ext3grep
Overview
ext3grep is a command-line tool for recovering deleted files from ext3 filesystems. When ext3 deletes a file it zeroes the block pointers in the inode, so the tool searches the filesystem journal for older copies of the inode table blocks that still carry those pointers, and uses surviving directory entries to rebuild names and paths. It reads the block device or image file directly and never needs the filesystem mounted. Useful for digital forensics, incident response and recovery from accidental deletion.
Key Features:
- Journal-based recovery (no filesystem mount required)
- Recover single files or whole directory trees by path (--restore-file), by inode number (--restore-inode), or everything at once (--restore-all)
- Restrict recovery to a deletion-time window (--after / --before, seconds since the Unix epoch)
- Opens the device read-only, so the analysed filesystem is never modified; its output (RESTORED_FILES/) and its stage1 and stage2 cache files are written to the current directory, so run it from a directory on a different filesystem
Installation
Debian/Ubuntu
# Install from repositories
sudo apt-get update
sudo apt-get install ext3grep
# Verify installation
ext3grep --version
RedHat/CentOS
# Install via package manager, if a repository you have enabled carries the package
sudo yum install ext3grep
# Or compile from source; the build needs a C++ compiler and the e2fsprogs headers
sudo yum install gcc-c++ e2fsprogs-devel
wget https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/ext3grep/ext3grep-0.10.2.tar.gz
tar -xzf ext3grep-0.10.2.tar.gz
cd ext3grep-0.10.2
./configure && make && sudo make install
macOS (via Homebrew)
# Install using Homebrew (macOS cannot mount ext3, but ext3grep works directly on a device or an image file)
brew install ext3grep
# Verify
ext3grep --version
From Source
# Clone or download source
git clone https://github.com/ckane/ext3grep.git
cd ext3grep
# Build and install
./configure
make
sudo make install
# Verify
which ext3grep
Prerequisite: Unmount Filesystem
Critical: ext3grep must analyse an unmounted filesystem. A mounted ext3 filesystem keeps writing (access-time updates, journal commits, new files), and every write can reuse the data blocks or the journal space that still hold the deleted data. Keep the working directory on a different filesystem as well: ext3grep writes RESTORED_FILES/ and its stage1/stage2 cache files to the current directory.
Unmount ext3 Partition
# Identify filesystem device
lsblk -f
df -h
# Unmount safely
sudo umount /dev/sda1
# If the unmount fails because the filesystem is busy, find out what holds it open
sudo fuser -vm /dev/sda1
# The root filesystem (or any other that cannot be unmounted from the running system) has to be
# analysed from a rescue environment: boot a live USB or single-user rescue mode instead
Using Live USB/CD
# Boot from Kali Linux or Ubuntu Live USB
# Don't mount the target filesystem; confirm it is not mounted before starting
findmnt /dev/sda1 || echo "not mounted"
# Pass the unmounted device directly, e.g. /dev/sda1
Create Raw Disk Image (Alternative)
# If the disk cannot stay offline for long, image it once (while it is unmounted) and work on the copy.
# Imaging a mounted filesystem gives an inconsistent image and should be a last resort
sudo dd if=/dev/sda1 of=filesystem.img bs=4M conv=noerror,sync
sha256sum filesystem.img > filesystem.img.sha256
# The image takes the place of the device argument in every command below
ext3grep filesystem.img --dump-names
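The checks above are easy to skip under pressure, so here is a pre-flight script that refuses to proceed when they fail. It is an added example, not part of ext3grep and not from the original page: it looks the device up in the mount table, reads the ext2/3/4 superblock fields directly (magic 0xEF53 at superblock offset 0x38, s_feature_compat at 0x5C with bit 0x4 = has_journal, s_feature_incompat at 0x60 with bit 0x40 = extents) to confirm the target is ext3 rather than ext2 or ext4, and warns about leftover stage1/stage2 caches. The mount table it demonstrates on is a constructed sample; the function names are the example's own.

```shell
#!/bin/sh
# Pre-flight checks before pointing ext3grep at a device or image (added example, not ext3grep code).
# 1. The target must not be mounted: a live filesystem keeps writing, and ext3grep reads raw blocks.
# 2. The target must actually be ext3: ext2 has no journal to search, and ext4 inodes use extents,
#    which ext3grep does not understand.
# 3. Stale stage1/stage2 caches in the working directory would be reused for the wrong device.

# Constructed sample of /proc/mounts so the mount check can be exercised without real devices.
SAMPLE_MOUNTS='/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda1 /srv/data ext3 rw,relatime,data=ordered 0 0
tmpfs /tmp tmpfs rw 0 0'

# mount_point_of DEV [MOUNTS_FILE]: print the mount point of DEV; 1 if not mounted, 2 if the table is unreadable.
mount_point_of() {
    dev=$1 mounts=${2:-/proc/mounts}
    [ -r "$mounts" ] || return 2
    awk -v d="$dev" '$1 == d { print $2; found = 1 } END { exit !found }' "$mounts"
}

# le_u32 FILE OFFSET: little-endian 32-bit value at byte OFFSET, in decimal (short reads pad with zeros).
le_u32() {
    set -- $(dd if="$1" bs=1 skip="$2" count=4 2>/dev/null | od -An -tu1 -v) 0 0 0 0
    echo $(( $1 + ($2 << 8) + ($3 << 16) + ($4 << 24) ))
}

# fs_kind FILE: print ext3 (status 0), or ext2 / ext4 / not-extN (status 1).
# The primary superblock starts at byte 1024; offsets below are 1024 + field offset.
fs_kind() {
    magic=$(( $(le_u32 "$1" 1080) & 65535 ))                       # s_magic, 16 bits
    [ "$magic" -eq 61267 ] || { echo not-extN; return 1; }          # 0xEF53
    compat=$(le_u32 "$1" 1116); incompat=$(le_u32 "$1" 1120)       # s_feature_compat / s_feature_incompat
    [ $((incompat & 64)) -eq 0 ] || { echo ext4; return 1; }        # INCOMPAT_EXTENTS
    [ $((compat & 4)) -ne 0 ]    || { echo ext2; return 1; }        # COMPAT_HAS_JOURNAL missing
    echo ext3
}

# preflight DEV [MOUNTS_FILE]: 0 when it is safe to run ext3grep on DEV from the current directory.
preflight() {
    dev=$1 mounts=${2:-/proc/mounts}
    mp=$(mount_point_of "$dev" "$mounts") && st=0 || st=$?
    [ "$st" -ne 2 ] || { echo "cannot read $mounts" >&2; return 2; }
    [ "$st" -ne 0 ] || { echo "refusing: $dev is mounted on $mp; unmount it or image it first" >&2; return 1; }
    kind=$(fs_kind "$dev") || { echo "refusing: $dev looks like $kind, ext3grep needs ext3" >&2; return 1; }
    if [ -e stage1 ] || [ -e stage2 ]; then
        echo "note: stage1/stage2 caches present in $(pwd); remove them if they came from another device" >&2
    fi
    return 0
}

# Demo against the constructed mount table instead of /proc/mounts.
tmp=$(mktemp); printf '%s\n' "$SAMPLE_MOUNTS" > "$tmp"
if mp=$(mount_point_of /dev/sda1 "$tmp"); then echo "/dev/sda1 is mounted on $mp: unmount before running ext3grep"; fi
rm -f "$tmp"
```

Run `preflight /dev/sda1` from the directory you intend to restore into; it reads /proc/mounts by default. Reading the superblock needs read access to the device, so run it with the same privileges you will give ext3grep.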
Journal Analysis Basics
View Journal Contents
# Print the journal: each transaction with its sequence number and the filesystem blocks it holds copies of
ext3grep /dev/sda1 --journal
# A deleted file is recoverable while the journal still has a copy of its inode table block
# from before the deletion, i.e. one whose block pointers are not yet zeroed
Examine Journal Entries
# Superblock summary (block size, inode count, journal inode); this is also the default action
ext3grep /dev/sda1 --superblock
# Print one transaction by its sequence number, as shown in the --journal output
ext3grep /dev/sda1 --journal-transaction 12345
# Show the copies of a given inode that are still in the journal
ext3grep /dev/sda1 --show-journal-inodes 12345
# Histogram of deletion times, to see when the deletions of interest happened
ext3grep /dev/sda1 --histogram=dtime
# Recursive listing of every name the tool can reconstruct (the first run builds the stage1/stage2 caches)
ext3grep /dev/sda1 --dump-names
Recovering Deleted Files
List Deleted Files
# List the root directory (inode 2); descend into a subdirectory by passing its inode number instead
ext3grep /dev/sda1 --ls --inode 2
# Only the deleted entries
ext3grep /dev/sda1 --ls --deleted --inode 2
# Listing columns:
# - Directory-entry index, with a D flag for deleted entries and R for entries whose inode was reallocated
# - Inode number
# - Deletion time, taken from the inode's dtime (approximate)
# - Mode (file type and permissions)
# - File name
# Full paths of everything that can be named: these are the paths --restore-file expects
ext3grep /dev/sda1 --dump-names
Restore Specific File by Name
# Restore a single deleted file; the path is relative to the filesystem root, without a leading slash
ext3grep /dev/sda1 --restore-file documents/important.pdf
# File restored below the current directory: ./RESTORED_FILES/documents/important.pdf
ls -la RESTORED_FILES/documents/
# Check that the content looks like the expected type, and record a checksum
file RESTORED_FILES/documents/important.pdf
sha256sum RESTORED_FILES/documents/important.pdf
Restore Multiple Files by Pattern
# --restore-file takes literal paths (one per option, repeatable) and does no wildcard matching,
# so select the paths from --dump-names and pass each one explicitly
ext3grep /dev/sda1 --dump-names > names.txt
# Restore all .txt files
grep '\.txt$' names.txt | while IFS= read -r p; do ext3grep /dev/sda1 --restore-file "$p"; done
# Restore PDFs from a specific directory
grep '^home/user/Documents/.*\.pdf$' names.txt | while IFS= read -r p; do ext3grep /dev/sda1 --restore-file "$p"; done
# View restored files
find RESTORED_FILES -type f -name "*.pdf"
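Because --restore-file may be repeated, one ext3grep run can name every selected path instead of re-scanning the filesystem per file. The script below is an added example (not ext3grep's code and not from the original page): it filters a --dump-names listing with an extended regex and assembles a single invocation, single-quoting each path so that spaces and apostrophes survive `eval`. The listing it demonstrates on is a constructed sample; the function names are the example's own.

```shell
#!/bin/sh
# Build one ext3grep invocation that restores every path matching a pattern (added example).
# --restore-file takes a literal path and may be repeated, so a single run with many
# --restore-file options avoids re-scanning the filesystem for each file.

# Constructed sample of what `ext3grep DEV --dump-names` prints:
# one path per line, relative to the filesystem root, no leading slash.
SAMPLE_NAMES="home/user/Documents/report_2024.pdf
home/user/Documents/notes.txt
home/user/Documents/old/it's done.pdf
var/www/html/index.php
home/user/.bash_history"

# select_paths REGEX  (paths on stdin): keep the paths matching an extended regex.
select_paths() { grep -E -- "$1"; }

# shell_quote STRING: single-quote a path so spaces and quotes survive eval ( ' becomes '\'' ).
shell_quote() { printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"; }

# restore_cmd DEV REGEX  (paths on stdin): print the command, or return 1 if nothing matched.
restore_cmd() {
    dev=$1; re=$2
    sel=$(select_paths "$re") || return 1
    cmd="ext3grep $dev"
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        cmd="$cmd --restore-file $(shell_quote "$p")"
    done <<EOF
$sel
EOF
    printf '%s\n' "$cmd"
}

# apply_restore DEV REGEX  (paths on stdin): run the built command from the current directory;
# ext3grep writes the files below ./RESTORED_FILES/ with their original paths.
apply_restore() { cmd=$(restore_cmd "$@") && eval "$cmd"; }

# Demo: print (do not run) the plan for the constructed sample.
printf '%s\n' "$SAMPLE_NAMES" | restore_cmd /dev/sda1 '^home/user/Documents/.*\.pdf$'
```

Real use is `ext3grep /dev/sda1 --dump-names > names.txt` followed by `restore_cmd /dev/sda1 'regex' < names.txt` to review the plan, then `apply_restore` with the same arguments once it looks right.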
Restoring by Inode
Find Inode of Deleted File
# The inode number is the Inode column of the --ls listing; filter the deleted entries of a directory by name
ext3grep /dev/sda1 --ls --deleted --inode 2 | grep -i "deleted_file"
# To look inside a subdirectory, pass the inode number shown for it in the parent's listing
ext3grep /dev/sda1 --ls --deleted --inode 12300 | grep -i "deleted_file"
Restore by Inode Number
# Restore a specific inode; the result is named after the inode, not after the original file
ext3grep /dev/sda1 --restore-inode 12345
# File restored as RESTORED_FILES/inode.12345
ls -la RESTORED_FILES/
# Rename to the original name once you have matched it up with the --ls listing
mv RESTORED_FILES/inode.12345 RESTORED_FILES/deleted_file.txt
Batch Restore by Inode Range
# Several inodes in one run: comma-separated (the option may also be repeated)
ext3grep /dev/sda1 --restore-inode 12340,12345,12350
# A contiguous range, built with seq
ext3grep /dev/sda1 --restore-inode "$(seq -s, 12340 12350)"
Restoring Directory Trees
Restore Entire Directory
# --restore-file on a directory path restores that directory and everything below it that can still be named
ext3grep /dev/sda1 --restore-file home/user/Documents
# Files and subdirectories land under RESTORED_FILES/ with their original paths
ls -la RESTORED_FILES/home/user/Documents/
# Verify directory tree
tree RESTORED_FILES/home/user/Documents/
Restore to Different Output Location
# There is no output-directory option: RESTORED_FILES/ (and the stage1/stage2 caches) go into the
# current directory, so change into the destination first. It must not be on the filesystem being recovered
mkdir -p /mnt/recovery_drive/case1 && cd /mnt/recovery_drive/case1
ext3grep /dev/sda1 --restore-file var/www/html
# Files restored to the chosen location
ls -la /mnt/recovery_drive/case1/RESTORED_FILES/var/www/html/
Restore All Deleted Files
Full Recovery
# Recover everything that can still be named. The tool's own help recommends adding --after
# (seconds since the epoch): without it, very old entries whose inode has since been reused
# are hard-linked to the newer file that owns the inode now, which pollutes the output
ext3grep /dev/sda1 --restore-all --after "$(date -d '2024-03-01' +%s)"
# All files restored to: RESTORED_FILES/
du -sh RESTORED_FILES/
find RESTORED_FILES -type f | wc -l
Run Time and Cache Files
# ext3grep is single-threaded and has no parallel or progress option. The first run over a large
# partition is the slow one: it builds the stage1 and stage2 caches in the current directory
ls -la stage1 stage2
# Later runs in the same directory reuse them; delete both before analysing a different device
rm -f stage1 stage2
Verify Recovered Files
# Check total recovered
find RESTORED_FILES -type f | wc -l
# List large files
find RESTORED_FILES -type f -size +100M -exec ls -lh {} \;
# Check filesystem usage
du -sh RESTORED_FILES/
Time-Based Recovery
Restore Files Deleted After Date
# --after and --before take the deletion time as seconds since the Unix epoch (on or after / before)
# and narrow --ls, --dump-names, --restore-all and the histogram alike
# Step 1: see when things were deleted
ext3grep /dev/sda1 --histogram=dtime
# Step 2: restore only what was deleted inside the window
ext3grep /dev/sda1 --restore-all \
--after "$(date -d '2024-03-01 00:00' +%s)" --before "$(date -d '2024-03-02 00:00' +%s)"
# The same window applied to a listing
ext3grep /dev/sda1 --ls --deleted --inode 2 --after "$(date -d '2024-03-01' +%s)"
Filter by File Modification Date
# The authoritative deletion time is the one in the inode (the Deletion time column of --ls);
# the timestamps on the restored copies are only a hint. Filter the copies when that is all you have
find RESTORED_FILES -type f -newer reference_file
find RESTORED_FILES -type f -mtime -30 # Last 30 days
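The `date -d` calls above are GNU-only, and a mistake in the epoch arithmetic silently widens or empties the recovery window. The following added example (not from ext3grep or the original page) converts calendar dates to epoch seconds in plain shell arithmetic, using the days-from-civil formula, and builds the --after/--before pair for a window. It assumes the dates are UTC; if the deletion times you read from --ls were shown in local time, shift accordingly. The function names are the example's own.

```shell
#!/bin/sh
# Build --after/--before arguments for ext3grep from calendar dates without GNU date -d
# (added example). ext3grep takes these values as seconds since the Unix epoch; times here are UTC.

# days_from_civil Y M D: days since 1970-01-01 for a proleptic Gregorian date (years >= 0).
days_from_civil() {
    y=$1 m=$2 d=$3
    [ "$m" -le 2 ] && y=$((y - 1))            # count years from March so leap days fall at the end
    era=$((y / 400))
    yoe=$((y - era * 400))                      # year of era [0, 399]
    if [ "$m" -gt 2 ]; then mp=$((m - 3)); else mp=$((m + 9)); fi
    doy=$(((153 * mp + 2) / 5 + d - 1))         # day of the March-based year
    doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
    echo $((era * 146097 + doe - 719468))       # 719468 = days from 0000-03-01 to 1970-01-01
}

# ymd_to_epoch YYYY-MM-DD [HH:MM:SS]: UTC calendar time to epoch seconds.
ymd_to_epoch() {
    date=$1 time=${2:-00:00:00}
    y=${date%%-*}; rest=${date#*-}; m=${rest%%-*}; d=${rest#*-}
    hh=${time%%:*}; rest=${time#*:}; mm=${rest%%:*}; ss=${rest#*:}
    # strip one leading zero so "08" is not parsed as an (invalid) octal constant
    m=${m#0}; d=${d#0}; hh=${hh#0}; mm=${mm#0}; ss=${ss#0}
    days=$(days_from_civil "$y" "$m" "$d")
    echo $((days * 86400 + hh * 3600 + mm * 60 + ss))
}

# window_args START END: --after/--before for deletions in [START, END), both YYYY-MM-DD at 00:00 UTC.
window_args() {
    printf '%s %s %s %s\n' --after "$(ymd_to_epoch "$1")" --before "$(ymd_to_epoch "$2")"
}

# Usage (printed, not executed): confirm the window on the histogram first, then restore within it.
printf 'ext3grep /dev/sda1 --histogram=dtime %s\n' "$(window_args 2024-03-01 2024-03-02)"
printf 'ext3grep /dev/sda1 --restore-all %s\n' "$(window_args 2024-03-01 2024-03-02)"
```

Cross-check one value against a known reference before relying on it (for example `ymd_to_epoch 1970-01-01` must print 0).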
Common Recovery Workflows
Workflow 1: Simple Document Recovery
# User accidentally deleted important document
# Step 1: Boot from live USB, don't mount the filesystem, work from a directory on another disk
# Step 2: Find the deleted file and its full path
ext3grep /dev/sda1 --dump-names | grep -i '\.docx$'
# Step 3: Restore by path, exactly as printed by --dump-names (no leading slash)
ext3grep /dev/sda1 --restore-file home/user/Documents/report_2024.docx
# Step 4: Verify integrity
file RESTORED_FILES/home/user/Documents/report_2024.docx
libreoffice RESTORED_FILES/home/user/Documents/report_2024.docx
Workflow 2: Directory-Level Recovery
# Recover entire project folder
# Step 1: Confirm the directory and its contents can still be named
ext3grep /dev/sda1 --dump-names | grep '^home/dev/projects/src/'
# Step 2: Restore the directory tree (a directory path restores everything below it)
ext3grep /dev/sda1 --restore-file home/dev/projects/src
# Step 3: Verify file count
find RESTORED_FILES/home/dev/projects/src -type f | wc -l
# Step 4: Copy to safe location, preserving permissions and timestamps
cp -a RESTORED_FILES/home/dev/projects/src /mnt/backup/
Workflow 3: Forensic Investigation
# Recover files for digital forensics
# Step 1: Image the unmounted partition, hash the image and write-protect it
sudo dd if=/dev/sda1 of=/mnt/forensics/evidence.img bs=4M conv=noerror,sync
sha256sum /mnt/forensics/evidence.img | tee /mnt/forensics/evidence.img.sha256
chmod 0444 /mnt/forensics/evidence.img
# Step 2: Do not mount the image; ext3grep reads it directly. Work from the output directory,
# because RESTORED_FILES/ and the stage1/stage2 caches are written to the current directory
mkdir -p /mnt/forensics/recovered && cd /mnt/forensics/recovered
# Step 3: Run recovery (narrow it with --after/--before where the case allows)
ext3grep /mnt/forensics/evidence.img --restore-all
# Step 4: Generate a hashed manifest of the recovered files, then confirm the image is unchanged
find RESTORED_FILES -type f -exec sha256sum {} \; > recovery_manifest.txt
sha256sum -c /mnt/forensics/evidence.img.sha256
du -sh RESTORED_FILES/
Workflow 4: Batch Inode Recovery
# Recover multiple specific files by inode
# Step 1: Identify inodes from the deleted entries (keep the listing as a record)
ext3grep /dev/sda1 --ls --deleted --inode 2 | tee deleted_files.log
# Step 2: Put the chosen inode numbers in a file, one per line
printf '%s\n' 12345 12346 12347 > inodes.txt
# Step 3: Restore them in one run; --restore-inode accepts a comma-separated list
ext3grep /dev/sda1 --restore-inode "$(paste -sd, inodes.txt)"
# Step 4: Verify restored files (named inode.N)
ls -la RESTORED_FILES/
Output and Organization
Default Recovery Location
# Files are restored to RESTORED_FILES/ in the current working directory
pwd
ls -la RESTORED_FILES/
# --restore-file keeps the original path below RESTORED_FILES/; --restore-inode names files inode.N
ls -la RESTORED_FILES/home/user/Documents/
Organize Recovered Files
# Sort copies by file type, leaving the originals in RESTORED_FILES/ (cp -n keeps the first file
# when two recovered files share a name)
mkdir -p recovered/{documents,images,code,other}
find RESTORED_FILES -type f | while IFS= read -r file; do
case "${file##*/}" in
*.pdf|*.docx|*.txt) cp -n "$file" recovered/documents/ ;;
*.jpg|*.png|*.gif) cp -n "$file" recovered/images/ ;;
*.py|*.js|*.cpp) cp -n "$file" recovered/code/ ;;
*) cp -n "$file" recovered/other/ ;;
esac
done
Backup Recovery Results
# Archive recovered files
tar -czf recovered_files_backup.tar.gz RESTORED_FILES/
# Generate checksums for verification
find RESTORED_FILES -type f -exec sha256sum {} \; > recovery_checksums.txt
sha256sum recovered_files_backup.tar.gz > recovered_files_backup.tar.gz.sha256
# Store the archive and both checksum lists together
cp -v recovered_files_backup.tar.gz recovered_files_backup.tar.gz.sha256 /mnt/external_drive/
cp -v recovery_checksums.txt /mnt/external_drive/
Limitations and Considerations
Journal Limitations
# The ext3 journal is a fixed-size circular log (typically 32 MB to 128 MB, set at mkfs time), not a history
# A deleted inode is recoverable only while the journal still holds the pre-deletion copy of its inode table block
# On a busy filesystem that copy is overwritten within minutes or hours; on an idle one it can survive much longer
# Check the journal size and location
sudo dumpe2fs -h /dev/sda1 | grep -i journal
Filesystem Overwriting
# Deleted file blocks may be reused for new data
# Fragmented recovery is possible but incomplete
# Minimize overwriting:
# 1. Don't mount the filesystem after the deletion
# 2. Stop writing immediately when a deletion is discovered: unmount, or at least remount read-only
sudo mount -o remount,ro /dev/sda1
# 3. Work with a forensic image if possible
File Corruption Risk
# Some recovered files may be corrupted if:
# - Original data blocks were overwritten (the restored file then holds zeros or another file's content)
# - File metadata is incomplete
# - Filesystem was damaged
# Test recovered files before relying on them; look at the whole tree, not just the top level
find RESTORED_FILES -type f -exec file {} +
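`file` reports a type but does not say whether that type matches the name, and it cannot flag the common ext3grep outcome where a restored file is the right size but consists of reused or zeroed blocks. The script below is an added example (not ext3grep's code and not from the original page) covering both the Verify Recovered Files and File Corruption Risk sections: it classifies every recovered file as EMPTY, ZERO (all NUL bytes), MISMATCH (leading bytes do not match the extension), UNKNOWN (no signature on record) or OK. The signature table is a small constructed one; extend it for the file types in your case. The function names are the example's own.

```shell
#!/bin/sh
# Triage RESTORED_FILES for failure modes ext3grep cannot detect itself (added example):
# a file whose data blocks were reused comes back as NUL bytes or as another file's content.

# Constructed signature table: hex of the leading bytes expected for an extension. Extend as needed.
magic_for_ext() {
    case "$1" in
        pdf)                echo 25504446 ;;   # %PDF
        png)                echo 89504e47 ;;
        jpg|jpeg)           echo ffd8ff ;;
        gif)                echo 474946 ;;     # GIF
        gz|tgz)             echo 1f8b ;;
        zip|docx|xlsx|jar)  echo 504b0304 ;;   # PK local file header (an empty archive starts 504b0506)
        so|elf)             echo 7f454c46 ;;
        *)                  echo "" ;;
    esac
}

# head_hex FILE: first 8 bytes as lowercase hex, no separators.
head_hex() { head -c 8 "$1" | od -An -tx1 -v | tr -d ' \n'; }

# classify_file FILE: print "<CLASS> <path>"; return 1 for EMPTY, ZERO and MISMATCH.
classify_file() {
    f=$1
    [ -s "$f" ] || { echo "EMPTY $f"; return 1; }
    # nothing but NUL bytes: the data blocks were reused and zeroed
    if [ -z "$(tr -d '\000' < "$f" | head -c 1)" ]; then echo "ZERO $f"; return 1; fi
    ext=$(printf '%s\n' "${f##*/}" | sed -n 's/.*\.\([A-Za-z0-9]*\)$/\1/p' | tr 'A-Z' 'a-z')
    want=$(magic_for_ext "$ext")
    [ -n "$want" ] || { echo "UNKNOWN $f"; return 0; }
    case "$(head_hex "$f")" in
        "$want"*) echo "OK $f" ;;
        *)        echo "MISMATCH $f"; return 1 ;;
    esac
}

# audit_recovered [DIR]: classify every regular file below DIR (default RESTORED_FILES).
audit_recovered() {
    find "${1:-RESTORED_FILES}" -type f | while IFS= read -r f; do
        classify_file "$f" || :
    done
}

# Typical use: list everything that is not OK, then inspect the survivors by hand.
#   audit_recovered RESTORED_FILES | grep -v '^OK '
```

A MISMATCH is not always garbage: the inode may have been reused by a different file of the same name, which is exactly the case the R flag in the --ls listing warns about. Compare the file's inode in the listing with what you expected before discarding it.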
Troubleshooting
No Deleted Files Found
# The journal copy of the inode may already be overwritten, or the caches may be stale
ext3grep /dev/sda1 --superblock
# Verify journal size
sudo dumpe2fs -h /dev/sda1 | grep "Journal size"
# Remove caches left by an earlier run against a different device, then rebuild the name list
rm -f stage1 stage2
ext3grep /dev/sda1 --dump-names
# Show deleted entries even when their inode has since been reallocated to another file
ext3grep /dev/sda1 --ls --deleted --reallocated --inode 2
Segmentation Fault
# Usually a corrupted filesystem or journal
# Use an alternative recovery tool
# Try extundelete (also journal-based)
extundelete /dev/sda1 --restore-all
# Or carve the image with photorec, which ignores filesystem metadata entirely
dd if=/dev/sda1 of=image.img bs=4M conv=noerror,sync
photorec image.img
Incomplete File Recovery
# The file may be fragmented or partially overwritten
# Attempt recovery anyway and verify
ext3grep /dev/sda1 --restore-file "document.pdf"
# Compare the restored size with the size expected from the --ls listing or a backup
ls -la RESTORED_FILES/document.pdf
file RESTORED_FILES/document.pdf
# If the blocks are no longer reachable through any inode, carve the image with scalpel or foremost instead
References
| Resource | Purpose |
|---|---|
| ext3grep man page | Full command documentation |
| Ext3 filesystem docs | Journal recovery principles |
| Digital Forensics wiki | Recovery best practices |
| Linux Survival Guide | Filesystem recovery procedures |