ext4magic(8) | Administrations Tool | ext4magic(8) |
ext4magic - recover deleted files on ext3/4 filesystems
ext4magic {-M|-m} [-j <journal_file>] [-d <target_dir>] <filesystem>
ext4magic [-S|-J|-H|-V|-T] [-x] [-j <journal_file>] [-B n|-I n|-f <file_name>|-i <input_list>] [-t n|[[-a n][-b n]]] [-d <target_dir>] [-R|-r|-L|-l] [-Q] <filesystem>
The deletion of files in ext3/4 filesystems cannot easily be reversed. Zeroing out the block references in the Inodes makes that impossible. Experience with other programs has shown that it is often possible to restore enough information to recover many data files directly from the filesystem Journal. ext4magic can extract this information from the Journal and can restore files in entire directory trees, provided that the information in the Journal is sufficient. This tool can recover most file types, can recover large and sparse files, and recovers files with the original filename, the original owner and group, the original file mode bits, and also the old atime/mtime stamps.
The filesystem Journal has a very different purpose, and it will not be possible to recover any file at any time. Many factors affect which data is stored in the Journal and for how long. Read the ext4magic documentation for more extensive information about the filesystem Journal.
Magic Options: These options are for a multi-stage recovery, especially for restoring files after a recursive deletion of parts of the file system or of the whole file system. (The third step is currently available for ext3 in versions 0.2.x; for ext4 it is included in version 0.3.x.)
Unmount the file system directly after an accidental destruction and use these options with the unmounted file system or with a copy of this file system. The program automatically determines the correct time options if the deletion ran only for a short time (< 5 min). For very large deletions, you must use the "after time"
In the first and second step, files are restored from copies of inodes. The third step tries to restore the remaining files without inode copies. This may take a long time.
Information Options: These options generate generic status information from the filesystem and the Journal.
The optional option -x additionally provides a better resolution of the time intervals.
Selection Options: These options specify the exact files, directories, and data blocks. On the one hand they produce specific information, and on the other hand they are used to address the data for the Action Options. ext4magic accepts only one of these options per command.
With the option -t n, a copy of the filesystem data block with this transaction number is printed from the Journal.
# ext4magic /dir/filesystem.iso -B 97 -t 22
Prints a hexdump of the copy of filesystem block number 97 that was written to the Journal with transaction number 22. All copies of a particular data block in the Journal, and the associated transaction numbers, can be found with the optional option -T
# ext4magic /dir/filesystem.iso -B 97 -T
Prints a list of all copies of filesystem block number 97 with their transaction numbers. If this data block is an Inode block, the optional option -x prints the exact time of the transaction.
Together with one of the options -T or -J, the output is not the content of the real filesystem Inode. Instead, the content of all different Inode copies found in the Journal is printed.
With the option -t n, only the content of the Inode from transaction "n" is printed.
The option -I n can also be used in conjunction with the options -L, -l, -r or -R (see there).
An example: the mount point for this filesystem is "/home" and the filename for Linux is "/home/usr1/Document"; you can now use
# ext4magic /dev/sda3 -f usr1/Document
For the root directory of the filesystem you can use
-f /
or
-f ""
For ext4magic these are the same.
For all other filenames you should specify no leading "/", and directory names should be specified without a final "/".
Expert Options: (new 0.2.1) The optional Expert-Mode must be enabled with the option "--enable-expert-mode" when running configure. This makes it possible to open and recover file systems that are corrupted at the front. In the current version it is possible to address backup superblocks, to attempt to recover the Journal address from the data of the superblock, and to recover all undamaged files after the filesystem was partially damaged or overwritten.
The options must be used in the order "-s ... -n ..."
Example: the first few megabytes of the file system are overwritten. The following command tries to copy all undamaged files of the filesystem. The target directory is "/tmp/recoverdir".
# ext4magic /dev/sda1 -s 4096 -n 32768 -c -D -d /tmp/recoverdir
With the option "-Q", ext4magic works more accurately and can avoid such false and duplicate files. This requires old data blocks of the directories in the Journal. You will not find such old blocks in the Journal for all directories: only for directories in which files have previously been created or deleted, not for directories in which nothing has changed for a long time. You should set the time stamp "before" to immediately before the destruction time of the files. If not enough directory data is available, ext4magic may be unable to find deleted files or entire directory contents. This option should be used very carefully and will achieve good results only in a few directories.
Time Options: With these options you specify a time window in which the program searches for matching time stamps in the Journal data. ext4magic requires two times for most internal functions: a time "after" and a time "before".
A found Inode is only accepted if it is not deleted and its time stamp is less than "before". If the delete time is less than "after", the Inode is also not used. For a valid directory Inode, ext4magic also tries to find time-matching directory data. For a recover action, set "before" to a time at which the data was deleted, and "after" to a time at which the data was available. Inodes and directory data with other timestamps are skipped and not used.
By default, without any time option, ext4magic searches with "now" for the internal time "before" and "now -24 hour" for the internal time "after". If you try to recover without any time option, you search only over the last 24 hours. If you wait a couple of days before you try to recover deleted data, you must always use time options, or you will find nothing.
n is the number of seconds since 1970-01-01 00:00:00 UTC. This time information appears in many outputs of ext4magic; you can also produce it on the console with the command "date" and insert it directly in the ext4magic command line.
-a $(date -d "-3day" +%s) -b $(date -d "-2day" +%s)
This example sets "after=now-36h" and "before=now-24h".
File-, IN- and OUT-Options: With this option group you select the filesystem and other optional file input and output for the control of ext4magic.
Blank lines, filenames that are not cleanly double-quoted, and everything before and after the " characters are ignored. Such a double-quoted list of file names can be created by ext4magic with the options -l -x or -L -x and edited by script or by hand.
Action Options: This option group includes the list and recover options. All of these functions work recursively through directory trees, controlled by the time options. The starting point of the search is determined by a directory name or a directory Inode number; the default is the root of this filesystem. The filesystem data, including directory data, is taken from the Journal according to the time options. If good data for the file system sections is available in the Journal, it is possible to see or recover the state of the filesystem at different times.
Likewise double-quoted file names with optional -x
The recovered files are written to RECOVERDIR/. This can also be set to an alternate <target_dir> with the option -d
All files get their old filename and, if possible, also their old file properties. A subdirectory tree can be selected with "-f dirname" or "-I inodenumber". If used with a given Inode number, the directory name is set to <inodenumber>
The time options affect the search. If a file name already exists, or you recover again, files are not overwritten; a new filename is created by appending a final "#". The maximum is the extension "#####" for a filename.
Single files can also be recovered, optionally searched by time stamps or transaction number.
(new 0.2.1): If this function is started from the root directory, the first stage of the magic functions follows.
This starts the "lost directory search" and "lost file search" and recovers all deleted inodes that cannot be assigned to a file name. You can find these files in the directories MAGIC-1 and MAGIC-2
But there are two very important differences: all matched Inodes are recovered, even if their blocks are allocated, and the old directory properties are recovered if possible. Empty directories are also restored. This recovers all deleted and all undeleted files, and it is possible to recover older file versions or directory versions.
In completely deleted directories the behavior of "-R" and "-r" is identical. The only difference there is the complete recovery of all directories with the option "-R". You can also restore individual files with time options or a transaction number.
In all recover cases, ACL, SEL and other extended attributes cannot be recovered in the current version.
Each output line starts with a string "--------" before the recovered file name. This is a sign of a successful recovery. If there are not enough permissions to write the recovered files, you will see some "x" characters in the string.
At the end of the process, a report may come from the hardlink database. A positive number before a file name means that not all hardlinks to this file were found. A negative number means that too many hardlinks to this file were created. (Possible causes are reused filenames or reused Inodes, and therefore too many or wrong old filenames for this hardlink. It is also possible that all files for this hardlink are correct, but the time options were not set correctly and because of that the inode selected for the recovery was not up to date. You should check such reports.)
Re-used data blocks cannot be detected, so some recovered files may be corrupted. In any case, check all the recovered files before you use them.
# ext4magic /dev/sda3 -f /
# ext4magic /dev/sda3 -I 2
The output is the actual filesystem root Inode. The first example takes the pathname as input; in the second example, Inode 2 is also the root directory.
# ext4magic /tmp/filesystem.iso -f / -T -x
Use the filesystem image "/tmp/filesystem.iso", search for and print all transactions of the block which includes the root Inode, and print all different Inode copies, including the block list of the data blocks. If it is a directory, also print the content of the directory for each individual Inode.
# ext4magic /tmp/filesystem.iso -j /tmp/journal.backup -I 8195 -t 182
Use the filesystem image "/tmp/filesystem.iso", read from the external Journal in the file "/tmp/journal.backup", and print the content of Inode number 8195 from journal transaction number 182.
# ext4magic /dev/sda3 -f user1/Documents -a $(date -d "-3 day" +%s) -b $(date -d "-2 day" +%s)
Print an undeleted Inode for the pathname "user1/Documents" from two to three days back. If it is a directory, also print the content of this directory. If the old directory blocks cannot be found in the Journal, the directory content is the current one from the filesystem.
# ext4magic /dev/sda3 -r -f user1/picture/cim01234.jpg -d /tmp
Recover the file "/home/user1/picture/cim01234.jpg" which has just been deleted. The file system is mounted normally under "/home". Note that the file path is specified from the root directory of the file system and not from the root of the entire Linux system. Whenever possible, unmount the file system for the recovery. The file will be written as "/tmp/user1/picture/cim01234.jpg".
# ext4magic /dev/sda3 -r
Try to restore all files deleted in the last 24 hours. Write to the directory "./RECOVERDIR/".
# ext4magic /dev/sda3 -R -a $(date -d "-5day" +%s)
Attempts to recover all files, even if they are already partially overwritten, and also recovers all files that are not deleted. The erase time is 4 days ago.
# ext4magic /dev/sda3 -M -d /home/recover
Try a multi-stage recovery of all files after the filesystem content was deleted with "rm -rf *". Write the files to "/home/recover". (On ext4, the last step is skipped in this version.)
# ext4magic /dev/sda3 -RQ -f user1/Dokuments -a 1274210280 -b 1274211280 -d /mnt/testrecover
Try to restore the directory tree "user1/Dokuments/". You must set the "-b" timestamp to just before the files were deleted; the "-a" timestamp prevents old file versions from being found. This only works well if files were created or deleted there before the "-b" timestamp. Write to the directory "/mnt/testrecover/". If only a few files are recovered, try the same without the option -Q
# ext4magic /home/filesystem.iso -Lx -f user1 | grep "jpg" > ./tmpfile
# ext4magic /home/filesystem.iso -i ./tmpfile -r -d /mnt/testrecover
Try to restore only the deleted files from the directory tree "user1/" that have "jpg" in the filename (last 24 hours), and write them to "/mnt/testrecover". A temporary file "./tmpfile" is used for the list of filenames.
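A stricter way to build the input list than a plain grep for "jpg", as an added example that is not part of the ext4magic documentation: it keeps only cleanly double-quoted names and matches the extension at the end of the name. The sample listing is constructed, the text before each quoted name is a placeholder rather than ext4magic's real output layout, and select_by_ext is a hypothetical helper name.

```shell
#!/bin/sh
# Constructed sample of a double-quoted listing. "<meta>" stands in for
# whatever precedes the name; it is not ext4magic's actual column layout.
sample_listing() {
cat <<'EOF'
<meta>  "user1/picture/cim01234.jpg"
<meta>  "user1/jpg-notes/todo.txt"

<meta>  "user1/picture/holiday.JPG"
<meta>  user1/picture/unquoted.jpg
<meta>  "user1/picture/bad"name.jpg"
<meta>  "user1/picture/scan.jpeg"
EOF
}

# select_by_ext EXT...
# Reads a listing on stdin and prints one quoted name per line, keeping only
# names whose final extension is one of EXT (compared case-insensitively).
select_by_ext() {
    exts=$(printf '%s|' "$@")
    exts=${exts%|}
    # Keep lines that hold exactly one "..." pair and drop the text around it;
    # blank lines and lines with stray or missing quotes print nothing.
    sed -n 's/^[^"]*\("[^"]*"\)[^"]*$/\1/p' |
        grep -E -i "\\.(${exts})\"\$"
}

# Real use (the command line is the one shown above, with grep replaced):
#   ext4magic /home/filesystem.iso -Lx -f user1 | select_by_ext jpg jpeg > ./tmpfile
sample_listing | select_by_ext jpg jpeg
```

The directory "jpg-notes" shows why the extension is anchored: a plain grep for "jpg" would also select the text file inside it.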
Direct use of the Journal of a filesystem that is currently open read-write leads to reading bad blocks. Such bad blocks cause program errors and false results. You should therefore never use the Journal of such a read-write open file system directly. Should it be necessary to use a mounted file system, create a copy of the file system journal and use the option -j
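One way to apply this rule before starting a recovery, as an added example that is not part of the ext4magic documentation: check how the device is mounted and, if it is open read-write, copy the journal with debugfs and pass the copy with -j. The helper names, the path /tmp/journal.copy and the sample mount table are assumptions made for the example.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format.
sample_mounts() {
cat <<'EOF'
/dev/sda3 /home ext4 rw,relatime 0 0
/dev/sdb1 /mnt/img ext3 ro,noatime 0 0
EOF
}

# mount_state DEVICE [MOUNTS_FILE]: print "rw", "ro" or "unmounted".
# The device string is compared literally with field 1 of the mount table
# (assumption: the same device path is used in both places). "-" reads stdin.
mount_state() {
    awk -v dev="$1" '
        $1 == dev {
            seen = 1
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) if (opt[i] == "rw") rw = 1
        }
        END { print seen ? (rw ? "rw" : "ro") : "unmounted" }
    ' "${2:-/proc/mounts}"
}

# plan_recover DEVICE TARGET_DIR [MOUNTS_FILE]: print the commands to run.
# Nothing is executed here, so the plan can be reviewed first.
plan_recover() {
    jcopy=/tmp/journal.copy   # hypothetical location for the journal copy
    case $(mount_state "$1" "$3") in
        rw) # Inode 8 is the usual internal journal inode on ext3/4;
            # debugfs opens the filesystem read-only unless -w is given.
            printf '%s\n' "debugfs -R \"dump <8> $jcopy\" $1"
            printf '%s\n' "ext4magic $1 -j $jcopy -r -d $2" ;;
        *)  printf '%s\n' "ext4magic $1 -r -d $2" ;;
    esac
}

sample_mounts | plan_recover /dev/sda3 /mnt/testrecover -
```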
Roberto Maar
debugfs (8) , e2fsck (8)
Oct 2014 | version 0.3.2 |