# ext3grep

## Overview

ext3grep is a specialized tool for recovering deleted files from ext3 filesystems by analyzing the ext3 journal. It can restore deleted inodes, files, and complete directory structures without mounting the filesystem. It is essential for digital forensics, incident response, and recovery after accidental data loss.

Key Features:

- Journal-based recovery (no filesystem mount required)
- Recover single files or entire directory trees
- Restore deleted inodes directly
- Parallel processing for faster recovery
- Zero impact on filesystem integrity (the device is only read)
## Installation

### Debian/Ubuntu

```bash
# Install from repositories
sudo apt-get update
sudo apt-get install ext3grep

# Verify installation
ext3grep --version
```

### RedHat/CentOS

```bash
# Install via package manager
sudo yum install ext3grep

# Or compile from source
wget https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/ext3grep/ext3grep-0.10.2.tar.gz
tar -xzf ext3grep-0.10.2.tar.gz
cd ext3grep-0.10.2
./configure && make && sudo make install
```

### macOS (via Homebrew)

```bash
# Install using Homebrew
brew install ext3grep

# Verify
ext3grep --version
```

### From Source

```bash
# Clone or download source
git clone https://github.com/ckane/ext3grep.git
cd ext3grep

# Build and install
./configure
make
sudo make install

# Verify
which ext3grep
```
## Prerequisite: Unmount Filesystem

Critical: ext3grep must analyze an unmounted filesystem. Mounting the disk will update timestamps and potentially overwrite deleted data.

### Unmount ext3 Partition

```bash
# Identify filesystem device
lsblk -f
df -h

# Unmount safely
sudo umount /dev/sda1

# For the root filesystem, use rescue mode or a live USB
sudo reboot  # Boot into single-user mode or a recovery environment
```

### Using Live USB/CD

Boot from a Kali Linux or Ubuntu live USB. Do not mount the target filesystem; pass the device (for example `/dev/sda1`) to ext3grep directly while it is unmounted.

### Create Raw Disk Image (Alternative)

```bash
# If unable to unmount, create a forensic image
# Note: an image taken from a mounted, in-use filesystem can be inconsistent,
# because the kernel may still be writing to it while dd reads it
sudo dd if=/dev/sda1 of=filesystem.img bs=4M

# Work with the image instead of the live disk
ext3grep filesystem.img --ls
```
## Journal Analysis Basics

### View Journal Contents

```bash
# List all journal blocks
ext3grep /dev/sda1 --journal
# Output shows the journal transaction history,
# including deleted files and recovery timestamps
```

### Examine Journal Entries

```bash
# Show journal summary
ext3grep /dev/sda1 --summary

# Detailed journal transactions
ext3grep /dev/sda1 --dump-names
```
## Recovering Deleted Files

### List Deleted Files

```bash
# Show all deleted files found in the journal
ext3grep /dev/sda1 --ls
# Output shows:
# - Inode numbers
# - File names
# - Original directory
# - File sizes
# - Deletion timestamps (approx.)
```

### Restore Specific File by Name

```bash
# Restore a single deleted file
ext3grep /dev/sda1 --restore-file documents/important.pdf
# File restored to: ./RESTORED_FILES/documents/important.pdf
ls -la RESTORED_FILES/documents/

# Check file integrity
file RESTORED_FILES/documents/important.pdf
md5sum RESTORED_FILES/documents/important.pdf
```

### Restore Multiple Files by Pattern

```bash
# Restore all .txt files
ext3grep /dev/sda1 --restore-file "*.txt"

# Restore from a specific directory
ext3grep /dev/sda1 --restore-file "home/user/Documents/*.pdf"

# View restored files
find RESTORED_FILES -type f -name "*.pdf"
```
## Restoring by Inode

### Find Inode of Deleted File

```bash
# List files with inode numbers
ext3grep /dev/sda1 --ls | grep -i "filename"
# Output shows: inode=12345 name=deleted_file.txt

# Extract the line for a given file name
ext3grep /dev/sda1 --ls | awk '/deleted_file/ {print $0}'
```

### Restore by Inode Number

```bash
# Restore a specific inode
ext3grep /dev/sda1 --restore-inode 12345
# Files restored by inode carry the inode number as their name,
# e.g. RESTORED_FILES/inode.12345, because the original name is unknown
ls -la RESTORED_FILES/

# Rename to the original name
mv RESTORED_FILES/inode.12345 RESTORED_FILES/deleted_file.txt
```

### Batch Restore by Inode Range

```bash
# Restore multiple inodes in one call (comma-separated list, no spaces)
ext3grep /dev/sda1 --restore-inode 12340,12345,12350

# Or restore every inode in a range (custom loop)
for inode in {12340..12350}; do
    ext3grep /dev/sda1 --restore-inode "$inode"
done
```
## Restoring Directory Trees

### Restore Entire Directory

```bash
# Restore the complete directory structure
ext3grep /dev/sda1 --restore-directory "home/user/Documents"
# All files and subdirectories are restored
ls -la RESTORED_FILES/home/user/Documents/

# Verify the directory tree
tree RESTORED_FILES/home/user/Documents/
```

### Restore to Different Output Location

```bash
# Specify a custom output directory
ext3grep /dev/sda1 --restore-directory "var/www/html" \
    --output-dir /mnt/recovery_drive/
# Files restored to the specified location
ls -la /mnt/recovery_drive/var/www/html/
```
## Restore All Deleted Files

### Full Recovery

```bash
# Recover all deleted files and directories
ext3grep /dev/sda1 --restore-all
# All files restored to: RESTORED_FILES/
du -sh RESTORED_FILES/
find RESTORED_FILES -type f | wc -l
```

### Parallel Processing (Faster Recovery)

```bash
# Enable multi-threaded recovery (faster for large partitions)
ext3grep /dev/sda1 --restore-all --jobs 4

# Show progress
ext3grep /dev/sda1 --restore-all -v 3
```

### Verify Recovered Files

```bash
# Count recovered files
find RESTORED_FILES -type f | wc -l

# List large files
find RESTORED_FILES -type f -size +100M -exec ls -lh {} \;

# Check disk usage of the recovery tree
du -sh RESTORED_FILES/
```
## Time-Based Recovery

### Restore Files Deleted After Date

```bash
# Recover files deleted after a specific timestamp
# Note: requires the journal to contain transaction dates
# Alternative: check journal timestamps
ext3grep /dev/sda1 --summary | grep -i "timestamp"

# Use --restore-all, then filter by modification time
ls -la RESTORED_FILES/ | awk '{print $6, $7, $8, $9}'
```

### Filter by File Modification Date

```bash
# Find files modified after a reference file
find RESTORED_FILES -type f -newer reference_file

# Compare with the original backup date
find RESTORED_FILES -type f -mtime -30  # Last 30 days
```
## Common Recovery Workflows

### Workflow 1: Simple Document Recovery

```bash
# User accidentally deleted an important document
# Step 1: Boot from a live USB; do not mount the filesystem
# Step 2: List deleted files
ext3grep /dev/sda1 --ls | grep -i ".docx"
# Step 3: Restore by name
ext3grep /dev/sda1 --restore-file "report_2024.docx"
# Step 4: Verify integrity
file RESTORED_FILES/report_2024.docx
libreoffice RESTORED_FILES/report_2024.docx
```

### Workflow 2: Directory-Level Recovery

```bash
# Recover an entire project folder
# Step 1: List directory contents
ext3grep /dev/sda1 --ls | grep "src/"
# Step 2: Restore the directory tree
ext3grep /dev/sda1 --restore-directory "home/dev/projects/src"
# Step 3: Verify the file count
find RESTORED_FILES/home/dev/projects/src -type f | wc -l
# Step 4: Copy to a safe location
cp -r RESTORED_FILES/home/dev/projects/src /mnt/backup/
```
### Workflow 3: Forensic Investigation

```bash
# Recover files for digital forensics
# Step 1: Create a forensic image
sudo dd if=/dev/sda1 of=/mnt/forensics/evidence.img bs=4M
# Step 2: Protect the image. Do NOT mount it: ext3grep reads the image file
# directly, and mounting an ext3 image (even with -o ro) replays the journal
# and changes the evidence
chmod 0444 /mnt/forensics/evidence.img
# Step 3: Run recovery against the image file
ext3grep /mnt/forensics/evidence.img --restore-all --output-dir /mnt/forensics/recovered/
# Step 4: Generate a recovery report
find /mnt/forensics/recovered -type f > recovery_manifest.txt
du -sh /mnt/forensics/recovered/
```
### Workflow 4: Batch Inode Recovery

```bash
# Recover multiple specific files by inode
# Step 1: Identify inodes
ext3grep /dev/sda1 --ls | tee deleted_files.log
# Step 2: Create a recovery script
cat > recover_inodes.sh << 'EOF'
#!/bin/bash
for inode in 12345 12346 12347; do
    ext3grep /dev/sda1 --restore-inode "$inode"
    echo "Recovered inode: $inode"
done
EOF
# Step 3: Execute recovery
bash recover_inodes.sh
# Step 4: Verify restored files
ls -la RESTORED_FILES/
```
## Output and Organization

### Default Recovery Location

```bash
# Files are restored below the current working directory
pwd
ls -la RESTORED_FILES/
# Subdirectory structure is preserved
ls -la RESTORED_FILES/home/user/Documents/
```
### Organize Recovered Files

```bash
# Sort by file type. globstar makes ** recurse into subdirectories (without it
# the loop only sees the first level), and only regular files are copied.
# Files with the same basename in different directories overwrite each other
# in the target; add cp --backup=numbered if that matters.
shopt -s globstar nullglob
mkdir -p recovered/{documents,images,code,other}
for file in RESTORED_FILES/**/*; do
    [ -f "$file" ] || continue
    case "$file" in
        *.pdf|*.docx|*.txt) cp "$file" recovered/documents/ ;;
        *.jpg|*.png|*.gif)  cp "$file" recovered/images/ ;;
        *.py|*.js|*.cpp)    cp "$file" recovered/code/ ;;
        *)                  cp "$file" recovered/other/ ;;
    esac
done
```
### Backup Recovery Results

```bash
# Archive recovered files
tar -czf recovered_files_backup.tar.gz RESTORED_FILES/

# Generate checksums for verification
find RESTORED_FILES -type f -exec md5sum {} \; > recovery_checksums.txt

# Store both the archive and the checksum list
cp -v recovered_files_backup.tar.gz /mnt/external_drive/
cp -v recovery_checksums.txt /mnt/external_drive/
```
## Limitations and Considerations

### Journal Limitations

```bash
# The ext3 journal typically stores 30-90 days of transactions
# Very old deletions may not be recoverable
# The journal is overwritten as new data is written
# Check journal size
tune2fs -l /dev/sda1 | grep -i journal
```

### Filesystem Overwriting

Deleted file blocks may be reused for new data; fragmented recovery is then possible but incomplete. To minimize overwriting:

1. Don't mount the filesystem after the deletion
2. Shut down immediately after discovering the deletion
3. Work with a forensic image if possible

### File Corruption Risk

Some recovered files may be corrupted if:

- the original data blocks were overwritten
- the file metadata is incomplete
- the filesystem was damaged

Test recovered files before relying on them:

```bash
file RESTORED_FILES/*
```
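The checks from the verify, backup and corruption-risk sections, as one added Python example (not part of the original page or of ext3grep): it walks a RESTORED_FILES tree, flags files that are empty, zero-filled (a sign that the data blocks were reused) or whose leading bytes do not match their extension, and records a SHA-256 per file. The magic-byte table and the sample tree are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed table of leading magic bytes for the file types the page sorts by.
MAGIC = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
    ".docx": b"PK\x03\x04",  # OOXML documents are ZIP containers
}

def classify(path: Path) -> str:
    """Return ok, empty, zeroed, bad-magic or unknown for one recovered file."""
    data = path.read_bytes()
    if not data:
        return "empty"
    if not data[:4096].strip(b"\x00"):
        return "zeroed"  # first block is all NUL: data blocks were likely reused
    expected = MAGIC.get(path.suffix.lower())
    if expected is None:
        return "unknown"  # no signature to check (e.g. plain .txt)
    return "ok" if data.startswith(expected) else "bad-magic"

def audit(root: Path) -> dict:
    """Walk a recovery tree; map relative path -> (status, size, sha256)."""
    report = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            digest = hashlib.sha256(p.read_bytes()).hexdigest()
            report[p.relative_to(root).as_posix()] = (classify(p), p.stat().st_size, digest)
    return report

def demo() -> dict:
    """Build a constructed RESTORED_FILES tree with typical damage and audit it."""
    root = Path(tempfile.mkdtemp()) / "RESTORED_FILES" / "docs"
    root.mkdir(parents=True)
    (root / "good.pdf").write_bytes(b"%PDF-1.4\n%constructed sample\n")
    (root / "overwritten.pdf").write_bytes(b"\x00" * 4096)  # blocks reused, zero-filled
    (root / "wrong.jpg").write_bytes(b"%PDF-1.4 not a jpeg")  # content/name mismatch
    (root / "empty.txt").write_bytes(b"")
    (root / "notes.txt").write_bytes(b"plain text, no signature to verify\n")
    return audit(root.parent)

if __name__ == "__main__":
    for rel, (status, size, _) in demo().items():
        print(f"{status:10} {size:8d}  {rel}")
```

Anything reported as zeroed or bad-magic should be treated as unrecovered even though a file of the right name and size exists.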
## Troubleshooting

### No Deleted Files Found

```bash
# The journal may be too old or already overwritten
ext3grep /dev/sda1 --summary

# Verify journal size
tune2fs -l /dev/sda1 | grep "Journal size"

# Try ext3grep with aggressive journal parsing
ext3grep /dev/sda1 --ls --verbose
```

### Segmentation Fault

```bash
# Corrupted filesystem or journal: use an alternative recovery tool
# Try extundelete
extundelete /dev/sda1 --restore-all

# Or use dd + photorec on a forensic image
dd if=/dev/sda1 of=image.img
photorec image.img
```

### Incomplete File Recovery

```bash
# The file may be fragmented or partially overwritten
# Attempt recovery anyway and verify
ext3grep /dev/sda1 --restore-file "document.pdf"

# Check the file size against the expected size
ls -la RESTORED_FILES/document.pdf
file RESTORED_FILES/document.pdf

# Try carving tools such as scalpel or foremost
```
## References

| Resource | Purpose |
|---|---|
| ext3grep man page | Full command documentation |
| Ext3 filesystem docs | Journal recovery principles |
| Digital Forensics wiki | Recovery best practices |
| Linux Survival Guide | Filesystem recovery procedures |