Provided by: ext4magic_0.3.2-3_amd64

NAME

       ext4magic - recover deleted files on ext3/4 filesystems

SYNOPSIS

       ext4magic {-M|-m} [-j <journal_file>] [-d <target_dir>] <filesystem>

       ext4magic   [-S|-J|-H|-V|-T]   [-x]  [-j  <journal_file>]  [-B  n|-I  n|-f  <file_name>|-i
       <input_list>] [-t n|[[-a n][-b n]]] [-d <target_dir>] [-R|-r|-L|-l] [-Q] <filesystem>

DESCRIPTION

       The deletion of files on ext3/4 filesystems cannot easily be reversed. Zeroing out the
       block references in the Inodes makes that impossible. Experience with other programs has
       shown that it is often possible to restore enough information to recover many data files
       directly from the filesystem Journal. ext4magic can extract this information from the
       Journal and can restore files in entire directory trees, provided that the information in
       the Journal is sufficient. This tool can recover most file types, can recover large and
       sparse files, and restores files with their original filename, original owner and group,
       original file mode bits, and the old atime/mtime stamps.

       The filesystem Journal has a very different purpose, and it will not be possible to
       recover any file at any time. Many factors affect which data is stored in the Journal and
       for how long. Read the ext4magic documentation for more extensive information about the
       filesystem Journal.

OPTIONS

       Magic Options: These options are for a multi-stage recover, especially for restoring files
       after a recursive deletion of parts of or the whole file system. (The third step is
       currently available for ext3 in versions 0.2.x; one for ext4 is included in version 0.3.x.)

       Unmount the file system directly after an accidental deletion and use these options with
       the unmounted file system or with a copy of this file system. The program automatically
       determines the correct time options if the deletion ran only for a short time (< 5 min).
       For very large deletions, you must use the "after" time option (-a).

       In the first and second steps, files are restored from copies of Inodes. The third step
       tries to restore the remaining files without Inode copies. This may take a long time.

       -M     Try to recover all files. This option should be used if the entire filesystem was
              deleted.

       -m     Try to recover only the deleted files. Use this option with a partially deleted
              filesystem.

       Information Options: These options generate generic status information from the filesystem
       and the Journal.

       -S     Print the filesystem superblock. The option -x additionally displays the content of
              the group descriptor table.

       -J     Print the content of the Journal superblock. This option can also be used to force
              loading of the Journal. This has a flow control effect in ext4magic with some other
              options.

       -H     Output a histogram of the time stamps of all filesystem Inodes. This allows you to
              determine the exact time of changes in the filesystem. In connection with a
              directory name or a directory Inode, only the time stamps of this directory tree
              are displayed. Not every change is evaluated, only one per Inode: either the last
              change or the deletion time of each Inode is displayed. If present (ext4), a
              histogram of the create time stamps is also produced.

              The optional -x additionally gives a better resolution of the time intervals.

       -V     Print the version of ext4magic and libext2fs

       -T     Display the entire transaction list of all copies of data blocks in the Journal. In
              conjunction with -B ; -I and -f , only the data blocks corresponding to this data
              are displayed. The optional -x additionally prints the transmission time of the
              transactions, but only if the block is an Inode block. The output is in the same
              order as the data in the Journal, so you can draw conclusions from the data
              received in the Journal. After importing backups or after changing the timestamps
              of files, the additional transmission time will not always be the real transmission
              time. If the time entries are completely incorrect, check whether you are using the
              journal of a file system that is open read-write.

       -x     Optionally controls the output format and the information content of certain
              commands. Affects the following options: -S ; -H ; -T ; -B ; -I ; -f ; -L ; -l
              See there for a detailed description.

       Selection Options: These options specify the exact files, directories, and data blocks.
       On the one hand they produce specific information, and on the other hand they are used to
       address the data for the Action Options. ext4magic accepts only one of these options per
       command.

       -B n   n is the block number of a filesystem data block. Without further options it
              prints a "one-byte" hex+ASCII dump of the data block on the filesystem, like the
              "hexdump -C" command. The optional -x produces a "four byte" hex+ASCII output.

              With the option -t n it prints the copy of the filesystem data block with this
              transaction number from the Journal.

              # ext4magic /dir/filesystem.iso -B 97 -t 22

              prints a hexdump of the copy of filesystem block number 97 that was written to the
              Journal with transaction number 22. All copies of a particular data block in the
              Journal, and the associated transaction numbers, can be found with the optional
              option -T

              # ext4magic /dir/filesystem.iso -B 97  -T

              prints a list of all copies of filesystem block number 97 with their transaction
              numbers. If this data block is an Inode block, the optional -x prints the exact
              time of each transaction.

       -I n   n is the Inode number. Without any other option, the output is the content of the
              real filesystem Inode. With the optional -x, a list of all data blocks addressed by
              this Inode is also output. If the Inode is a directory Inode, the content of the
              directory entries is also printed.

              Together with one of the options -T ; -J the output is not the content of the real
              filesystem Inode. Instead, the content of all different Inode copies found in the
              Journal is printed.

              With the option -t n only the content of the Inode from transaction "n" is
              printed.

              The option -I n can also be used in conjunction with the options -L ; -l ; -r or -R
              (see there).

       -f <filename>
              The function is the same as -I n, except that the <filename> is given instead of
              the Inode number. ext4magic searches the filesystem to find the Inode number. The
              filename can be a directory or a file name and must be specified relative to the
              root directory of this filesystem, not the root directory of the Linux system.

              An example: if the mount point for this filesystem is "/home" and the filename
              under Linux is "/home/usr1/Document", you can use
               # ext4magic /dev/sda3 -f usr1/Document

              For the root directory of the filesystem you can use

              -f /
               or

              -f ""
               for ext4magic these are the same.

              Do not specify a leading "/" for any other filename, and specify directory names
              without a trailing "/".

       Expert Options: (new 0.2.1) The optional Expert-Mode must be enabled with the option
       "--enable-expert-mode" at configure time. It makes it possible to open and recover from
       corrupted file systems. In the current version it is possible to address backup
       superblocks, to attempt to recover the Journal address from the data of the superblock,
       and to recover all undamaged files after the filesystem was partially damaged or
       overwritten.

       -s blocksize -n blocknumber
              With these options you can select the backup superblock. blocksize can be 1024,
              2048 or 4096. blocknumber is the block number of the backup superblock; it depends
              on the block size. Use the same values as with "fsck" or "debugfs", or use the
              output of "mkfs -n .." to determine the correct value.

              The options must be given in the order "-s ... -n ..."

       -c     This will attempt to find the journal using the data of the superblock.   Can  help
              if the first inode blocks of the file system are damaged.

       -D     Tries to restore all files from a badly damaged file system. The combination of
              all these Expert Options attempts a file system restore if the superblock is broken
              and the beginning of the file system is corrupted or overwritten. This can only
              work if e2fsck has not yet changed the faulty file system.

              Example: the first few megabytes of the file system have been overwritten. The
              following tries to copy all undamaged files of the filesystem. The target directory
              is "/tmp/recoverdir"

              # ext4magic /dev/sda1 -s 4096 -n 32768 -c -D -d /tmp/recoverdir

       -Q     This is an optional high-quality option for recover and only has an effect with
              "-r" and "-R". Without this option, every valid file name is restored from the
              directories, and you can set the "before" time stamp to a time at which all files
              are deleted. That way you will find the maximum possible number of files. Old
              directory data blocks do not necessarily have to be found in the Journal. However,
              too many files are found. In this mode, re-used file names and re-used Inodes
              cannot be noticed. As a result, some files will be created with the extension "#"
              and some files will be created with wrong content. You have to check the files
              yourself, and find and delete the bad ones.

              With option "-Q", ext4magic works more accurately and can avoid such false and
              duplicate files. This requires old data blocks of the directories in the Journal.
              You will not find those old blocks in the Journal for all directories: only for
              directories in which files have previously been created or deleted, not for
              directories in which nothing has changed for a long time. You should set the
              "before" time stamp to immediately before the destruction time of the files. If not
              enough directory data is available, ext4magic may be unable to find deleted files
              or entire directory contents. This option should be used very carefully and will
              achieve good results only in a few directories.

       Time Options: With these options you specify a time window within which the program
       searches for matching time stamps in the Journal data. ext4magic requires two times for
       most internal functions: a time "after" and a time "before".

       A found Inode is only accepted if it is not deleted and its time stamp is less than
       "before". If the delete time is less than "after", the Inode is also not used. For a valid
       directory Inode, ext4magic additionally tries to find time-matching directory data. For a
       recover action, set "before" to a value at which the data was deleted, and "after" to a
       value at which the data was available. Inodes and directory data with other timestamps
       are skipped and not used.

       By default, without any time option, ext4magic searches with "now" as the internal time
       "before" and "now -24 hour" as the internal time "after". If you try to recover without
       any time option, you therefore search only the last 24 hours. If you wait a couple of days
       before you try to recover deleted data, you must always use time options, or you will find
       nothing.

       -a n   With this option you can set the "after" time.

       -b n   With this option you can set the "before" time.

              n is the number of seconds since 1970-01-01 00:00:00 UTC. You can find this time
              information in many outputs of ext4magic, and you can produce it on the console
              with the command "date" and insert it directly in the ext4magic command line.

              -a $(date -d "-3day" +%s) -b $(date -d "-2day" +%s)

              This example sets "after=now-36h" and "before=now-24h".

       -t n   is an indirect time option. You can use it with the options -B ; -I ; -f The value
              n is the transaction number. With this option you can print, list, or recover the
              data from this transaction number. You can find the transaction numbers with the
              option -T or in the output of the Inode content.

       File-, IN- and OUT-Options: With this group of options you select the filesystem and
       other optional file input and output to control ext4magic.

       <filesystem>
              Selects the filesystem and must always be set. <filesystem> can be a block device
              with an ext3/4 filesystem; it can also be an uncompressed image file of such a
              partition.

       -j <journal_file>
              Optionally selects an external copy of the Journal file. Without this option, the
              internal Journal or, if configured, the external Journal on a block device is used
              automatically.

       -d <target_dir>
              Selects the output directory to which the recovered files are written. If it does
              not exist, it is created. By default, files are written to the subdirectory
              "RECOVERDIR" in the current working directory of the shell. This output directory
              cannot be on the same filesystem as the filesystem being examined, and should have
              sufficient space for the recovered files. The filesystem holding this directory
              should also be ext3/4; otherwise, non-Linux-like filesystems generate some errors
              while writing the file properties. Either change in the shell to a directory on
              such a suitable filesystem first, or use -d to specify a target directory on one.

       -i <input_list>
              input_list is an input file. It must contain a list of double-quoted filenames. The
              files from the list are restored with option -r or -R

              Blank lines, filenames that are not cleanly double-quoted, and everything before
              and after the " characters are ignored. Such a double-quoted list of file names
              can be created by ext4magic with the options -l -x or -L -x and edited by script
              or by hand.

       Action Options: This option group includes the list and recover options. All of these
       functions work recursively through directory trees, controlled by the time options. The
       starting point for the search is determined by a directory name or a directory Inode
       number. The default is the root of the filesystem. The filesystem data, including
       directory data, that matches the time options is taken from the Journal. If good data for
       the file system sections is available in the Journal, it is possible to see or recover
       the state of the filesystem at different times.

       -L     Prints the list of all filenames and Inode numbers of the selected directory tree.
              Deleted files and deleted directory trees are also included. With the additional
              option -x the file names are printed double-quoted. You can use this as an
              "Input list" with option -i

       -l     Prints a list of all filenames whose data blocks are not allocated. At the
              beginning of each line is the percentage of unallocated data blocks. After a
              deletion you find here all the file names you can recover with the Journal data.
              If you use a very old value for the "before" time, the list may include files
              whose data blocks have been reused, where those files have in the interim also
              been deleted. The list also includes all files without data blocks, symbolic
              links, empty and other special files.

              File names are likewise double-quoted with the optional -x

       -r     Applied to directories, all files that have no conflicts with occupied blocks are
              recovered. These are all the files you can see with the option -l that are 100%
              unallocated. This option only recovers deleted files and files without data
              blocks, for example symbolic links or empty files.

              The recovered files are written to RECOVERDIR/. This can be changed to an alternate
              <target_dir> with the option -d

              All files get their old filename and, if possible, their old file properties. A
              subdirectory tree can be selected with "-f dirname" or "-I inodenumber". If used
              with a given Inode number, the directory name is set to <inodenumber>

              The time options affect the search. If a file name already exists, or you recover
              again, files are not overwritten; instead a new filename is created by appending a
              final "#". The maximum is the extension "#####" for a filename.

              Single files can also be recovered, optionally searched by time stamps or
              transaction number.

              (new 0.2.1): If this function is started from the root directory, the first stage
              of the magic functions follows.

              This starts the "lost directory search" and "lost file search" and recovers all
              deleted Inodes that cannot be assigned to a file name. You can find these files in
              the directories MAGIC-1 and MAGIC-2

       -R     Recovers a directory tree; this is the same as -r

              But there are two very important differences: all matched Inodes are recovered,
              even if their blocks are allocated, and the old directory properties are recovered
              if possible. Empty directories are also restored. This recovers all deleted and
              all undeleted files, and makes it possible to recover older file versions or
              directory versions.

              In completely deleted directories the behavior of "-R" and "-r" is identical. The
              only difference there is the complete recover of all directories with option "-R".
              You can also restore individual files with time options or a transaction number.

       In all recover cases, ACL, SEL and other extended attributes cannot be recovered in the
       current version.

       Each output line starts with the string "--------" before the recovered file name. This
       is a sign of a successful recover. If there are not enough permissions to write the
       recovered files, you will see some "x" in the string.

       At the end of the process, a report from the hardlink database may appear. A positive
       number before a file name means: not all hardlinks to this file were found. A negative
       number means: too many hardlinks to this file were created (possible causes are reused
       filenames or reused Inodes, and hence too many or wrong old filenames for this hardlink.
       It is also possible that all files for this hardlink are correct, but the time options
       were not set correctly and because of that the Inode selected for the recover was not up
       to date. You should check such reports.)

       Re-used data blocks cannot be detected, so the recover may end with some corrupted files.
       In any case, check all the recovered files before you use them.

EXAMPLES

       Print the content of an Inode; there are several possibilities.

               # ext4magic /dev/sda3 -f /

               # ext4magic /dev/sda3 -I 2

              The output is the actual filesystem root Inode. The first example gives the
              pathname; in the second example, Inode 2 is also the root directory.

               # ext4magic /tmp/filesystem.iso -f / -T -x

              Use the filesystem image "/tmp/filesystem.iso", search for and print all
              transactions of the block that contains the root Inode, and print all different
              Inodes, including the block list of the data blocks. If it is a directory, also
              print the content of the directory for each individual Inode.

               # ext4magic /tmp/filesystem.iso -j /tmp/journal.backup -I 8195 -t 182

              Use the filesystem image "/tmp/filesystem.iso", read from the external Journal in
              the file "/tmp/journal.backup", and print the content of Inode number 8195 from
              journal transaction number 182.

               # ext4magic /dev/sda3 -f user1/Documents -a $(date -d "-3 day" +%s) -b $(date -d "-2 day" +%s)

              Print an undeleted Inode for the pathname "user1/Documents" from two to three days
              back. If it is a directory, also print the content of this directory. If the old
              directory blocks cannot be found in the Journal, the directory content will be the
              actual one from the filesystem.

       Examples of simple Recover

               # ext4magic /dev/sda3 -r -f user1/picture/cim01234.jpg -d /tmp

              Recover the file "/home/user1/picture/cim01234.jpg" which has just been deleted.
              The file system is normally mounted under "/home". Note that the file path is
              specified from the root directory of the file system and not from the root of the
              entire Linux system. Whenever possible, unmount the file system for the recover.
              The file will be written as "/tmp/user1/picture/cim01234.jpg"

               # ext4magic /dev/sda3 -r

              Try to restore all files deleted in the last 24 hours. Write to the directory
              "./RECOVERDIR/"

               # ext4magic /dev/sda3 -R -a $(date -d "-5day" +%s)

              Attempts to recover all files, even if they are already partially overwritten, and
              also recovers all files that were not deleted. The erase time is 4 days ago.

               # ext4magic /dev/sda3 -M -d /home/recover

              Try a multi-stage recover of all files after the filesystem content was deleted
              with "rm -rf *". Write the files to "/home/recover". (On ext4: this version skips
              the last step.)

               # ext4magic /dev/sda3 -RQ -f user1/Dokuments -a 1274210280 -b 1274211280 -d /mnt/testrecover

              Try to restore the directory tree "user1/Dokuments/". You must set the "-b"
              timestamp to just before the files were deleted; the "-a" timestamp prevents old
              file versions from being found. This only works well if files were created or
              deleted there before the "-b" timestamp. Write to the directory
              "/mnt/testrecover/". If only a few files are recovered, try the same without the
              option -Q

               # ext4magic /home/filesystem.iso -Lx  -f user1 | grep "jpg" > ./tmpfile

               # ext4magic /home/filesystem.iso -i ./tmpfile -r -d /mnt/testrecover

              Try to restore only those deleted files from the directory tree "user1/" that have
              "jpg" in the filename (last 24 hours), and write them to "/mnt/testrecover". A
              temporary file "./tmpfile" is used for the list of filenames.

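       The selective recover from the last example, as an added example that is not part of
       ext4magic or of the original manual page: shell helpers that compute the -a/-b pair
       described under Time Options from a known deletion time, and that build an -i input list
       by matching only the double-quoted name instead of grepping the whole line. The function
       names, the sample listing layout and the DELETED placeholder are assumptions; GNU date is
       assumed for parsing timestamps.

```shell
#!/bin/sh
# Added example (not part of ext4magic): helpers for a selective recover.

# to_epoch <time>: print seconds since 1970-01-01 00:00:00 UTC.
# Accepts raw epoch seconds or a timestamp that "date -u -d" parses (taken as UTC).
to_epoch() {
    case "$1" in
        '')       echo "to_epoch: empty timestamp" >&2; return 1 ;;
        *[!0-9]*) date -u -d "$1" +%s ;;
        *)        printf '%s\n' "$1" ;;
    esac
}

# time_window <deleted_at> <lookback_seconds>
# Prints "-a <after> -b <before>": "before" is the deletion time, "after" is
# <lookback_seconds> earlier, at a moment when the data was still available.
time_window() {
    tw_before=$(to_epoch "$1") || return 1
    case "$2" in
        ''|*[!0-9]*) echo "time_window: lookback must be whole seconds" >&2; return 1 ;;
    esac
    [ "$2" -gt 0 ] && [ "$2" -le "$tw_before" ] || {
        echo "time_window: lookback out of range" >&2; return 1; }
    printf '%s %s %s %s\n' -a "$((tw_before - $2))" -b "$tw_before"
}

# in_default_window <deleted_at> <now>: succeeds if the deletion lies inside the
# default search window (now-24h .. now), so that no time options are needed.
in_default_window() {
    idw_del=$(to_epoch "$1") || return 1
    idw_now=$(to_epoch "$2") || return 1
    [ "$idw_del" -le "$idw_now" ] && [ $((idw_now - idw_del)) -le 86400 ]
}

# filter_list <ERE>: read "-L -x" or "-l -x" output on stdin and print an input
# list for -i that holds only the quoted names matching <ERE>. It relies only on
# the documented rule that -i reads the double-quoted name and ignores the rest
# of the line; lines without exactly one quoted name are dropped as not clean.
filter_list() {
    FILTER_RE="$1" awk -F'"' '
        NF == 3 && $2 != "" && $2 ~ ENVIRON["FILTER_RE"] { printf "\"%s\"\n", $2 }
    '
}

# Constructed sample of listing lines. The column layout is an assumption;
# only the quoting matters to filter_list.
sample_listing() {
    cat <<'EOF'
  100%   32770  "user1/picture/cim01234.jpg"
  100%   32771  "user1/jpg-notes/todo.txt"

   40%   32772  "user1/picture/broken.jpg
  100%   32773  "user1/Documents"
EOF
}

# Usage with the options documented above (DELETED is a placeholder):
#   w=$(time_window "$DELETED" 3600)
#   ext4magic /home/filesystem.iso -Lx -f user1 $w | filter_list '\.jpg$' > ./tmpfile
#   ext4magic /home/filesystem.iso -i ./tmpfile -r $w -d /mnt/testrecover
```

       With the constructed listing, a plain grep "jpg" would also select the "jpg-notes" entry
       and the line with the unterminated quote; filter_list keeps only the first entry.
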
BUGS

       Direct use of the Journal of a filesystem that is currently open read-write leads to
       reading bad blocks. Such bad blocks cause program errors and false results. You should
       therefore never use the Journal of such a read-write open file system directly. Should it
       be necessary to use a mounted file system, create a copy of the file system journal and
       use the option -j

AUTHOR

       Roberto Maar

SEE ALSO

       debugfs (8) , e2fsck (8)