Provided by: ext4magic_0.3.1-2_i386

NAME

       ext4magic - recover deleted files on ext3/4 filesystems

SYNOPSIS

       ext4magic {-M|-m} [-j <journal_file>] [-d <target_dir>] <filesystem>

       ext4magic  [-S|-J|-H|-V|-T]  [-x]  [-j  <journal_file>]  [-B  n|-I n|-f
       <file_name>|-i <input_list>] [-t n|[[-a n][-b  n]]]  [-d  <target_dir>]
       [-R|-r|-L|-l] [-Q] <filesystem>

DESCRIPTION

       Deleting files on ext3/4 filesystems cannot easily be reversed: the
       block references in the Inodes are zeroed out, which makes a direct
       undelete impossible. Experience with other programs has shown that
       it is often possible to restore enough information to recover many
       data files directly from the filesystem Journal. ext4magic can
       extract this information from the Journal and can restore files in
       entire directory trees, provided that the information in the Journal
       is sufficient. The tool can recover most file types, including large
       and sparse files, and restores files with their original filename,
       the original owner and group, the original file mode bits, and also
       the old atime/mtime stamps.

       The filesystem Journal has a very different purpose, and it will not
       be possible to recover every file at any time. Many factors affect
       which data is stored in the Journal and for how long. Read the
       ext4magic documentation for more extensive information about the
       filesystem Journal.

OPTIONS

       Magic Options: (new in version 0.2.0) These options are for a
       multi-stage recovery, especially for restoring files after a
       recursive deletion of parts of the file system or of the whole file
       system. (The third step is currently available for ext3 in versions
       0.2.x; a new experimental function for ext4 is included in version
       0.3.0-pv0.)

       Unmount the file system directly after an accidental deletion and use
       these options with the unmounted file system or with a copy of this
       file system. The program automatically determines the correct time
       options if the deletion ran only for a short time (< 5 min). For very
       large deletions, you must use the "after" time.

       In the first and second step, files are restored from copies of
       inodes. The third step tries to restore the remaining files without
       inode copies. This may take a long time.

       -M     Try to recover all files. This option should be used if the
              entire filesystem was deleted.

       -m     Try to recover only the deleted files. Use this option with a
              partially deleted filesystem.

       Information Options: These options generate generic status  information
       from the filesystem and the Journal.

       -S     Print the filesystem superblock. The option -x additionally
              displays the content of the group descriptor table.

       -J     Print the content of the Journal superblock. This option can
              also be used to force loading of the Journal. This has a flow
              control effect in ext4magic when combined with some other
              options.

       -H     Output a histogram of the time stamps of all filesystem Inodes.
              This allows you to determine the exact time of changes in the
              filesystem. In connection with a directory name or a directory
              Inode, only the time stamps of this directory tree are
              displayed. Not every change is evaluated, only one per Inode:
              either the last change or the deletion time of each Inode is
              displayed. If present (ext4), a histogram of the create time
              stamps is also produced.

              The optional -x additionally gives a better resolution of the
              time intervals.

       -V     Print the version of ext4magic and libext2fs

       -T     Display the entire transaction list of all copies of data blocks
              in the Journal. In conjunction with -B ; -I or -f , display
              only the data blocks that correspond to that selection. The
              optional -x additionally prints a transmission time for the
              transactions, but only if the block is an Inode block. The
              output is in the same order as the data in the Journal, so you
              can draw conclusions from the data held in the Journal. After
              backups have been imported or the timestamps of files have been
              changed, the additional transmission time does not always show
              the real transmission time. If the time entries are completely
              wrong, check whether you are using the journal of a file system
              that is open read-write.

       -x     Optionally controls the output format and the information
              content of certain commands. It affects the following options:
              -S ; -H ; -T ; -B ; -I ; -f ; -L ; -l. See there for a detailed
              description.

       Selection Options: These options specify the exact files, directories
       and data blocks. On the one hand they produce specific information,
       and on the other hand they are used to address the data for the
       Action Options. ext4magic accepts only one of these options per
       command.

       -B n   n is the number of a filesystem data block. Without further
              options, a "one-byte" hex+ASCII dump of the data block on the
              filesystem is printed, like the "hexdump -C" command. The
              optional -x produces a "four byte" hex+ASCII output.

              With the option -t n, a copy of the filesystem data block with
              this transaction number is printed from the Journal.

              # ext4magic /dir/filesystem.iso -B 97 -t 22

              prints a hexdump of the copy of filesystem block number 97
              that was written to the Journal with transaction number 22.
              All copies of a particular data block in the Journal, and the
              associated transaction numbers, can be found with the optional
              option -T

              # ext4magic /dir/filesystem.iso -B 97  -T

              prints a list of all copies of filesystem block number 97 with
              their transaction numbers. If this data block is an Inode
              block, the optional -x prints the exact time of each
              transaction.

       -I n   n is the Inode number. Without any other option, the output is
              the content of the real filesystem Inode. With the optional -x,
              a list of all data blocks addressed by this Inode is printed in
              addition. If the Inode is a directory Inode, the content of the
              directory entries is also printed.

              Together with one of the options -T ; -J the output is not the
              content of the real filesystem Inode. Instead, the content of
              all different Inode copies found in the Journal is printed.

              With the option -t n, only the content of the Inode from
              transaction "n" is printed.

              The option -I n can also be used in conjunction with the
              options -L ; -l ; -r or -R (see there).

       -f <filename>
              The function is the same as -I n, except that the <filename> is
              given instead of the Inode number. ext4magic searches the
              filesystem to find the Inode number. The name can be a
              directory or a file name and must be specified from the root
              directory of this filesystem, not from the root directory of
              the Linux system.

              An example: the mount point of this filesystem is "/home" and
              the file name under Linux is "/home/usr1/Document". You can
              then use
               # ext4magic /dev/sda3 -f usr1/Document

              For the root directory of the filesystem you can use

              -f /
               or

              -f ""
               for ext4magic this is the same.

              Specify all other file names without a leading "/", and
              directory names without a trailing "/".

       Expert Options: (new in 0.2.1) The optional Expert Mode must be
       enabled with the option "--enable-expert-mode" at configure time. It
       makes it possible to open and recover from corrupted file systems.
       In the current version it is possible to address backup superblocks,
       to attempt to recover the Journal address from the data of the
       superblock, and to recover all undamaged files after the filesystem
       was partially damaged or overwritten.

       -s blocksize -n blocknumber
              With these options you can select the backup superblock.
              blocksize can be 1024, 2048 or 4096. blocknumber is the block
              number of the backup superblock; it depends on the block size.
              Use the same values as with "fsck" or "debugfs", or use the
              output of "mkfs -n .." to determine the correct value.

              The options must be given in the order "-s ... -n ...".

       -c     This will attempt to find the journal using the data of the
              superblock. It can help if the first inode blocks of the file
              system are damaged.

       -D     Try to restore all files from a badly damaged file system.
              The combination of all these Expert Options attempts a file
              system restore if the superblock is broken and the beginning
              of the file system is corrupted or overwritten. This can only
              work if e2fsck has not yet changed the faulty file system.

              Example: the first few megabytes of the file system are
              overwritten. The following tries to copy all undamaged files
              of the filesystem. The target directory is "/tmp/recoverdir".

              # ext4magic /dev/sda1 -s 4096 -n 32768 -c -D -d /tmp/recoverdir

       -Q     This is an optional high-quality option for recovery and only
              has an effect with "-r" and "-R". Without this option, every
              valid file name is restored from the directories, and you can
              set the "before" time stamp to a time at which all files are
              deleted. This way you will find the maximum possible number of
              files, and old directory data blocks do not necessarily have
              to be found in the Journal. However, some files too many are
              found. In this mode, re-used file names and re-used Inodes
              cannot be noticed. As a result, some files will be created
              with the extension "#", or some files will be created with
              wrong content. You have to check the files, find the bad ones
              and delete them yourself.

              With the option "-Q", ext4magic works more accurately and can
              avoid such false and duplicate files. This requires old data
              blocks of the directories in the Journal. You will not find
              such old blocks in the Journal for all directories: only for
              directories in which files have previously been created or
              deleted, not for directories in which nothing has changed for
              a long time. You should set the "before" time stamp to
              immediately before the time the files were destroyed. If not
              enough directory data is available, ext4magic may not find
              deleted files or entire directory contents. This option should
              be used very carefully and will achieve good results only in
              a few directories.

       Time Options: With these options you specify the time window in which
       the program searches for matching time stamps in the Journal data.
       ext4magic requires two times for most internal functions: a time
       "after" and a time "before".

       A found Inode is only accepted if it is not deleted and its time
       stamp is less than "before". If the delete time is less than "after",
       the Inode is also not used. For a valid directory Inode, ext4magic
       additionally tries to find directory data that matches in time. For
       a recover action, set "before" to a time at which the data was
       deleted, and "after" to a time at which the data was available.
       Inodes and directory data with other timestamps are skipped and not
       used.

       By default, without any time option, ext4magic searches with "now" as
       the internal "before" time and "now -24 hour" as the internal "after"
       time. If you try to recover without any time option, you therefore
       search only the last 24 hours. If you wait a couple of days before
       you try to recover deleted data, you must always use time options, or
       you will find nothing.

       -a n   with this option you can set the "after" time

       -b n   with this option you can set the "before" time

              n is the number of seconds since 1970-01-01 00:00:00 UTC. This
              time value appears in many outputs of ext4magic; you can also
              produce it on the console with the command "date" and insert
              it directly into the ext4magic command line.

              -a $(date -d "-3day" +%s) -b $(date -d "-2day" +%s)

              this example set "after=now-36h" and "before=now-24h"

       -t n   is an indirect time option. You can use it with the options
              -B ; -I ; -f. The value n is the transaction number. With this
              option you can print, list, or recover the data from this
              transaction number. You can find the transaction numbers with
              the option -T or in the printout of the Inode content.

       File-, IN- and OUT-Options: With this option group you select the
       filesystem and other optional file input and output for controlling
       ext4magic.

       <filesystem>
              selects the filesystem and must always be set. <filesystem>
              can be a block device with an ext3/4 filesystem; it can also
              be an uncompressed file image of such a partition.

       -j <journal_file>
              Optionally you can select an external copy of the Journal file.
              Without this option, the internal Journal or, if configured,
              the external Journal on a block device is used automatically.

       -d <target_dir>
              Selects the output directory to which the recovered files are
              written. If it does not exist, it is created. By default,
              created files are written to the subdirectory "RECOVERDIR" in
              the working directory of the current shell. This output
              directory cannot be on the filesystem that is being examined,
              and should have sufficient space for the recovered files. The
              filesystem of this directory should also be ext3/4; otherwise,
              filesystems that are not Linux-like generate some errors while
              the file properties are written. Either change to such a
              suitable filesystem in the shell first, or specify -d with a
              target directory on such a filesystem.

       -i <input_list>
              input_list is an input file. It must contain a list of double-
              quoted file names. The files from the list are restored with
              the option -r or -R.

              Blank lines, file names that are not cleanly double-quoted,
              and everything before and after the " characters are ignored.
              Such a double-quoted list of file names can be created by
              ext4magic with the options -l -x or -L -x, and edited by
              script or by hand.

       Action Options: This option group includes the list and recover
       options. All of these functions work recursively through directory
       trees, controlled by the time options. The starting point for the
       search is determined by a directory name or a directory Inode number;
       the default is the root of this filesystem. The filesystem data,
       including directory data, that matches the time options is taken
       from the Journal. If good data from these sections of the file system
       is available in the Journal, it is possible to view or recover the
       state of the filesystem at different times.

       -L     Prints the list of all file names and Inode numbers of the
              selected directory tree. Deleted files and deleted directory
              trees are included. With the additional option -x the file
              names are printed double-quoted. You can use this as an
              "input list" for the option -i.

       -l     Prints a list of all file names that have unallocated data
              blocks. At the beginning of each line is the percentage of
              unallocated data blocks. After a deletion you find here all the
              file names you can recover with the Journal data. If you use a
              very old value for the "before" time, the list may contain
              files whose data blocks have been reused and which have
              themselves been deleted in the interim. The list also includes
              all files without data blocks, symbolic links, empty files and
              other special files.

              File names are likewise double-quoted with the optional -x.

       -r     Applied to directories, recovers all files that have no
              conflicts with occupied blocks. These are all the files you
              can see with the option -l that are 100% unallocated. This
              option recovers only deleted files and files without data
              blocks, for example symbolic links or empty files.

              The recovered files are written to RECOVERDIR/. An alternate
              <target_dir> can be set with the option -d.

              All files get their old file name and, if possible, their old
              file properties. A subdirectory tree can be selected with
              "-f dirname" or "-I inodenumber". If used with an Inode
              number, the directory name is set to <inodenumber>.

              The time options affect the search. If a file name already
              exists, or you recover again, existing files are not
              overwritten; a new file name is created by appending a final
              "#". The maximum is the extension "#####" for a file name.

              Single files can also be recovered, optionally searched by
              time stamps or transaction number.

              (new in 0.2.1): If this function is started from the root
              directory, the first stage of the magic functions follows.

              This starts the "lost directory search" and "lost file
              search" and recovers all deleted inodes that cannot be
              assigned to a file name. You can find these files in the
              directories MAGIC-1 and MAGIC-2.

       -R     Recovers a directory tree; it works the same as -r,

              but with two very important differences: all matched Inodes
              are recovered, even if their blocks are allocated, and the
              old directory properties are recovered if possible. Empty
              directories are also restored. This recovers all deleted and
              all undeleted files, and it is possible to recover older file
              versions or directory versions.

              In completely deleted directories the behavior of "-R" and
              "-r" is identical. The only difference there is the complete
              recovery of all directories with the option "-R". You can also
              restore individual files with time options or a transaction
              number.

       In all recover cases, ACL, SEL and other extended attributes cannot
       be recovered in the current version.

       Each line of the output starts with a string "--------" before the
       recovered file name. This is a sign of a successful recovery. If the
       permissions are not sufficient to write the recovered files, you will
       see some "x" in that string.

       At the end of the process, a report from the hardlink database may be
       printed. A positive number before a file name means: not all
       hardlinks to this file were found. A negative number means: too many
       hardlinks to this file were created (possible causes are reused file
       names or reused Inodes, and so too many or wrong old file names for
       this hardlink. It is also possible that all files for this hardlink
       are correct, but the time options were not set correctly and
       therefore the Inode selected for the recovery was not up to date.
       You should check such reports.)

       Re-used data blocks cannot be detected, so some corrupted files may
       result. In any case, check all the recovered files before you use
       them.

EXAMPLES

       Print the content of an Inode; there are several possibilities.

               # ext4magic /dev/sda3 -f /

               # ext4magic /dev/sda3 -I 2

              The output is the actual filesystem root Inode. The first
              example gives the pathname; in the second example, Inode 2 is
              also the root directory.

               # ext4magic /tmp/filesystem.iso -f / -T -x

              Use the filesystem image "/tmp/filesystem.iso", search for and
              print all transactions of the block that contains the root
              Inode, and print all different Inode copies, including the
              block list of the data blocks. If it is a directory, also
              print the content of the directory for each individual Inode.

               # ext4magic /tmp/filesystem.iso -j /tmp/journal.backup -I 8195 -t 182

              Use the filesystem image "/tmp/filesystem.iso", read from the
              external Journal in the file "/tmp/journal.backup", and print
              the content of Inode number 8195 from journal transaction
              number 182.

               # ext4magic /dev/sda3 -f user1/Documents -a $(date -d "-3 day" +%s) -b $(date -d "-2 day" +%s)

              Print an undeleted Inode for the pathname "user1/Documents"
              from two to three days back. If it is a directory, also print
              the content of this directory. If the old directory blocks
              cannot be found in the Journal, the directory content shown is
              the current one from the filesystem.

       Examples of simple Recover

               # ext4magic /dev/sda3 -r -f user1/picture/cim01234.jpg -d /tmp

              Recover the file "/home/user1/picture/cim01234.jpg", which has
              just been deleted. The file system is normally mounted under
              "/home". Note that the file path is specified from the root
              directory of the file system and not from the root of the
              entire Linux system. Whenever possible, unmount the file
              system for the recovery. The file will be written as
              "/tmp/user1/picture/cim01234.jpg".

               # ext4magic /dev/sda3 -r

              Try to restore all files deleted in the last 24 hours. Write
              to the directory "./RECOVERDIR/".

               # ext4magic /dev/sda3 -R -a $(date -d "-5day" +%s)

              Attempts to recover all files, even if they are already
              partially overwritten; also recovers all files that are not
              deleted. The erase time is 4 days ago.

               # ext4magic /dev/sda3 -M -d /home/recover

              Try a multi-stage recovery of all files after the filesystem
              was deleted with "rm -rf *". Write the files to
              "/home/recover". (On ext4, the last step is skipped in this
              version.)

               # ext4magic /dev/sda3 -RQ -f user1/Dokuments -a 1274210280 -b 1274211280 -d /mnt/testrecover

              Try to restore the directory tree "user1/Dokuments/". The "-b"
              timestamp must be set to just before the files were deleted;
              the "-a" timestamp prevents old file versions from being
              found. This will only work well if files were created or
              deleted there before the "-b" timestamp. Write to the
              directory "/mnt/testrecover/". If only a few files are
              recovered, try the same without the option -Q.

               # ext4magic /home/filesystem.iso -Lx -f user1 | grep "jpg" > ./tmpfile

               # ext4magic /home/filesystem.iso -i ./tmpfile -r -d /mnt/testrecover

              Try to restore only the deleted files from the directory tree
              "user1/" that have "jpg" in their file name (last 24 hours),
              and write them to "/mnt/testrecover". A temporary file
              "./tmpfile" is used for the list of file names.
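
       A stricter way to build the input list for -i, shown as an added
       example that is not part of ext4magic or of the original manual page.
       It selects on the extension of the quoted name only, whereas
       grep "jpg" matches anywhere on the line. The function names and the
       sample listing are constructed; the exact column layout of -Lx
       output is an assumption.

```shell
#!/bin/sh
# Added example (not part of ext4magic): build an input list for -i from
# "-Lx" / "-lx" output, selecting by file extension instead of a bare grep.
#
# Assumption: each listing line carries exactly one double-quoted file name.
# Any other text on the line (Inode number, percentage) is dropped, in the
# same way the -i option ignores everything outside the quotes.

# filter_list EXT   (reads the listing on stdin, writes the input list)
filter_list() {
    awk -F'"' -v ext="$1" '
        NF != 3 || $2 == "" { next }     # blank, unquoted or oddly quoted
        {
            n = split($2, part, "/")      # look at the last path component
            base = tolower(part[n])       # match .jpg and .JPG alike
            suffix = "." tolower(ext)
            start = length(base) - length(suffix) + 1
            if (start > 1 && substr(base, start) == suffix)
                printf "\"%s\"\n", $2
        }'
}

# Constructed sample listing; real output may use different columns.
sample_listing() {
    cat <<'EOF'
  8195  "user1/picture/cim01234.jpg"
  8196  "user1/picture/notes.txt"
  8200  "user1/jpg-exports/readme.txt"
  8201  "user1/picture/IMG_0002.JPG"

  8202  user1/picture/unquoted.jpg
EOF
}

# Demonstration on the sample; with a real image this would be
#   ext4magic /home/filesystem.iso -Lx -f user1 | filter_list jpg > ./tmpfile
sample_listing | filter_list jpg
```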

BUGS

       Direct use of the Journal of a filesystem that is currently open
       read-write leads to reading of bad blocks. Such bad blocks cause
       program errors and false results. You should therefore never use the
       Journal of such a read-write open file system directly. Should it be
       necessary to use a mounted file system, create a copy of the file
       system journal and use the option -j.
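
       The rule above and the time window from the Time Options section,
       turned into a pre-flight check. This is an added example, not part
       of ext4magic or of the original manual page: the function names are
       hypothetical, and the debugfs call in the comment assumes an
       internal journal on inode 8.

```shell
#!/bin/sh
# Added example (not part of ext4magic): pre-flight helpers that turn the
# journal rule and the time-window rule into command-line arguments.

# mount_state DEVICE [MOUNTS_FILE]  ->  prints unmounted | ro | rw
# MOUNTS_FILE uses the /proc/mounts layout (device mountpoint type options).
# DEVICE must be spelled exactly as it appears in that table.
mount_state() {
    awk -v dev="$1" '
        $1 == dev {
            state = "ro"
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) if (opt[i] == "rw") state = "rw"
            # A device can be mounted more than once; rw anywhere wins.
            if (state == "rw" || result == "") result = state
        }
        END { print (result == "" ? "unmounted" : result) }
    ' "${2:-/proc/mounts}"
}

# journal_args DEVICE JOURNAL_COPY [MOUNTS_FILE]
# Prints "-j JOURNAL_COPY" when DEVICE is open read-write, nothing otherwise.
# Fails if a copy is required but JOURNAL_COPY is missing or empty.
# One common way to make the copy is debugfs(8), where the internal journal
# is usually inode 8:  debugfs -R "dump <8> /tmp/journal.copy" /dev/sda3
journal_args() {
    if [ "$(mount_state "$1" "${3:-/proc/mounts}")" = rw ]; then
        if [ ! -s "$2" ]; then
            echo "$1 is mounted read-write: journal copy $2 not found" >&2
            return 1
        fi
        printf '%s\n' "-j $2"
    fi
}

# time_args DELETED_EPOCH [LOOKBACK_SECONDS]
# Prints "-a AFTER -b BEFORE": BEFORE is the deletion time, AFTER lies
# LOOKBACK_SECONDS earlier (default 86400), when the data still existed.
time_args() {
    deleted=$1
    lookback=${2:-86400}
    for value in "$deleted" "$lookback"; do
        case $value in
            ''|*[!0-9]*) echo "expected a number of seconds" >&2; return 1 ;;
        esac
    done
    if [ "$lookback" -gt "$deleted" ]; then
        echo "look-back reaches before 1970-01-01" >&2
        return 1
    fi
    printf '%s\n' "-a $((deleted - lookback)) -b $deleted"
}

# Example call; device, paths and deletion time are placeholders:
#   ext4magic /dev/sda3 $(journal_args /dev/sda3 /tmp/journal.copy) \
#       $(time_args 1274211280 1000) -r -d /mnt/testrecover
```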

AUTHOR

       Roberto Maar

SEE ALSO

       debugfs (8) , e2fsck (8)