Category: Forensics. Tags: forensics, file-recovery, ext3, deleted-files, inode

ext3grep

Tool to help recover deleted files on ext3 filesystems. Useful in forensics investigations.

Description

ext3grep is a simple tool intended to aid anyone who accidentally deletes a file on an ext3 filesystem, only to find that they wanted it shortly thereafter. This package is useful in forensics investigations where recovering deleted data is critical.

The tool analyzes ext3 filesystem structures to locate and extract information about deleted files, inodes, and blocks. It supports filtering by deletion time, allocation status, groups, and directories to focus on relevant data.

ext3grep provides actions to inspect superblocks, inodes, blocks, and directory contents, making it valuable for both accidental data loss recovery and detailed forensic analysis.

How It Works

ext3grep reads the raw device (or an image of it) and parses the ext3 metadata: the superblock, the group descriptors, the inode tables and the directory blocks. From these it works out which inodes and blocks are unallocated and which directory entries still point at deleted files. The filters (deletion-time range, allocation status, inode type) are then applied, and the chosen action runs on what remains: printing an inode or block, or listing directory entries one per line with --ls. A "reallocated" entry is a deleted directory entry whose inode is currently allocated again, typically because the inode number was reused by a newer file; such entries are suppressed by default and shown only with --reallocated. Two practical caveats: ext3 zeroes an inode's block pointers when the file is unlinked, so the inode table alone usually no longer says where the data was, and ext3grep therefore also examines the journal, which can still hold older copies of the inode; and the tool writes cache files (stage1, stage2) in the current working directory on its first run, so run it from a directory on a different filesystem, preferably against a read-only dd image rather than the live device, because any write to the original can overwrite the very blocks you are trying to recover.
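To make the metadata walk concrete, here is an added, self-contained Python example. It is not ext3grep's code, and the image it scans is not real mkfs output: it hand-builds a tiny one-group ext3-style image and then applies the same kinds of filters ext3grep exposes (--deleted, --after/--before, --allocated/--unallocated, --directory) while walking the inode table. The superblock, group-descriptor and inode field offsets are the real on-disk ext2/ext3 ones; the inode numbers, sizes and deletion dates are constructed for the demo.

```python
import struct
from datetime import datetime, timezone

# Constructed one-group image, NOT real mkfs output.  1 KiB blocks: block 0
# boot area, 1 superblock, 2 group descriptor table, 3 block bitmap,
# 4 inode bitmap, 5-8 inode table (32 inodes x 128 bytes).
BLOCK, INODE_SIZE, N_INODES, EXT_MAGIC = 1024, 128, 32, 0xEF53
HAS_JOURNAL = 0x0004  # s_feature_compat bit that distinguishes ext3 from ext2


def epoch(iso_date):
    """'YYYY-MM-DD' -> seconds since the epoch (UTC), the unit i_dtime uses."""
    return int(datetime.fromisoformat(iso_date).replace(tzinfo=timezone.utc).timestamp())


def build_image(inodes):
    """inodes: list of (ino, mode, size, dtime, allocated).  Field offsets
    follow the on-disk ext2/ext3 superblock, group descriptor and inode."""
    img = bytearray(BLOCK * 9)
    sb = 1024
    struct.pack_into("<IIIII", img, sb, N_INODES, 9, 0, 0, N_INODES - len(inodes))
    struct.pack_into("<II", img, sb + 20, 1, 0)            # s_first_data_block, s_log_block_size
    struct.pack_into("<I", img, sb + 32, 8192)             # s_blocks_per_group
    struct.pack_into("<I", img, sb + 40, N_INODES)         # s_inodes_per_group
    struct.pack_into("<H", img, sb + 56, EXT_MAGIC)        # s_magic
    struct.pack_into("<I", img, sb + 76, 1)                # s_rev_level 1: s_inode_size is valid
    struct.pack_into("<IH", img, sb + 84, 11, INODE_SIZE)  # s_first_ino, s_inode_size
    struct.pack_into("<I", img, sb + 92, HAS_JOURNAL)      # s_feature_compat
    struct.pack_into("<I", img, sb + 224, 8)               # s_journal_inum
    struct.pack_into("<III", img, 2 * BLOCK, 3, 4, 5)      # bg_block_bitmap, bg_inode_bitmap, bg_inode_table
    for ino, mode, size, dtime, allocated in inodes:
        off = 5 * BLOCK + (ino - 1) * INODE_SIZE
        # i_mode, i_uid, i_size, i_atime, i_ctime, i_mtime, i_dtime, i_gid, i_links_count
        struct.pack_into("<HHIIIIIHH", img, off, mode, 0, size, 1, 1, 1, dtime, 0, 0 if dtime else 1)
        if allocated:
            img[4 * BLOCK + (ino - 1) // 8] |= 1 << ((ino - 1) % 8)
    return bytes(img)


def build_demo_image():
    """Constructed sample: live root dir, three deleted files, one deleted dir."""
    return build_image([
        (2, 0o040755, 1024, 0, True),                      # root directory, live
        (12, 0o100644, 4096, epoch("2022-12-31"), False),  # deleted before 2023
        (13, 0o100644, 20000, epoch("2023-03-15"), False),
        (14, 0o100644, 512, epoch("2023-06-01"), True),    # deleted, inode number reused since
        (15, 0o040755, 1024, epoch("2023-02-02"), False),  # deleted directory
    ])


def parse_superblock(img):
    """Read the fields a --superblock style dump needs; refuse non-ext magic."""
    sb = 1024
    (magic,) = struct.unpack_from("<H", img, sb + 56)
    if magic != EXT_MAGIC:
        raise ValueError("bad superblock magic 0x%04x" % magic)
    (inodes_count,) = struct.unpack_from("<I", img, sb)
    first_data_block, log_bs = struct.unpack_from("<II", img, sb + 20)
    (inodes_per_group,) = struct.unpack_from("<I", img, sb + 40)
    (rev,) = struct.unpack_from("<I", img, sb + 76)
    (inode_size,) = struct.unpack_from("<H", img, sb + 88)
    (compat,) = struct.unpack_from("<I", img, sb + 92)
    (journal_inum,) = struct.unpack_from("<I", img, sb + 224)
    return {"block_size": 1024 << log_bs, "inodes_count": inodes_count,
            "inodes_per_group": inodes_per_group, "first_data_block": first_data_block,
            "inode_size": inode_size if rev >= 1 else 128,
            "has_journal": bool(compat & HAS_JOURNAL), "journal_inum": journal_inum}


def scan_inodes(img, deleted=False, after=None, before=None, allocated=None, directory=False):
    """Walk every group's inode table and apply ext3grep-style filters:
    deleted -> i_dtime != 0; after/before -> i_dtime in [after, before);
    allocated True/False -> inode-bitmap state; directory -> S_IFDIR only."""
    sb = parse_superblock(img)
    bs, ipg = sb["block_size"], sb["inodes_per_group"]
    gdt = (sb["first_data_block"] + 1) * bs  # group descriptor table follows the superblock
    hits = []
    for g in range((sb["inodes_count"] + ipg - 1) // ipg):
        bitmap_blk, table_blk = struct.unpack_from("<II", img, gdt + g * 32 + 4)
        for i in range(ipg):
            off = table_blk * bs + i * sb["inode_size"]
            mode, _, size, _, _, _, dtime, _, links = struct.unpack_from("<HHIIIIIHH", img, off)
            if mode == 0 and dtime == 0:
                continue  # never used
            is_alloc = bool((img[bitmap_blk * bs + i // 8] >> (i % 8)) & 1)
            if deleted and dtime == 0:
                continue
            if after is not None and dtime < after:
                continue
            if before is not None and dtime >= before:
                continue
            if allocated is not None and is_alloc != allocated:
                continue
            if directory and (mode & 0xF000) != 0x4000:
                continue
            hits.append({"ino": g * ipg + i + 1, "mode": mode, "size": size, "dtime": dtime,
                         "links": links, "allocated": is_alloc,
                         # what --reallocated stops suppressing: deleted entry, inode live again
                         "reallocated": dtime != 0 and is_alloc})
    return hits


if __name__ == "__main__":
    image = build_demo_image()
    print(parse_superblock(image))
    for h in scan_inodes(image, deleted=True, after=epoch("2023-01-01")):
        print(h["ino"], oct(h["mode"]), h["size"],
              datetime.fromtimestamp(h["dtime"], timezone.utc).date(), h["reallocated"])
```

Run it directly to print the parsed superblock and the entries deleted from 2023 onwards. What the toy deliberately stops short of is the hard part: because ext3 zeroes the block pointers of a deleted inode, this scan only tells you which inodes were deleted, when, and whether their numbers have been reused; finding the data means recovering an older copy of the inode from the journal, which is the work ext3grep does for you.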

Installation

bash
sudo apt install ext3grep

Flags

--version, -[vV]        Print version and exit successfully.
--help                  Print this help and exit successfully.
--superblock            Print contents of superblock in addition to the rest. If no action is specified then this option is implied.
--print                 Print content of block or inode, if any.
--ls                    Print directories with only one line per entry. This option is often needed to turn on filtering.
--accept filen          Accept 'filen' as a legal filename. Can be used multiple times.
--group grp             Only process group 'grp'.
--directory             Only process directory inodes.
--after dtime           Only entries deleted on or after 'dtime'.
--before dtime          Only entries deleted before 'dtime'.
--deleted               Only show/process deleted entries.
--allocated             Only show/process allocated inodes/blocks.
--unallocated           Only show/process unallocated inodes/blocks.
--reallocated           Do not suppress entries with reallocated inodes.
--inode-to-block ino    Print the block that contains inode 'ino'.
--inode ino             Show info on inode 'ino'. If --ls is used and the inode is a directory, then the filters apply to the entries of the directory. If you do not use --ls then --print is implied.
--block blk             Show info on block 'blk'. If --ls is used and the block is the first block of a directory, then the filters apply to entries.

Examples

Display help information and available options for ext3grep.
ext3grep --help
Print the version of ext3grep (0.10.2) and exit.
ext3grep --version
Analyze the ext3 filesystem on /dev/sda1 (no action given, so --superblock is implied).
ext3grep /dev/sda1
Print contents of superblock from the ext3 filesystem on /dev/sda1.
ext3grep --superblock /dev/sda1
List only deleted entries from the ext3 filesystem on /dev/sda1.
ext3grep --deleted --ls /dev/sda1
Show information on inode 12345 from /dev/sda1 (--print is implied because --ls is not given).
ext3grep --inode 12345 /dev/sda1
List the directory entries of inode 12345 on /dev/sda1, one per line, with any filters given (--deleted, --after, --before, ...) applied to those entries. Inode 2 is the root directory of every ext2/ext3 filesystem, so --inode 2 is the usual starting point.
ext3grep --inode 12345 --ls /dev/sda1
List entries of the root directory deleted on or after 2023-01-01. 'dtime' is seconds since the epoch, as stored in the inode, so convert the date first; the filters need --ls and a directory to act on, otherwise only the implied --superblock dump is produced.
ext3grep --ls --inode 2 --deleted --after $(date -d 2023-01-01 +%s) /dev/sda1
Updated 2026-04-16. Source: kali.org