
extundelete

Utility to recover deleted files from ext3/ext4 partitions using journal information. There is no guarantee that any particular file can be undeleted.

Description

extundelete is a tool designed to recover deleted files from ext3 or ext4 partitions. It leverages the information stored in the partition's journal to attempt recovery of deleted files. The tool is particularly useful in forensic scenarios where data recovery is needed from improperly unmounted or damaged filesystems.

Use cases include recovering important files after accidental deletion, forensic investigations requiring retrieval of deleted data, and analysis of ext3/ext4 partitions. The partition should be unmounted to avoid further data loss, and running fsck is recommended if it was improperly unmounted. The tool warns that extended attributes are not restored, and that deleted data may be overwritten if recovery proceeds without this preparation.

The tool outputs recovered files to a RECOVERED_FILES directory by default, or a custom directory specified with -o. It provides options for filtering deletions by time and inspecting inodes, blocks, superblocks, and journals.

How It Works

extundelete uses the information stored in the ext3/ext4 partition's journal to locate and reconstruct deleted files. It loads filesystem metadata and journal descriptors to process deletion entries. Files are restored by inode number or by path relative to the partition root, with output written to a RECOVERED_FILES directory. It warns when the filesystem has the EXT3_FEATURE_INCOMPAT_RECOVER flag set, and it does not restore extended attributes.

Installation

```bash
sudo apt install extundelete
```

Flags

--version, -[vV]    Print version and exit successfully.
--help              Print this help and exit successfully.
--superblock        Print contents of superblock in addition to the rest. If no action is specified then this option is implied.
--journal           Show content of journal.
--after dtime       Only process entries deleted on or after 'dtime'.
--before dtime      Only process entries deleted before 'dtime'.
--inode ino         Show info on inode 'ino'.
--block blk         Show info on block 'blk'.
--restore-inode ino[,ino,...]   Restore the file(s) with known inode number 'ino'. The restored files are created in ./RECOVERED_FILES with their inode number as extension (i.e., file.12345).
--restore-file 'path'   Will restore file 'path'. 'path' is relative to the root of the partition and does not start with a '/'.
--log D1=0,D2=filename  Custom control of log messages with a comma-separated list of options. Dn must be one of info, warn, or error. Examples: --log info,error --log warn=0 --log error=filename
-o directory        Save the recovered files to the named directory.

Examples

Read the partition (/dev/sda1) and restore the given file name (root/importantfile). Outputs to RECOVERED_FILES/ after loading metadata and journal.
extundelete /dev/sda1 --restore-file root/importantfile
Print usage help and available options.
extundelete --help
Print contents of superblock for the device.
extundelete /dev/sda1 --superblock
Show content of journal for the partition.
extundelete /dev/sda1 --journal
Show info on specific inode '12345'.
extundelete /dev/sda1 --inode 12345
Restore the file with inode 12345 to RECOVERED_FILES, named with the inode number as its extension (file.12345).
extundelete /dev/sda1 --restore-inode 12345
Process only entries deleted on or after the given dtime, expressed in Unix epoch seconds (1640995200 is 2022-01-01 00:00:00 UTC).
extundelete /dev/sda1 --after 1640995200
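As an added example (not code from the extundelete project or from kali.org), the preparation the Description recommends, scripted: refuse a mounted device, image it, then run extundelete against the image with an epoch-converted --after filter and a custom -o directory. The helper names (to_epoch, build_cmd, recover) and the file:/inode: target syntax are this example's own assumptions.

```bash
# Added example (not extundelete's own code): a conservative recovery
# workflow that refuses a mounted filesystem, images the partition first
# and runs extundelete against the image rather than the live device.

# Convert a human-readable UTC timestamp to the epoch seconds that
# --after/--before expect (assumes GNU date).
to_epoch() {
    date -u -d "$1" +%s
}

is_mounted() {
    grep -qs "^$1 " /proc/mounts
}

# Print the extundelete arguments, one per line.
#   build_cmd IMAGE OUTDIR AFTER TARGET
# AFTER is a timestamp or empty; TARGET is "file:PATH" or "inode:N".
build_cmd() {
    local image="$1" outdir="$2" after="$3" target="$4" path
    printf '%s\n' "$image" -o "$outdir"
    if [ -n "$after" ]; then
        printf '%s\n' --after "$(to_epoch "$after")"
    fi
    case "$target" in
        file:*)
            # --restore-file paths are relative to the partition root and
            # must not start with '/', so strip a leading slash.
            path="${target#file:}"
            printf '%s\n' --restore-file "${path#/}" ;;
        inode:*)
            printf '%s\n' --restore-inode "${target#inode:}" ;;
        *)
            echo "unknown target: $target" >&2
            return 1 ;;
    esac
}

# recover DEVICE IMAGE OUTDIR AFTER TARGET
recover() {
    local dev="$1" image="$2" outdir="$3" after="$4" target="$5" args
    if is_mounted "$dev"; then
        echo "$dev is mounted; unmount it before recovery" >&2
        return 1
    fi
    # Image the device once; every later read hits the copy, not the device.
    dd if="$dev" of="$image" bs=4M conv=noerror,sync
    mapfile -t args < <(build_cmd "$image" "$outdir" "$after" "$target")
    mkdir -p "$outdir"
    extundelete "${args[@]}"
}
```

A typical call is `recover /dev/sda1 /mnt/evidence/sda1.img /mnt/evidence/out '2022-01-01 00:00:00' file:root/importantfile`, run as root with the evidence directory on a different filesystem than the one being recovered.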
Updated 2026-04-16, kali.org