# ext3grep

## Overview

ext3grep is a specialized tool for recovering deleted files from ext3 filesystems by analyzing the ext3 journal. It can restore deleted inodes, files, and complete directory structures without mounting the filesystem, which makes it useful for digital forensics, incident response, and recovery from accidental data loss.
Key Features:
- Journal-based recovery (no filesystem mount required)
- Recover single files or entire directory trees
- Restore deleted inodes directly
- Parallel processing for faster recovery
- Zero impact on filesystem integrity
## Installation

### Debian/Ubuntu

```bash
# Install from repositories
sudo apt-get update
sudo apt-get install ext3grep
# Verify installation
ext3grep --version
```
### RedHat/CentOS

```bash
# Install via package manager
sudo yum install ext3grep
# Or compile from source
wget https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/ext3grep/ext3grep-0.10.2.tar.gz
tar -xzf ext3grep-0.10.2.tar.gz
cd ext3grep-0.10.2
./configure && make && sudo make install
```
### macOS (via Homebrew)

```bash
# Install using Homebrew
brew install ext3grep
# Verify
ext3grep --version
```
### From Source

```bash
# Clone or download source
git clone https://github.com/ckane/ext3grep.git
cd ext3grep
# Build and install
./configure
make
sudo make install
# Verify
which ext3grep
```
## Prerequisite: Unmount Filesystem

Critical: ext3grep must analyze an unmounted filesystem. Mounting the disk updates timestamps and can overwrite the very data blocks you are trying to recover.

### Unmount ext3 Partition

```bash
# Identify filesystem device
lsblk -f
df -h
# Unmount safely
sudo umount /dev/sda1
# For the root filesystem, use rescue mode or a live USB
sudo reboot # Boot into single-user mode or a recovery environment
```
### Using Live USB/CD

```bash
# Boot from Kali Linux or Ubuntu Live USB
# Don't mount the target filesystem
# Use /dev/sda1 directly (unmounted)
```
### Create Raw Disk Image (Alternative)

```bash
# If unable to unmount, create forensic image
sudo dd if=/dev/sda1 of=filesystem.img bs=4M
# Work with image instead of live disk
ext3grep filesystem.img --ls
```
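The imaging step above produces a copy but nothing that proves the copy stayed intact between capture and analysis. The script below is an added example, not part of ext3grep or this page's original commands: it wraps the same `dd` invocation, records a SHA-256 of the image, makes the image read-only, and re-verifies the hash before ext3grep is pointed at it. Device and output paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not part of the ext3grep project: capture a forensic image of a
# partition with dd, record its SHA-256, lock it read-only, and re-verify it
# later so you can show ext3grep ran against an unmodified copy.
set -eu

# make_image SRC DEST
#   dd-copies SRC (device or file) to DEST, makes DEST read-only, writes
#   DEST.sha256 and prints the hash.
make_image() {
    local src dest
    src=$1; dest=$2
    dd if="$src" of="$dest" bs=4M            # same invocation as above, into a file
    chmod 0444 "$dest"                       # evidence must not change after capture
    sha256sum "$dest" | awk '{print $1}' > "$dest.sha256"
    cat "$dest.sha256"
}

# verify_image DEST
#   Re-hashes DEST and compares it with DEST.sha256; exit status 0 means unchanged.
verify_image() {
    local dest recorded current
    dest=$1
    recorded=$(cat "$dest.sha256")
    current=$(sha256sum "$dest" | awk '{print $1}')
    [ "$recorded" = "$current" ]
}

# Usage (paths are placeholders):
#   make_image /dev/sda1 /mnt/forensics/evidence.img
#   verify_image /mnt/forensics/evidence.img && ext3grep /mnt/forensics/evidence.img --ls
```

Run `verify_image` again after the recovery finishes: a hash that still matches is the simplest evidence that neither ext3grep nor anything else wrote to the image while you worked.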
## Journal Analysis Basics

### View Journal Contents

```bash
# List all journal blocks
ext3grep /dev/sda1 --journal
# Output shows journal transaction history
# Lists deleted files and recovery timestamps
```

### Examine Journal Entries

```bash
# Show journal summary
ext3grep /dev/sda1 --summary
# Detailed journal transactions
ext3grep /dev/sda1 --dump-names
```
## Recovering Deleted Files

### List Deleted Files

```bash
# Show all deleted files found in journal
ext3grep /dev/sda1 --ls
# Output shows:
# - Inode numbers
# - File names
# - Original directory
# - File sizes
# - Deletion timestamps (approx.)
```

### Restore Specific File by Name

```bash
# Restore single deleted file
ext3grep /dev/sda1 --restore-file documents/important.pdf
# File restored to: ./RESTORED_FILES/documents/important.pdf
ls -la RESTORED_FILES/documents/
# Check file integrity
file RESTORED_FILES/documents/important.pdf
md5sum RESTORED_FILES/documents/important.pdf
```

### Restore Multiple Files by Pattern

```bash
# Restore all .txt files
ext3grep /dev/sda1 --restore-file "*.txt"
# Restore from specific directory
ext3grep /dev/sda1 --restore-file "home/user/Documents/*.pdf"
# View restored files
find RESTORED_FILES -type f -name "*.pdf"
```
## Restoring by Inode

### Find Inode of Deleted File

```bash
# List files with inode numbers
ext3grep /dev/sda1 --ls | grep -i "filename"
# Output shows: inode=12345 name=deleted_file.txt
# Show the full matching line (column layout depends on the ext3grep version)
ext3grep /dev/sda1 --ls | awk '/deleted_file/ {print $0}'
```

### Restore by Inode Number

```bash
# Restore specific inode
ext3grep /dev/sda1 --restore-inode 12345
# File restored with inode name: 12345
ls -la RESTORED_FILES/
# Rename to original name
mv RESTORED_FILES/12345 RESTORED_FILES/deleted_file.txt
```

### Batch Restore by Inode Range

```bash
# Restore multiple inodes
ext3grep /dev/sda1 --restore-inode 12340 12345 12350
# Or restore all inodes in a range (custom loop)
for inode in {12340..12350}; do
  ext3grep /dev/sda1 --restore-inode "$inode"
done
```
## Restoring Directory Trees

### Restore Entire Directory

```bash
# Restore complete directory structure
ext3grep /dev/sda1 --restore-directory "home/user/Documents"
# All files and subdirectories restored
ls -la RESTORED_FILES/home/user/Documents/
# Verify directory tree
tree RESTORED_FILES/home/user/Documents/
```

### Restore to Different Output Location

```bash
# Specify custom output directory
ext3grep /dev/sda1 --restore-directory "var/www/html" \
  --output-dir /mnt/recovery_drive/
# Files restored to specified location
ls -la /mnt/recovery_drive/var/www/html/
```
## Restore All Deleted Files

### Full Recovery

```bash
# Recover all deleted files and directories
ext3grep /dev/sda1 --restore-all
# All files restored to: RESTORED_FILES/
du -sh RESTORED_FILES/
find RESTORED_FILES -type f | wc -l
```

### Parallel Processing (Faster Recovery)

```bash
# Enable multi-threaded recovery (faster for large partitions)
ext3grep /dev/sda1 --restore-all --jobs 4
# Show progress
ext3grep /dev/sda1 --restore-all -v 3
```

### Verify Recovered Files

```bash
# Check total recovered
find RESTORED_FILES -type f | wc -l
# List large files
find RESTORED_FILES -type f -size +100M -exec ls -lh {} \;
# Check filesystem usage
du -sh RESTORED_FILES/
```
## Time-Based Recovery

### Restore Files Deleted After Date

```bash
# Recover files deleted after specific timestamp
# Note: Requires journal to contain transaction dates
# Alternative: Check journal timestamps
ext3grep /dev/sda1 --summary | grep -i "timestamp"
# Use --restore-all, then filter by modification time
ls -la RESTORED_FILES/ | awk '{print $6, $7, $8, $9}'
```

### Filter by File Modification Date

```bash
# Find files modified after specific date
find RESTORED_FILES -type f -newer reference_file
# Compare with original backup date
find RESTORED_FILES -type f -mtime -30 # Last 30 days
```
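Two ways to narrow a recovery to a time window, as an added example rather than commands from the page or the project. The first uses ext3grep's own `--after` and `--before` filters, which its help text lists under Filters and which take the deletion time as seconds since the epoch; `epoch_of` converts a readable date for them, and `DRY_RUN=1` prints the command instead of touching a device. The second, `restored_between`, filters an already restored tree by modification time with GNU `find -newermt`, which is what the `--restore-all`-then-filter approach above leaves you. Whether `--restore-all` honours the filters on your ext3grep version is something to confirm in `ext3grep --help`; the device name is a placeholder.

```shell
#!/bin/sh
# Added example, not part of ext3grep: restrict recovery to a time window.
set -eu

# epoch_of "2024-03-01 00:00:00" -> seconds since the epoch, date read as UTC (GNU date)
epoch_of() { date -u -d "$1" +%s; }

# restore_window DEVICE START END
#   Runs --restore-all limited to entries deleted in [START, END) via
#   ext3grep's --after/--before filters. DRY_RUN=1 prints the command instead.
restore_window() {
    local after before
    after=$(epoch_of "$2"); before=$(epoch_of "$3")
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "ext3grep $1 --restore-all --after $after --before $before"
    else
        ext3grep "$1" --restore-all --after "$after" --before "$before"
    fi
}

# restored_between DIR START END
#   Regular files under DIR with START < mtime <= END, one path per line.
restored_between() {
    find "$1" -type f -newermt "$2" ! -newermt "$3" | sort
}

# Usage (device is a placeholder):
#   DRY_RUN=1 restore_window /dev/sda1 "2024-03-01 00:00:00" "2024-04-01 00:00:00"
#   restored_between RESTORED_FILES "2024-03-01 00:00:00" "2024-04-01 00:00:00"
```

Filtering by mtime after the fact only works if the restore preserved the original timestamps; if every recovered file carries the time of the restore itself, the deletion-time filters on the ext3grep side are the only option.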
## Common Recovery Workflows

### Workflow 1: Simple Document Recovery

```bash
# User accidentally deleted important document
# Step 1: Boot from live USB, don't mount filesystem
# Step 2: List deleted files
ext3grep /dev/sda1 --ls | grep -i ".docx"
# Step 3: Restore by name
ext3grep /dev/sda1 --restore-file "report_2024.docx"
# Step 4: Verify integrity
file RESTORED_FILES/report_2024.docx
libreoffice RESTORED_FILES/report_2024.docx
```
### Workflow 2: Directory-Level Recovery

```bash
# Recover entire project folder
# Step 1: List directory contents
ext3grep /dev/sda1 --ls | grep "src/"
# Step 2: Restore directory tree
ext3grep /dev/sda1 --restore-directory "home/dev/projects/src"
# Step 3: Verify file count
find RESTORED_FILES/home/dev/projects/src -type f | wc -l
# Step 4: Copy to safe location
cp -r RESTORED_FILES/home/dev/projects/src /mnt/backup/
```
### Workflow 3: Forensic Investigation

```bash
# Recover files for digital forensics
# Step 1: Create forensic image
sudo dd if=/dev/sda1 of=/mnt/forensics/evidence.img bs=4M
# Step 2: Preserve the image: hash it and make it read-only. Do not mount it;
# ext3grep reads the image file directly, and mounting would modify it.
sha256sum /mnt/forensics/evidence.img > /mnt/forensics/evidence.img.sha256
chmod 0444 /mnt/forensics/evidence.img
# Step 3: Run recovery against the image file. Output lands in RESTORED_FILES/
# under the current directory, so change into the destination first.
mkdir -p /mnt/forensics/recovered && cd /mnt/forensics/recovered
ext3grep /mnt/forensics/evidence.img --restore-all
# Step 4: Generate recovery report
find /mnt/forensics/recovered -type f > /mnt/forensics/recovery_manifest.txt
du -sh /mnt/forensics/recovered/
```
### Workflow 4: Batch Inode Recovery

```bash
# Recover multiple specific files by inode
# Step 1: Identify inodes
ext3grep /dev/sda1 --ls | tee deleted_files.log
# Step 2: Create recovery script
cat > recover_inodes.sh << 'EOF'
#!/bin/bash
for inode in 12345 12346 12347; do
  ext3grep /dev/sda1 --restore-inode $inode
  echo "Recovered inode: $inode"
done
EOF
# Step 3: Execute recovery
bash recover_inodes.sh
# Step 4: Verify restored files
ls -la RESTORED_FILES/
```
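The hard-coded inode list in Workflow 4 and the numeric range loop in "Batch Restore by Inode Range" both assume you have already copied the numbers by hand. The script below is an added example, not code from ext3grep or from this page: it pulls inode numbers out of the saved `deleted_files.log` for lines matching a pattern, restores each one, and records per-inode success or failure instead of stopping at the first error. It assumes the `inode=NNN name=...` token format shown in "Find Inode of Deleted File"; real `ext3grep --ls` output is columnar, so the awk field test is the line to adapt. The sample log in the usage comment is constructed, and the device name is a placeholder.

```shell
#!/bin/sh
# Added example, not part of ext3grep: batch-restore inodes taken from a saved
# --ls listing and keep a status file of what succeeded.
set -eu

# inodes_matching LOG PATTERN -> unique, sorted inode numbers from lines matching PATTERN
#   Assumes "inode=NNN" tokens in the listing; adjust the field test for your version.
inodes_matching() {
    grep -E -- "$2" "$1" | awk '
        { for (i = 1; i <= NF; i++)
              if ($i ~ /^inode=[0-9]+$/) { sub(/^inode=/, "", $i); print $i } }
    ' | sort -n -u
}

# restore_inodes DEVICE LOG PATTERN
#   Calls ext3grep --restore-inode for every matching inode and appends
#   "<inode> ok|failed|dry-run" to restore_status.txt in the current directory.
#   DRY_RUN=1 prints each command instead of running it.
restore_inodes() {
    local dev log pat ino
    dev=$1; log=$2; pat=$3
    : > restore_status.txt
    for ino in $(inodes_matching "$log" "$pat"); do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "ext3grep $dev --restore-inode $ino"
            echo "$ino dry-run" >> restore_status.txt
        elif ext3grep "$dev" --restore-inode "$ino"; then
            echo "$ino ok" >> restore_status.txt
        else
            echo "$ino failed" >> restore_status.txt   # continue with the next inode
        fi
    done
}

# Usage (constructed listing, placeholder device):
#   ext3grep /dev/sda1 --ls | tee deleted_files.log
#   DRY_RUN=1 restore_inodes /dev/sda1 deleted_files.log 'home/user/Documents'
#   restore_inodes /dev/sda1 deleted_files.log 'home/user/Documents'
#   grep failed restore_status.txt
```

Running once with `DRY_RUN=1` shows exactly which inodes the pattern selected before anything is written; `restore_status.txt` afterwards tells you which inodes to retry with a different tool.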
## Output and Organization

### Default Recovery Location

```bash
# Files restored to current working directory
pwd
ls -la RESTORED_FILES/
# Subdirectory structure preserved
ls -la RESTORED_FILES/home/user/Documents/
```
### Organize Recovered Files

```bash
# Sort by file type. find is used instead of RESTORED_FILES/**/*, which needs
# bash's globstar option and would also hand directories to cp.
mkdir -p recovered/{documents,images,code,other}
find RESTORED_FILES -type f -print0 | while IFS= read -r -d '' file; do
  case $file in
    *.pdf|*.docx|*.txt) cp "$file" recovered/documents/ ;;
    *.jpg|*.png|*.gif) cp "$file" recovered/images/ ;;
    *.py|*.js|*.cpp) cp "$file" recovered/code/ ;;
    *) cp "$file" recovered/other/ ;;
  esac
done
# Note: files with the same basename from different directories overwrite each other here
```
### Backup Recovery Results

```bash
# Archive recovered files
tar -czf recovered_files_backup.tar.gz RESTORED_FILES/
# Generate checksums for verification
find RESTORED_FILES -type f -exec md5sum {} \; > recovery_checksums.txt
# Store both archive and checksum list
cp -v recovered_files_backup.tar.gz /mnt/external_drive/
cp -v recovery_checksums.txt /mnt/external_drive/
```
## Limitations and Considerations

### Journal Limitations

```bash
# Ext3 journal typically stores 30-90 days of transactions
# Very old deletions may not be recoverable
# Journal overwrites as new data is written
# Check journal size
tune2fs -l /dev/sda1 | grep -i journal
```

### Filesystem Overwriting

```bash
# Deleted file blocks may be reused for new data
# Fragmented recovery possible but incomplete
# Minimize overwriting:
# 1. Don't mount filesystem after deletion
# 2. Shut down immediately after discovering deletion
# 3. Work with forensic image if possible
```

### File Corruption Risk

```bash
# Some recovered files may be corrupted if:
# - Original data blocks were overwritten
# - File metadata is incomplete
# - Filesystem was damaged
# Test recovered files before relying on them
file RESTORED_FILES/*
```
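`file RESTORED_FILES/*` only looks at the top level and still needs a human to read every line. The script below, an added example that is not part of ext3grep or this page, walks the whole tree and gives each file a verdict: `empty`, `mismatch` (the first bytes do not carry the magic number the extension implies, the usual signature of reused blocks) or `ok`. It checks magic bytes with `od` rather than `file(1)` so it runs on a minimal rescue system, and it serves the "Verify Recovered Files" section above as well. The magic table covers only a handful of common types; extend `expected_magic` for others.

```shell
#!/bin/sh
# Added example, not part of ext3grep: triage a RESTORED_FILES tree before
# trusting it, flagging empty files and extension/magic-number mismatches.
set -eu

# expected_magic NAME -> hex prefix expected for that extension, empty if unknown
expected_magic() {
    case $1 in
        *.pdf)        echo 25504446 ;;   # "%PDF"
        *.png)        echo 89504e47 ;;   # "\x89PNG"
        *.jpg|*.jpeg) echo ffd8ff ;;     # JPEG start-of-image
        *.gz|*.tgz)   echo 1f8b ;;       # gzip
        *.docx|*.zip) echo 504b0304 ;;   # ZIP local file header (docx is a ZIP)
        *)            echo "" ;;
    esac
}

# head_hex FILE -> first 4 bytes as lowercase hex without separators
head_hex() { head -c 4 "$1" | od -An -v -tx1 | tr -d ' \n'; }

# triage FILE -> prints "ok", "empty" or "mismatch"
triage() {
    local f want got
    f=$1
    if [ ! -s "$f" ]; then echo empty; return; fi
    want=$(expected_magic "$f")
    if [ -z "$want" ]; then echo ok; return; fi      # no magic known: cannot judge
    got=$(head_hex "$f")
    case $got in
        "$want"*) echo ok ;;
        *)        echo mismatch ;;
    esac
}

# triage_tree DIR -> "<verdict> <path>" per regular file, suspicious ones first
triage_tree() {
    find "$1" -type f | while IFS= read -r f; do
        echo "$(triage "$f") $f"
    done | sort
}

# Usage:
#   triage_tree RESTORED_FILES | grep -v '^ok '
```

A file that reports `ok` here is not guaranteed to be complete: only the header was checked, and a partially overwritten file can still open and then fail half-way. Treat the output as a worklist for the `file`, checksum and open-it-in-the-application checks shown above, not as a substitute for them.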
## Troubleshooting

### No Deleted Files Found

```bash
# Journal may be too old or overwritten
ext3grep /dev/sda1 --summary
# Verify journal size
tune2fs -l /dev/sda1 | grep "Journal size"
# Try ext3grep with aggressive journal parsing
ext3grep /dev/sda1 --ls --verbose
```

### Segmentation Fault

```bash
# Corrupted filesystem or journal
# Use alternative recovery tool
# Try extundelete (alternative)
extundelete /dev/sda1 --restore-all
# Or use dd + photorec on forensic image
dd if=/dev/sda1 of=image.img
photorec image.img
```

### Incomplete File Recovery

```bash
# File may be fragmented or partially overwritten
# Attempt recovery anyway and verify
ext3grep /dev/sda1 --restore-file "document.pdf"
# Check file size vs expected size
ls -la RESTORED_FILES/document.pdf
file RESTORED_FILES/document.pdf
# Try carving tools such as scalpel or foremost
```
## References

| Resource | Purpose |
|---|---|
| ext3grep man page | Full command documentation |
| Ext3 filesystem docs | Journal recovery principles |
| Digital Forensics wiki | Recovery best practices |
| Linux Survival Guide | Filesystem recovery procedures |