem”Critical: ext3grep must analyze an unmounted filesystem. Mounting the disk will update timestamps and potentially overwrite deleted data.
Unmount ext3 Partition
Section titled “Unmount ext3 Partition”# Identify filesystem device
lsblk -f
df -h
# Unmount safely
sudo umount /dev/sda1
# For root filesystem, use rescue mode or live USB
sudo reboot # Boot into single-user mode or recovery environmentUsing Live USB/CD
Section titled “Using Live USB/CD”# Boot from Kali Linux or Ubuntu Live USB
# Don't mount the target filesystem
# Use /dev/sda1 directly (unmounted)Create Raw Disk Image (Alternative)
Section titled “Create Raw Disk Image (Alternative)”# If unable to unmount, create forensic image
sudo dd if=/dev/sda1 of=filesystem.img bs=4M
# Work with image instead of live disk
ext3grep filesystem.img --lsJournal Analysis Basics
Section titled “Journal Analysis Basics”View Journal Contents
Section titled “View Journal Contents”# List all journal blocks
ext3grep /dev/sda1 --journal
# Output shows journal transaction history
# Lists deleted files and recovery timestampsExamine Journal Entries
Section titled “Examine Journal Entries”# Show journal summary
ext3grep /dev/sda1 --summary
# Detailed journal transactions
ext3grep /dev/sda1 --dump-namesRecovering Deleted Files
Section titled “Recovering Deleted Files”List Deleted Files
Section titled “List Deleted Files”# Show all deleted files found in journal
ext3grep /dev/sda1 --ls
# Output shows:
# - Inode numbers
# - File names
# - Original directory
# - File sizes
# - Deletion timestamps (approx.)Restore Specific File by Name
Section titled “Restore Specific File by Name”# Restore single deleted file
ext3grep /dev/sda1 --restore-file documents/important.pdf
# File restored to: ./RESTORED_FILES/documents/important.pdf
ls -la RESTORED_FILES/documents/
# Check file integrity
file RESTORED_FILES/documents/important.pdf
md5sum RESTORED_FILES/documents/important.pdfRestore Multiple Files by Pattern
Section titled “Restore Multiple Files by Pattern”# Restore all .txt files
ext3grep /dev/sda1 --restore-file "*.txt"
# Restore from specific directory
ext3grep /dev/sda1 --restore-file "home/user/Documents/*.pdf"
# View restored files
find RESTORED_FILES -type f -name "*.pdf"Restoring by Inode
Section titled “Restoring by Inode”Find Inode of Deleted File
Section titled “Find Inode of Deleted File”# List files with inode numbers
ext3grep /dev/sda1 --ls | grep -i "filename"
# Output shows: inode=12345 name=deleted_file.txt
# Extract inode number
ext3grep /dev/sda1 --ls | awk '/deleted_file/ {print $0}'Restore by Inode Number
Section titled “Restore by Inode Number”# Restore specific inode
ext3grep /dev/sda1 --restore-inode 12345
# File restored with inode name: 12345
ls -la RESTORED_FILES/
# Rename to original name
mv RESTORED_FILES/12345 RESTORED_FILES/deleted_file.txtBatch Restore by Inode Range
Section titled “Batch Restore by Inode Range”# Restore multiple inodes
ext3grep /dev/sda1 --restore-inode 12340 12345 12350
# Or restore all inodes in range (custom script)
for inode in {12340..12350}; do
ext3grep /dev/sda1 --restore-inode $inode
doneRestoring Directory Trees
Section titled “Restoring Directory Trees”Restore Entire Directory
Section titled “Restore Entire Directory”# Restore complete directory structure
ext3grep /dev/sda1 --restore-directory "home/user/Documents"
# All files and subdirectories restored
ls -la RESTORED_FILES/home/user/Documents/
# Verify directory tree
tree RESTORED_FILES/home/user/Documents/Restore to Different Output Location
Section titled “Restore to Different Output Location”# Specify custom output directory
ext3grep /dev/sda1 --restore-directory "var/www/html" \
--output-dir /mnt/recovery_drive/
# Files restored to specified location
ls -la /mnt/recovery_drive/var/www/html/Restore All Deleted Files
Section titled “Restore All Deleted Files”Full Recovery
Section titled “Full Recovery”# Recover all deleted files and directories
ext3grep /dev/sda1 --restore-all
# All files restored to: RESTORED_FILES/
du -sh RESTORED_FILES/
find RESTORED_FILES -type f | wc -lParallel Processing (Faster Recovery)
Section titled “Parallel Processing (Faster Recovery)”# Enable multi-threaded recovery (faster for large partitions)
ext3grep /dev/sda1 --restore-all --jobs 4
# Show progress
ext3grep /dev/sda1 --restore-all -v 3Verify Recovered Files
Section titled “Verify Recovered Files”# Check total recovered
find RESTORED_FILES -type f | wc -l
# List large files
find RESTORED_FILES -type f -size +100M -exec ls -lh {} \;
# Check filesystem usage
du -sh RESTORED_FILES/Time-Based Recovery
Section titled “Time-Based Recovery”Restore Files Deleted After Date
Section titled “Restore Files Deleted After Date”# Recover files deleted after specific timestamp
# Note: Requires journal to contain transaction dates
# Alternative: Check journal timestamps
ext3grep /dev/sda1 --summary | grep -i "timestamp"
# Use --restore-all, then filter by modification time
ls -la RESTORED_FILES/ | awk '{print $6, $7, $8, $9}'Filter by File Modification Date
Section titled “Filter by File Modification Date”# Find files modified after specific date
find RESTORED_FILES -type f -newer reference_file
# Compare with original backup date
find RESTORED_FILES -type f -mtime -30 # Last 30 daysCommon Recovery Workflows
Section titled “Common Recovery Workflows”Workflow 1: Simple Document Recovery
Section titled “Workflow 1: Simple Document Recovery”# User accidentally deleted important document
# Step 1: Boot from live USB, don't mount filesystem
# Step 2: List deleted files
ext3grep /dev/sda1 --ls | grep -i ".docx"
# Step 3: Restore by name
ext3grep /dev/sda1 --restore-file "report_2024.docx"
# Step 4: Verify integrity
file RESTORED_FILES/report_2024.docx
libreoffice RESTORED_FILES/report_2024.docxWorkflow 2: Directory-Level Recovery
Section titled “Workflow 2: Directory-Level Recovery”# Recover entire project folder
# Step 1: List directory contents
ext3grep /dev/sda1 --ls | grep "src/"
# Step 2: Restore directory tree
ext3grep /dev/sda1 --restore-directory "home/dev/projects/src"
# Step 3: Verify file count
find RESTORED_FILES/home/dev/projects/src -type f | wc -l
# Step 4: Copy to safe location
cp -r RESTORED_FILES/home/dev/projects/src /mnt/backup/Workflow 3: Forensic Investigation
Section titled “Workflow 3: Forensic Investigation”# Recover files for digital forensics
# Step 1: Create forensic image
sudo dd if=/dev/sda1 of=/mnt/forensics/evidence.img bs=4M
# Step 2: Mount image (read-only)
sudo mount -o ro,loop evidence.img /mnt/evidence
# Step 3: Run recovery
ext3grep /mnt/evidence --restore-all --output-dir /mnt/forensics/recovered/
# Step 4: Generate recovery report
find /mnt/forensics/recovered -type f > recovery_manifest.txt
du -sh /mnt/forensics/recovered/Workflow 4: Batch Inode Recovery
Section titled “Workflow 4: Batch Inode Recovery”# Recover multiple specific files by inode
# Step 1: Identify inodes
ext3grep /dev/sda1 --ls | tee deleted_files.log
# Step 2: Create recovery script
cat > recover_inodes.sh << 'EOF'
#!/bin/bash
for inode in 12345 12346 12347; do
ext3grep /dev/sda1 --restore-inode $inode
echo "Recovered inode: $inode"
done
EOF
# Step 3: Execute recovery
bash recover_inodes.sh
# Step 4: Verify restored files
ls -la RESTORED_FILES/Output and Organization
Section titled “Output and Organization”Default Recovery Location
Section titled “Default Recovery Location”# Files restored to current working directory
pwd
ls -la RESTORED_FILES/
# Subdirectory structure preserved
ls -la RESTORED_FILES/home/user/Documents/Organize Recovered Files
Section titled “Organize Recovered Files”# Sort by file type
mkdir -p recovered/{documents,images,code,other}
for file in RESTORED_FILES/**/*; do
case $file in
*.pdf|*.docx|*.txt) cp "$file" recovered/documents/ ;;
*.jpg|*.png|*.gif) cp "$file" recovered/images/ ;;
*.py|*.js|*.cpp) cp "$file" recovered/code/ ;;
*) cp "$file" recovered/other/ ;;
esac
doneBackup Recovery Results
Section titled “Backup Recovery Results”# Archive recovered files
tar -czf recovered_files_backup.tar.gz RESTORED_FILES/
# Generate checksums for verification
find RESTORED_FILES -type f -exec md5sum {} \; > recovery_checksums.txt
# Store both archive and checksum list
cp -v recovered_files_backup.tar.gz /mnt/external_drive/
cp -v recovery_checksums.txt /mnt/external_drive/Limitations and Considerations
Section titled “Limitations and Considerations”Journal Limitations
Section titled “Journal Limitations”# Ext3 journal typically stores 30-90 days of transactions
# Very old deletions may not be recoverable
# Journal overwrites as new data is written
# Check journal size
tune2fs -l /dev/sda1 | grep -i journalFilesystem Overwriting
Section titled “Filesystem Overwriting”# Deleted file blocks may be reused for new data
# Fragmented recovery possible but incomplete
# Minimize overwriting:
# 1. Don't mount filesystem after deletion
# 2. Shut down immediately after discovering deletion
# 3. Work with forensic image if possibleFile Corruption Risk
Section titled “File Corruption Risk”# Some recovered files may be corrupted if:
# - Original data blocks were overwritten
# - File metadata is incomplete
# - Filesystem was damaged
# Test recovered files before relying on them
file RESTORED_FILES/*Troubleshooting
Section titled “Troubleshooting”No Deleted Files Found
Section titled “No Deleted Files Found”# Journal may be too old or overwritten
ext3grep /dev/sda1 --summary
# Verify journal size
tune2fs -l /dev/sda1 | grep "Journal size"
# Try ext3grep with aggressive journal parsing
ext3grep /dev/sda1 --ls --verboseSegmentation Fault
Section titled “Segmentation Fault”# Corrupted filesystem or journal
# Use alternative recovery tool
# Try extundelete (alternative)
extundelete /dev/sda1 --restore-all
# Or use dd + photorec on forensic image
dd if=/dev/sda1 of=image.img
photorec image.imgIncomplete File Recovery
Section titled “Incomplete File Recovery”# File may be fragmented or partially overwritten
# Attempt recovery anyway and verify
ext3grep /dev/sda1 --restore-file "document.pdf"
# Check file size vs expected size
ls -la RESTORED_FILES/document.pdf
file RESTORED_FILES/document.pdf
# Try recovery tools like `scalpel` or `foremost`References
Section titled “References”| Resource | Purpose |
|---|---|
| ext3grep man page | Full command documentation |
| Ext3 filesystem docs | Journal recovery principles |
| Digital Forensics wiki | Recovery best practices |
| Linux Survival Guide | Filesystem recovery procedures |