
extundelete

extundelete is a powerful recovery utility for ext3 and ext4 filesystems that recovers deleted files and directories without mounting the partition. It analyzes the filesystem journal and inode tables to reconstruct deleted files. Ideal for digital forensics, data recovery, and incident response on Linux systems.

Key Features:

  • Supports ext3 and ext4 filesystems
  • No mount required (safe analysis)
  • Single file or batch recovery
  • Directory tree restoration
  • Inode-based recovery
  • Automatic journal analysis
  • Partition-safe operations
# Debian/Ubuntu: refresh the package index, then pull the package in
sudo apt-get update
sudo apt-get install extundelete

# Confirm the binary is on PATH and runs
extundelete --version
# RHEL/CentOS-style systems: classic yum
sudo yum install extundelete

# Newer releases ship dnf in place of yum
sudo dnf install extundelete
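# Install via Homebrew (requires formula)
brew install extundelete

# Or build from source
# Download source
wget https://sourceforge.net/projects/extundelete/files/extundelete/0.2.4/extundelete-0.2.4.tar.bz2

# Verify the tarball before building it. Compare against the checksum the
# project publishes; the value below is a placeholder, substitute the real one.
printf '%s  %s\n' '<EXPECTED_SHA256_PLACEHOLDER>' extundelete-0.2.4.tar.bz2 | sha256sum -c - || exit 1

# Extract and build. extundelete links against libext2fs, so the e2fsprogs
# development headers must be present (package name varies by distribution,
# e.g. libext2fs-dev / e2fslibs-dev / e2fsprogs-devel).
tar -xjf extundelete-0.2.4.tar.bz2
cd extundelete-0.2.4 || exit 1
./configure && make && sudo make install

# Verify
extundelete --version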

Critical: Always work with unmounted filesystems to prevent data overwriting and ensure accurate recovery.

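# List block devices
lsblk -f
df -h

# Unmount filesystem. This fails while the filesystem is busy, and the root
# filesystem cannot be unmounted from a running system at all (boot live
# media for that case), so do not continue past a failure.
sudo umount /dev/sda1 || exit 1

# Verify unmounted. findmnt reports only mounts of exactly this device and
# exits non-zero when there are none, unlike "mount | grep sda1" which also
# matches sda10, sda11, ... and whose result has to be eyeballed.
lsblk -f
if findmnt /dev/sda1 >/dev/null; then
  printf '%s\n' '/dev/sda1 is still mounted' >&2
  exit 1
fi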
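# Boot into recovery mode or live USB
# Don't mount target filesystem
# Access unmounted partition as /dev/sda1

# Verify partition is unmounted. "extundelete --version" only shows that the
# tool runs; it says nothing about mount state, so query the mount table.
if findmnt /dev/sda1 >/dev/null; then
  printf '%s\n' '/dev/sda1 is mounted; unmount it before recovery' >&2
  exit 1
fi

# Then confirm the tool itself is available
sudo extundelete --version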
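# Device must be unmounted
# If unable to unmount, create forensic copy. An image taken from a mounted
# filesystem can be internally inconsistent, so prefer imaging from live media.
# conv=noerror,sync carries on past unreadable sectors (zero-filled) so the
# image stays block-aligned; the hash lets later steps prove the image was
# not altered while being analysed.
sudo dd if=/dev/sda1 of=partition.img bs=4M conv=noerror,sync status=progress
sha256sum partition.img > partition.img.sha256

# Work with image (same commands, use ./partition.img)
extundelete ./partition.img --ls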
# List every deleted entry the tool can see on the partition
extundelete /dev/sda1 --ls

# Each line carries the inode number, the name and the deletion state

# Keep a copy of the listing so it can be searched later without rescanning
extundelete /dev/sda1 --ls > deleted_files.txt
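# Display partition details
# Inode 2 is the root directory on ext2/3/4, so this dumps the root directory
# inode and its entries (plus the tool's own filesystem-loading summary).
extundelete /dev/sda1 --inode 2

# The filesystem parameters themselves — type/feature flags, total inodes,
# block size, journal inode — come from the superblock; read it directly
# rather than inferring them from the inode dump.
sudo dumpe2fs -h /dev/sda1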
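# Enumerate all deleted items in directory tree
# Per the 0.2.4 usage text, "-j" takes an external journal device/file as its
# argument; it is not a recurse/"journal" switch. Only pass "-j <journal>"
# when the filesystem was created with an external journal.
extundelete /dev/sda1 --ls

# Shows:
# - Directory structure
# - Deleted files at all levels
# - Inode references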
# Pull back one file by its path (written without a leading slash, as in every
# example on this page)
extundelete /dev/sda1 --restore-file 'documents/report.pdf'

# The result lands at ./RECOVERED_FILES/documents/report.pdf

# Confirm it exists and still looks like a PDF
ls -la -- RECOVERED_FILES/documents/
file -- RECOVERED_FILES/documents/report.pdf
# Restore every .txt file
# NOTE(review): the 0.2.4 usage text documents --restore-file as taking a
# path; wildcard matching is not documented there. If these return nothing,
# list with --ls, pick the paths, and restore them one at a time.
extundelete /dev/sda1 --restore-file '*.txt'

# Restrict the pattern to one directory
extundelete /dev/sda1 --restore-file 'home/user/Desktop/*.docx'

# See what actually came back
find RECOVERED_FILES -name '*.txt'
find RECOVERED_FILES -name '*.docx'
# Names are matched as given, so try each spelling of the case
extundelete /dev/sda1 --restore-file 'Report.PDF'
extundelete /dev/sda1 --restore-file 'report.pdf'
extundelete /dev/sda1 --restore-file 'REPORT.PDF'

# Whichever variants exist are recovered
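# List deleted files with inode numbers
extundelete /dev/sda1 --ls | grep -- "deleted_file"

# Output example:
# Inode number  11234, name deleted_file.txt

# Extract inode using grep. The pattern tolerates both "Inode 11234" and the
# "Inode number  11234" form shown above (the original 'Inode \K[0-9]+' did
# not match its own example); adjust if your version prints a columnar
# "File name | Inode number | Deleted status" table instead.
extundelete /dev/sda1 --ls | grep -oP 'Inode(?: number)?\s+\K[0-9]+'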
# Restore a single inode directly — handy when the name is gone but the
# inode number is known from the --ls output
extundelete /dev/sda1 --restore-inode 11234

# Written under RECOVERED_FILES/, named after the inode number or the
# original name when that can still be recovered

ls -la -- RECOVERED_FILES/
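# Restore multiple specific inodes (comma-separated list, one invocation)
extundelete /dev/sda1 --restore-inode 11234,11235,11236

# Or one at a time in a script. Quote the expansion (SC2086) and report a
# failed inode instead of losing the error in the loop output.
for inode in 11234 11235 11236; do
  extundelete /dev/sda1 --restore-inode "$inode" \
    || printf 'inode %s: restore failed\n' "$inode" >&2
done

# Verify all recovered
ls -la -- RECOVERED_FILES/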
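# Recover entire directory
extundelete /dev/sda1 --restore-directory "home/user/projects"

# All subdirectories and files restored
ls -la -- RECOVERED_FILES/home/user/projects/

# Verify structure preserved. tree is frequently absent on recovery/live
# media, so fall back to a sorted find listing rather than failing.
if command -v tree >/dev/null; then
  tree RECOVERED_FILES/home/user/projects/
else
  find RECOVERED_FILES/home/user/projects/ | sort
fi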
# Restoring by inode number works for directories as well
extundelete /dev/sda1 --restore-inode 5000

# When inode 5000 is a directory, its contents are written under
# RECOVERED_FILES/

ls -la -- RECOVERED_FILES/
# Pull back a directory together with everything below it
extundelete /dev/sda1 --restore-directory 'var/www/html'

# Count the regular files that came back
find RECOVERED_FILES/var/www/html -type f | wc -l

# Size of the restored tree
du -sh -- RECOVERED_FILES/var/www/html/
# Attempt to recover everything the tool can still find
extundelete /dev/sda1 --restore-all

# Everything is written beneath RECOVERED_FILES/
du -sh -- RECOVERED_FILES/

# Tally files and directories separately
find RECOVERED_FILES -type f | wc -l
find RECOVERED_FILES -type d | wc -l
# Show verbose output during recovery
# NOTE(review): -v is not among the options in the 0.2.4 usage text as I
# know it (logging is controlled through --log / --log-debug / --log-info);
# confirm -v is accepted by your build before relying on it.
extundelete /dev/sda1 --restore-all -v

# Output shows:
# - Files being recovered
# - Current inode
# - Recovery progress

# Long runs: background the job and keep a log; 2>&1 folds stderr into it
extundelete /dev/sda1 --restore-all -v 2>&1 | tee recovery.log &
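# Recover files deleted after specific date
# extundelete filters on the inode deletion time itself with --after / --before
# (UNIX epoch seconds), so the filter is applied to the filesystem/journal
# data rather than to the recovered copies.
after=$(date -d '2024-01-01' +%s)
extundelete /dev/sda1 --restore-all --after "$after"

# Check partition journal (its size/age bounds what is still recoverable)
sudo tune2fs -l /dev/sda1 | grep -i journal

# Filtering the *output* by atime/mtime is not a substitute: files written
# into RECOVERED_FILES generally carry the timestamps of the recovery run,
# not of the original file (check with stat before relying on them).
find RECOVERED_FILES -type f -atime -30  # Last 30 days (of the recovery run)
find RECOVERED_FILES -type f -mtime -7   # Last 7 days (of the recovery run)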

Filter Recovered Files by Modification Time

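# Find recently modified files in recovered set
# "RECOVERED_FILES/**/*" only recurses when the globstar option is on; without
# it ** behaves like a single *. Let find walk the tree and print its own
# timestamps instead of parsing ls output.
find RECOVERED_FILES -type f -printf '%TY-%Tm-%Td %TT %p\n' | sort | tail -20

# Or use find with time stamps. Note these compare the mtime of the
# recovered copy, which usually reflects the recovery run, not the original.
find RECOVERED_FILES -type f -newermt "2024-01-01"

# Compare against backup date
find RECOVERED_FILES -type f -newer reference_checkpoint_file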
# Scenario: a user deleted a single file by accident

# Step 1: stop writes to the filesystem straight away
sudo umount /dev/sda1

# Step 2: find the entry in the deleted listing
extundelete /dev/sda1 --ls | grep -- "filename"

# Step 3: pull back that one path
extundelete /dev/sda1 --restore-file "path/to/deleted_file.txt"

# Step 4: check type and content
file -- RECOVERED_FILES/path/to/deleted_file.txt
cat -- RECOVERED_FILES/path/to/deleted_file.txt

# Step 5: park the result somewhere that is not the affected partition
cp -- RECOVERED_FILES/path/to/deleted_file.txt /mnt/safe_backup/
# Scenario: a whole project directory is gone

# Step 1: unmount, then take a first look at what is listed
sudo umount /dev/sda1
extundelete /dev/sda1 --ls | head -n 50

# Step 2: find the directory entry / inode
extundelete /dev/sda1 --ls | grep -- "project_folder"

# Step 3: restore the tree in one go
extundelete /dev/sda1 --restore-directory "home/dev/projects"

# Step 4: sanity-check count and size
find RECOVERED_FILES -type f | wc -l
du -sh -- RECOVERED_FILES/home/dev/projects/

# Step 5: bundle the result
tar -czf projects_recovered.tar.gz RECOVERED_FILES/home/dev/projects/

Workflow 3: Multi-Partition Forensic Recovery

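# Recover from multiple partitions in sequence

# Identify partitions
lsblk -f

# Recovery script
#!/bin/bash
partitions=("/dev/sda1" "/dev/sda2" "/dev/sda3")
for part in "${partitions[@]}"; do
  # Use the device basename: "RECOVERED_$part" expands to RECOVERED_/dev/sda1,
  # a nested path that the tool will not create.
  outdir="RECOVERED_${part##*/}"
  printf 'Recovering from %s...\n' "$part"
  extundelete "$part" --restore-all --output-dir "$outdir/" \
    || printf 'recovery from %s failed\n' "$part" >&2
  du -sh -- "$outdir/"
done

# Consolidate recovered files, one subtree per partition so identical paths
# on different partitions do not overwrite each other. With --output-dir the
# tool writes straight into that directory; there is no nested RECOVERED_FILES
# to glob for.
mkdir -p CONSOLIDATED_RECOVERY
for part in "${partitions[@]}"; do
  cp -r -- "RECOVERED_${part##*/}" CONSOLIDATED_RECOVERY/
done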
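# Professional digital forensics recovery

# Step 1: Create forensic image with checksums (noerror,sync keeps the image
# block-aligned across unreadable sectors)
sudo dd if=/dev/sda1 of=evidence.img bs=4M conv=noerror,sync status=progress
sha256sum evidence.img > evidence.img.sha256
md5sum evidence.img > evidence.img.md5

# Step 2: Do NOT mount the image. Even a read-only ext3/ext4 mount replays
# the journal and so writes to the image, invalidating the checksums. The
# tool reads the raw filesystem, so it takes the image file directly — work
# on a copy and keep evidence.img untouched.
cp -- evidence.img working.img

# Step 3: Run extundelete on the working copy
extundelete ./working.img --restore-all --output-dir ./FORENSIC_RECOVERY/

# Confirm the original image is unchanged
sha256sum -c evidence.img.sha256

# Step 4: Generate recovery manifest. md5sum has no -r option; walk the tree
# with find and hash each regular file.
find ./FORENSIC_RECOVERY -type f > recovery_manifest.txt
du -sh ./FORENSIC_RECOVERY/ >> recovery_manifest.txt
find ./FORENSIC_RECOVERY -type f -exec sha256sum {} + > recovery_checksums.txt

# Step 5: Archive evidence
tar -czf forensic_evidence.tar.gz FORENSIC_RECOVERY/ recovery_manifest.txt recovery_checksums.txt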
# By default recovery lands in RECOVERED_FILES under the current working dir
pwd
ls -la -- RECOVERED_FILES/

# Paths below it mirror the original tree
ls -la -- RECOVERED_FILES/home/user/Documents/
ls -la -- RECOVERED_FILES/var/www/html/
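# The -o dir / --output-dir dir option is listed in the 0.2.4 usage text; use
# it rather than moving files afterwards
extundelete /dev/sda1 --restore-all --output-dir /mnt/recovery_drive/ext4_recovery

# Otherwise restore to the default RECOVERED_FILES and move afterwards.
# dotglob makes the glob include dotfiles, which "RECOVERED_FILES/*" alone
# would leave behind.
extundelete /dev/sda1 --restore-all
mkdir -p /mnt/recovery_drive/ext4_recovery
shopt -s dotglob
mv -- RECOVERED_FILES/* /mnt/recovery_drive/ext4_recovery/

# Verify at new location
ls -la -- /mnt/recovery_drive/ext4_recovery/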
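# Sort recovered files by type
mkdir -p sorted_recovery/{documents,media,code,other}

# globstar: "**" recurses (without it the loop sees one level only);
# nullglob: an empty tree does not iterate the literal pattern;
# nocasematch: *.PDF / *.JPG fall into the same arm as their lowercase forms.
shopt -s globstar nullglob nocasematch
for file in RECOVERED_FILES/**/*; do
  [[ -f "$file" ]] || continue   # ** also yields directories, which cp would refuse
  case $file in
    *.pdf|*.docx|*.xlsx|*.txt) dest=sorted_recovery/documents ;;
    *.jpg|*.png|*.mp4|*.mp3)   dest=sorted_recovery/media ;;
    *.py|*.js|*.cpp|*.java)    dest=sorted_recovery/code ;;
    *)                         dest=sorted_recovery/other ;;
  esac
  # Flattening the tree means same-named files collide; -n keeps the first
  # copy instead of silently overwriting it
  cp -n -- "$file" "$dest/"
done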
# Does the recovered file look like what its name claims?
file -- RECOVERED_FILES/document.pdf

# Archives: walk the contents without extracting anything
tar -tzf RECOVERED_FILES/backup.tar.gz > /dev/null
unzip -t RECOVERED_FILES/archive.zip

# Hash it so it can be compared with a known-good copy
md5sum -- RECOVERED_FILES/document.pdf
# Compare with known hash
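# Summary statistics. One grouped redirect writes the whole report instead of
# reopening the file for every line.
{
  printf '=== Recovery Report ===\n'
  printf 'Total files recovered: %s\n' "$(find RECOVERED_FILES -type f | wc -l)"
  printf 'Total directories: %s\n' "$(find RECOVERED_FILES -type d | wc -l)"
  # du separates size and path with a tab, so cut -f1 is enough
  printf 'Total size: %s\n' "$(du -sh RECOVERED_FILES | cut -f1)"

  # List all recovered files ("+" batches paths rather than one ls per file)
  find RECOVERED_FILES -type f -exec ls -lh {} +
} > recovery_report.txt

# Show file checksums
find RECOVERED_FILES -type f -exec md5sum {} + > recovery_checksums.txt

cat recovery_report.txt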
# Identify the filesystem type
sudo blkid /dev/sda1
# Output: UUID="..." TYPE="ext4"

# Or inspect the feature flags recorded in the superblock
sudo tune2fs -l /dev/sda1 | grep -i "filesystem features"
# ext3 and ext4 are recovered the same way; ext4 adds extents and journal
# checksums on top

# No flag is needed to pick the flavour — the tool handles both
extundelete /dev/sda1 --ls

# Journaled ext3 works just the same
extundelete /dev/sda1 --restore-all
# Confirm the device really holds the filesystem you expect
extundelete /dev/sda1 --inode 2

# Check it is ext3/ext4 in the first place
blkid /dev/sda1

# An empty result can mean the blocks were already reused, or that the
# journal no longer carries the deletion

# Carving tools (photorec, scalpel, testdisk) do not depend on the journal
# Fragmented or partly overwritten files may still come back in part,
# so the attempt is still worthwhile

extundelete /dev/sda1 --restore-file 'document.pdf'

# Size sanity check
ls -la -- RECOVERED_FILES/document.pdf

# Does it still parse as the expected type?
file -- RECOVERED_FILES/document.pdf
# Errors here often point at a damaged filesystem
# Retry against an image rather than the live device

sudo dd if=/dev/sda1 of=image.img bs=1M
extundelete ./image.img --ls

# Or fall back to carving
sudo photorec /dev/sda1
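# Process files in batches
# Recover by inode range instead of all-at-once. --restore-inode accepts a
# comma-separated list, so each batch is one tool invocation (one metadata
# load) rather than one invocation per inode as in a plain {2000..3000} loop.
start=2000 end=3000 batch=100
for ((lo = start; lo <= end; lo += batch)); do
  hi=$(( lo + batch - 1 ))
  (( hi > end )) && hi=$end   # clamp the last batch to the range end
  list=$(seq -s, "$lo" "$hi")
  extundelete /dev/sda1 --restore-inode "$list" \
    || printf 'batch %s-%s failed\n' "$lo" "$hi" >&2
  printf 'Recovered inodes: %s-%s\n' "$lo" "$hi"
done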
# The ext3 journal usually holds on the order of 30-90 days of transactions
# Deletions older than that generally cannot be recovered from it

# Inspect the journal settings
tune2fs -l /dev/sda1 | grep -i journal
# Once a deleted file's blocks have been reused, recovery is partial at best
# Best practice: stop using the system the moment the loss is noticed

# Reduce the risk of overwriting:
# 1. Power down right away
# 2. Do not boot normally from the affected partition
# 3. Prefer read-only tools
# 4. Work from a forensic image
# Big partitions take a while — time the run and keep a log of it

time extundelete /dev/sda1 --restore-all 2>&1 | tee recovery.log &

# Follow progress from a second terminal
tail -f recovery.log
| Feature | ext3grep | extundelete |
| --- | --- | --- |
| ext3 support | Yes | Yes |
| ext4 support | No | Yes |
| Journal analysis | Primary | Secondary |
| Batch recovery | Good | Excellent |
| Directory restore | Yes | Yes |
| Inode recovery | Yes | Yes |
| Speed | Fast | Moderate |
| Availability | Less common | More common |
| Resource | Purpose |
| --- | --- |
| extundelete man page | Full documentation |
| Ext4 filesystem spec | Technical details |
| Linux Forensics Guide | Recovery best practices |
| Digital Evidence wiki | Forensic procedures |