Extundelete

From Notes_Wiki

Home > CentOS > CentOS 6.x > Recovery tools > Extundelete

We can recover files deleted on ext3 or ext4 partition using extundelete program. The tool is available pre-installed on Kali Linux. For other distributions it can be downloaded from https://sourceforge.net/project/platformdownload.php?group_id=260221 extundelete requires e2fsprogs support which is available at http://prdownloads.sourceforge.net/e2fsprogs/e2fsprogs-1.41.14.tar.gz or http://prdownloads.sourceforge.net/e2fsprogs/e2fsprogs-1.41.14.tar.gz

extundelete man page at http://extundelete.sourceforge.net/ says that both e2fslibs and e2fsprogs are required for extundelete. But practical experiences suggest that only e2fsprogs is enough, some separate program with name e2fslibs is not required.

Typical use of extundelete is to restore all files using:

extundelete /dev/sda4 --restore-all

More advanced and efficient use of extundelete can be by use of option '--after <date>' where date is number of seconds since epoch (1 January, 1970). We can use 'date -d "Aug 1 9:02" +%s ' to convert date from human readable format to seconds. Similarly we can use 'date -d@1234567890' to convert date given in seconds to human readable format.

ext3grep is another tool which claims to be very good. But ext3grep has been found to fail with some assertion on most uses. extundelete is more stable and has always worked. ext3grep also takes considerable time scanning all ext3 groups, but then final results are not so good as it does not restores files properly and crashes.


Home > CentOS > CentOS 6.x > Recovery tools > Extundelete