
ext4magic

ext4magic recovers deleted files from ext3 or ext4 partitions using file carving techniques. It extracts data directly from the filesystem journal to restore files with original filenames, owners, groups, modes, and timestamps.

Description

ext4magic is a file carver designed for recovering deleted files from ext3 or ext4 filesystems. It is particularly useful in disaster recovery scenarios or digital forensics investigations where standard file deletion has zeroed out block references in inodes, making traditional recovery impossible.

The tool leverages the filesystem journal to reconstruct sufficient information for recovering many data files, including entire directory trees when journal data is adequate. It supports recovery of most file types while preserving original metadata such as filenames, owner and group information, file mode bits, and atime/mtime stamps.

ext4magic is installed via apt on Kali Linux and depends on libraries like libblkid1, libbz2-1.0, libc6, libext2fs2t64, libmagic1t64, libuuid1, and zlib1g.

How It Works

ext4magic operates by parsing the ext3/ext4 filesystem journal to extract information about deleted files. Since file deletion zeros block references in inodes, the tool recovers data directly from journal entries, enabling restoration of files, directory structures, and metadata without relying on inode data alone.
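
The journal layout this approach depends on, as an added Python example (not ext4magic's own code): it scans a raw JBD2 journal image and lists which filesystem blocks each transaction holds a copy of, since an older journaled copy of an inode-table block is where block references from before a deletion can survive. The sample journal, the block numbers 1057/1058 and all function names are constructed for illustration; the CSUM_V3 tag layout and wrap-around of a transaction across the journal end are not handled.

```python
import struct

MAGIC = 0xC03B3998                     # JBD2 block header magic (big-endian on disk)
DESCRIPTOR, COMMIT, SB_V2 = 1, 2, 4    # h_blocktype values used here
SAME_UUID, LAST_TAG = 0x2, 0x8         # per-tag flags
INCOMPAT_64BIT, INCOMPAT_CSUM_V2, INCOMPAT_CSUM_V3 = 0x2, 0x8, 0x10

def journal_copies(journal: bytes):
    """Return [(sequence, fs_block, journal_block, committed)] for each logged block copy."""
    magic, sb_type, _, bsize, maxlen, first = struct.unpack_from(">6I", journal, 0)
    if magic != MAGIC or bsize == 0:
        raise ValueError("not a JBD2 journal image")
    incompat = struct.unpack_from(">I", journal, 0x28)[0] if sb_type == SB_V2 else 0
    if incompat & INCOMPAT_CSUM_V3:
        raise ValueError("CSUM_V3 tag layout is outside this example")
    wide = incompat & INCOMPAT_64BIT
    tag_len = 8 + (2 if incompat & INCOMPAT_CSUM_V2 else 0) + (4 if wide else 0)
    copies, committed = [], set()
    blk, nblocks = first, min(maxlen, len(journal) // bsize)
    while blk < nblocks:               # linear scan: also sees checkpointed transactions
        off, blk = blk * bsize, blk + 1
        magic, btype, seq = struct.unpack_from(">III", journal, off)
        if magic != MAGIC:
            continue                   # data block or unused space
        if btype == COMMIT:
            committed.add(seq)
        elif btype == DESCRIPTOR:
            pos, end = off + 12, off + bsize
            while pos + tag_len <= end:
                fs_block, flags = struct.unpack_from(">I2xH", journal, pos)
                if wide:               # upper 32 bits of the block number
                    fs_block |= struct.unpack_from(">I", journal, pos + 8)[0] << 32
                copies.append((seq, fs_block, blk))
                blk += 1               # each tag owns the next journal block
                pos += tag_len + (0 if flags & SAME_UUID else 16)
                if flags & LAST_TAG:
                    break
    return [(s, f, j, s in committed) for s, f, j in copies]

def _blk(btype, seq, body=b"", size=1024):
    return (struct.pack(">III", MAGIC, btype, seq) + body).ljust(size, b"\0")

def sample_journal():
    """Constructed 8-block journal: seq 7 committed, seq 8 has no commit block."""
    tag = lambda fs_block, flags: struct.pack(">IHH", fs_block, 0, flags)
    d7 = _blk(DESCRIPTOR, 7, tag(1057, 0) + bytes(16) + tag(1058, SAME_UUID | LAST_TAG))
    d8 = _blk(DESCRIPTOR, 8, tag(1057, LAST_TAG) + bytes(16))
    return (_blk(SB_V2, 0, struct.pack(">III", 1024, 8, 1)) + d7 + bytes(2048)
            + _blk(COMMIT, 7) + d8 + bytes(2048))
```

In the constructed journal, filesystem block 1057 appears in two transactions; only the copy from sequence 7 is backed by a commit block, so it is the one to trust when looking for an older version of that block.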

Installation

    sudo apt install ext4magic

Flags

-M                  Used with [-j <journal_file>] [-d <target_dir>] <filesystem> for recovery
-m                  Used with [-j <journal_file>] [-d <target_dir>] <filesystem> for recovery
-S                  Scan mode option
-J                  Journal mode option
-H                  Mode option
-V                  Mode option
-T                  Mode option
-x                  Option used with scan/journal modes
-j <journal_file>   Specify journal file
-d <target_dir>     Specify target directory for recovery
-B n                Block option
-I n                Inode option
-f <file_name>      Specify file name
-i <input_list>     Specify input list
-t n                Time option
-a n                Time range start
-b n                Time range end
-R                  Recovery option
-r                  Recovery option
-L                  List option
-l                  List option
-Q                  Quiet option

Examples

Display help and usage information; also shows an error for the missing device name and options:
    ext4magic -h
Major recovery mode using journal and target directory:
    ext4magic -M [-j <journal_file>] [-d <target_dir>] <filesystem>
Minor recovery mode using journal and target directory:
    ext4magic -m [-j <journal_file>] [-d <target_dir>] <filesystem>
Advanced scan or recovery with various modes, filters, time ranges, and output options:
    ext4magic [-S|-J|-H|-V|-T] [-x] [-j <journal_file>] [-B n|-I n|-f <file_name>|-i <input_list>] [-t n|[[-a n][-b n]]] [-d <target_dir>] [-R|-r|-L|-l] [-Q] <filesystem>
Scan mode to recover files to target directory:
    ext4magic -S -d /recover <filesystem>
Journal mode recovery using specified journal file:
    ext4magic -J -j journal.img -R <filesystem>
Recover files based on a specific timestamp:
    ext4magic -t 1234567890 -d /output <filesystem>
Updated 2026-04-16 (kali.org)