Provided by: ext4magic_0.3.1-2_amd64 
NAME
ext4magic - recover deleted files on ext3/4 filesystems
SYNOPSIS
ext4magic {-M|-m} [-j <journal_file>] [-d <target_dir>] <filesystem>
ext4magic [-S|-J|-H|-V|-T] [-x] [-j <journal_file>] [-B n|-I n|-f <file_name>|-i
<input_list>] [-t n|[[-a n][-b n]]] [-d <target_dir>] [-R|-r|-L|-l] [-Q] <filesystem>
DESCRIPTION
The deletion of files in ext3/4 filesystems can not be easily reversed. Zero out of the
block references in the Inodes makes that impossible. Experience with other programs have
proved, it is often possible, to restore sufficient information for a recover of many data
files, directly from the filesystem Journal. ext4magic can extract the information from
the Journal, and can restore files in entire directory trees, provided that the
information in the Journal are sufficient. This tool can recover the most file types, can
recover large and sparse files, recovered files with orginal filename, with the orginal
owner an group, the orginal file mode bits, and also the old atime/mtime stamp.
The filesystem Journal has a very different purpose, and it will not be possible to
recover any file at any time. Many factors affects which data and how long the data store
in the Journal. Read the ext4magic documentation for more extensive information about the
filesytem Journal.
OPTIONS
Magic Options: (new in version 0.2.0) These options are for a mulit-stage recover
especially for file restore after a recursiv deletion of parts or the whole file system.
(third step currently available for ext3 by versions 0.2.x ; a new experimental function
for ext4 is included in version 0.3.0-pv0.)
Umount the file system directly after an accidentally destroy and use these options with
the umount file system or with a copy of this file system. The program automatically
determines the correct time options if the deletion has only worked a short time (< 5 min)
. For very large deletions, you must use the " after time "
In the first and second step files restored by copies of inodes. The third step is trying
to restore the remaining files without inode copies. This may take a long time
-M Try to recover all files. This option should be used if the entire Filessytem was
deleted.
-m Try to recover only all deleted files. Use this option with a partially deleted
Filesystem.
Information Options: These options generate generic status information from the filesystem
and the Journal.
-S Print the filesystem superblock, the option. -x allows the additional display of
content of the group descriptor table.
-J Print the content of the Journal superblock. This option also can used to force
loading the Journal. This has a flow control effect in ext4magic with some other
options.
-H Output a histogram of time stamps from all filesystem Inodes. Allows you to
determine the exact time of changes in the filesystem. In connection with a
directory name or a directory Inode, only the time stamps of this directory tree
will be displayed. There are not evaluated any changes, only one per Inode. either
the last change or the deletion time per Inode arrives to display. If present
(ext4), it also create a histogram of create time stamps.
The optional option -x allows additional a better resolution of the time intervals.
-V Print the version of ext4magic and libext2fs
-T Display the entire transaction list of all copies of data blocks in the Journal. In
conjunction with the -B ; -I and -f , only display the corresponding data blocks
for this data . The optional option -x allows an additional transmission time of
the transactions, but only if the block is a Inode block. The print is in the same
order as the data in journal. You can make conclusions from the data received in
the Journal. After the import of backups or after change of timestamps of files,
the additional transmission time will display not always the real transmission
time. If here absolutely incorrect time entries, then check if you using a journal
of a read-write open file system.
-x controls optional the output format and the information content of certain
commands. Affects the following options: -S ; -H ; -T ; -B ; -I ; -f ; -L ; -l
Detailed description see there.
Selection Options: These options specify the exact files, directories, and data blocks.
One hand, they produce specific information, and on the other hand, be used to address the
data for the Action Options. ext4magic will accept only one of these options at command.
-B n n is the data block number of a filesystem datablock. Without further options it
print a "one-byte" hex+ASCII dump from the data block on the filesystem, like the
"hexdump -C" command. The optional option -x produced a "four byte" hex+ASCII
output.
With the option -t n it print a copy of the filesystem data block with this
transaction number from the Journal.
# ext4magic /dir/filesytem.iso -B 97 -t 22
print a hexdump of the copy from filesystem block number 97, which has been writing
to the Journal with the transaction number 22. All copies of a particular data
block in the Journal and the associated transaction numbers you can find with the
optional Option -T
# ext4magic /dir/filesystem.iso -B 97 -T
will print a list with all copies of filesystem block number 97 with the
transaction numbers. If this data block is a Inode block, print out the exact time
for the transaction with the optional option -x
-I n n is the Inode number. Without any other option, the output is the content of the
real filesystem Inode. With a optional -x additional output of a list of all data
blocks addressed by this Inode. If Inode is a directory Inode, the content of the
directory entrys also printed.
Together with one of the following option -T ; -J the output is not the content
from the real filesystem Inode. The content of all differend Inode copies found in
the Journal are printed.
with the option -t n only the content of the Inode from transaction " n " are
printed.
the option -I n can also be used in conjunction with the options -L ; -l ; -r or -R
(show there)
-f <filename>
the function is the same as -I n only here is the <filename> given instead the
Inode number. ext4magic search the filesystem to find the Inode number. The
filename can be a directory or a filename and must be specified here from the root
directory of this filesystem, and not from the root directory of the LINUX system.
An example: the mount point for this filesystem is " /home " an the filename for
Linux is " /home/usr1/Document " you can use now
# ext4magic /dev/sda3 -f usr1/Document
The root directory of the filesystem you can use
-f /
or
-f ""
for ext4magic this is the same.
you should specify no leading "/" for all other filename. And directory names you
should specify without final "/" .
Expert Options: (new 0.2.1) The optional Expert-Mode must be enabled with the option
"--enable-expert-mode" by configure. This makes it possible to open and recover front
corrupted file systems. In the current version it is possible to address backup
superblocks and the attempt to recover of the Journal address from the data of the super
block, and recover all undamaged files after the filesytem was partially damaged or
overwritten.
-s blocksize -n blocknumber
with this options you can select the backup superblock. blocksize can be 1024,
2048 or 4096. blocknumber is the block number of the backup superblock this
depends on the block size. Use the same values as with "fsck" or "debugfs" or use
the output of "mkfs -n .." to determine the correct value.
Use the options necessarily in the order "-s ... -n ..."
-c This will attempt to find the journal using the data of the superblock. Can help
if the first inode blocks of the file system are damaged.
-D trying a restore of all files from a badly damaged file system. The combination of
all these Expert Options try a file system restore if the superblock broken and the
beginning of the file system is corrupted or overwritten. This can only work if
e2fsck has not yet changed the faulty file system.
Example : the first few megabytes of the file system are overwritten. The following
tries a copy of all undamaged files of the filesystem. Target directory is
"/tmp/recoverdir"
# ext4magic /dev/sda1 -s 4096 -n 32768 -c -D -d /tmp/recoverdir
-Q This is a optional high quality Option for recover and only impact with " -r " and
" -R ". Without this option, any valid file name restored from the directories and
you can set the " before " time stamp to a time in which all files are deleted. So
you will find the maximum possible number of files. It need not necessarily be
found old directory data blocks in the Journal. However, there are some files
found too much. In this mode, re-used file name and reused Inode can not be
noticed. As a result some file will be created with the extension " "#" or some
files created with wrong content. You have to check the files and find bad files
and delete itself.
With option " -Q " works ext4magic more accurately, and can avoid such false and
duplicate files. This requires old data blocks of the directories in the Journal.
You will not find of all directories those old blocks in the Journal. Only
directories in which files have been previously created or deleted, but not of
directories in which no change has been a long time. You should set the time stamp
" before " immediately before destruction time of the files. Are not sufficient
directory data available, may be, ext4magic can't found deleted files or entire
directory content. This option should be used very carefully and will achieve good
results only in a few directories.
Time Options: With this options you specify a time window at which the program searches
for matching time stamps in the Journal data. ext4magic required for most internaly
functions two times. A time "after" and a time "before".
Found Inode only accepted, if not deleted and there time stamp less than "before". If the
delete time is less then "after", the Inode are also not used. ext4magic is still trying
to find for valid directory Inode also a time-matching directory data. For a recover
action "before" set to a value at which the data deleted, and "after" set to a value at
which the data available. Inodes and directory data with other timestamps will be skipped
and not used.
Default, without any time option, ext4magic will search with "now" for the internal time
"before", and "now -24 hour" for the internal time "after". If you try to recover without
any time option, so you search only over the last 24 hours. If you wait a couple of days
before you try to recover deleted data, you must always use time options, or you find
nothing
-a n with this option you can set the " after " time
-b n with this option you can set the " before " time
n is the number of seconds since 1970-01-01 00:00:00 UTC. This time information can
you find in many prints of ext4magic, and you can it produce on the console with
the command "date" and also insert directly in the ext4magic command line.
-a $(date -d "-3day" +%s) -b $(date -d "-2day" +%s)
this example set "after=now-36h" and "before=now-24h"
-t n is an indirect time option. you can use it with the options -B ; -I ; -f The value
n is the transaction number. With this option you can print, list, or recover the
data from this transaction number. you can find the transaction numbers with the
option -T or in the print of the Inode content.
File-, IN- and OUT-Options: With these options group, you select the filesystem, and other
optional file input and output for control of ext4magic.
<filesystem>
selects the filesystem and must always be set. <filesystem> can be a blockdevice
with ext3/4 filesystem, it can also be a uncompressed file image of such a
partition.
-j <journal_file>
optional you can select a external copy of the Journal file. Without this option,
automatically the internal Journal or, if configured, the external Journal on a
block device will used.
-d <target_dir>
select the output directory. There, the recovered files were written. If it does
not exist, it is created. By default, created files are written to the subdirectory
" RECOVERDIR " in the workpath of the actual shell. This output directory can not
be on the same filesystem to be tested filesytem, and should have sufficient space
to write the recovered files. The filesystem on this directory should be also
ext3/4, otherwise, not LINUX like filesytems generate some errors while writing the
file properties. Either you must first changed with the shell in such a suitable
filesystem, or you must specify the -d with a target to such a directory
-i <input_list>
input_list is a input file. Must contain a list with double-quoted filenames. The
files from the list will be restored with option -r or -R
Blank lines, not cleanly double quoted filenames and all areas before and after "
will be ignored. Such a double-quoted list of file names can create with options
-l -x or -L -x by ext4magic and edited by script or by hand.
Action Options: This option group includes list and recover options. All functions
together, they work recursiv controlled by the time options through directory trees. The
starting point for search is determined by a directory name or a directory Inode number.
Default is root of this Filesystem. Matching the time options, the filesystem data,
inclusive directory data, taken from the Journal. If good data from the file system
sections available in Journal, it is possible to see or recover the state of the
filesystem at different times.
-L Prints the list of all filenames and Inode number of the selected directory tree.
Included here also are deleted files and deleted directory trees. With the
additional option. -x the file names are printed double-quoted. You can use it for
a "Input list" with option -i
-l Prints a list of all filenames which have not allocated data blocks. At the
beginning of the line are the percentage of unallocated data blocks. After
deletion you find here all the file names you can recover with the Journal data. If
you use a very old value for the "before" time, it is possible there are files
whose data blocks reused and these files in the interim also been deleted. Also
included in the list all files without data blocks, symbolic links, empty and other
special files.
Likewise double-quoted file names with optional -x
-r applied to directories, all files without conflicts with the occupied blocks will
recovered. This are all you can sea with the option -l and be 100% unallocated.
This options only recover deleted files and files without data blocks, in example:
symbolic links or empty files.
The recovered files written to the RECOVERDIR/ This can also set to an alternate
<target_dir> with the option -d
All files become the old filename and if possible, also the old file properties. A
subdirectory tree can set with "-f dirname" oder "-I inodenumber" If use with a
given Inode number, the directory name is set to <inodenumber>
The Time options affect the search. If a file name already exists, or you recover
again, it not overwrite files, and a new filename by added a final "#" will
created. The maximum ist the extension " ##### " for a filename.
single files also can recovered, possible search with time-stamps or transaction
number.
(new 0.2.1): Starts this function from the root directory the first stage of the
magic functions will follow.
This starts "lost directory search" and "lost file search" and recovers all the
deleted inode that can not be assigned to a file name. These files you can find in
the directories MAGIC-1 and MAGIC-2
-R recovers directory tree, is the same as -r
But two very important differences: Recover of all matched Inodes, even if the
blocks allocated, and recover if possible the old directory properties. Also empty
dirctories will be restored. This recovers all deleted and all undeleted files,
and it's possible to recover older file versions or directory versions.
In completely deleted directories the behavior " -R " and " -r " is identical. The
difference is there only the complete recover of all directories with option " -R
". You can also restore individual files with time options or a transaction
number.
For all recover cases ACL, SEL and other extended attribute can not recovered in the
current version.
The output starts at line with a string "--------" before the recovered file name. This is
a sign of successful recover. Are not enough permissions to write the recovered files,
then you will see there some "x" in the string.
At the end of the process, possibly an issue comes from the hardlink database. A positive
number before a file name means : not found all hardlinks to this file. A negative number
means : it created too many hardlinks to this file (possible are, reused filenames or
reused Inodes, and so, too many or wrong old filenames for this hardlink. - But also
possible - all files for this hardlink are correct, the time-options was not set correct
and because of that, the selected inode for the recover was not up to date. You should
check such reports.)
Re-used data blocks can't realize and so it's possible, it ends in some corrupted files.
Check in any case, all the recoverd files before you use them.
EXAMPLES
Print the content of a Inode, there are some possibilities.
# ext4magic /dev/sda3 -f /
# ext4magic /dev/sda3 -I 2
the output is the actual filesystem root Inode. In first example input the
pathname, second example Inode 2 is also the root directory
# ext4magic /tmp/filesystem.iso -f / -T -x
use filesystem image "/tmp/filesystem.iso", search and print all transactions of
the Block which included the root Inode, and print all differend Inode. Inclusiv
the blocklist off the data blocks. If it's a directory, then print also for each
individual Inode the content of the directory.
# ext4magic /tmp/filesystem.iso -j /tmp/journal.backup -I 8195 -t 182
Use filesystem image "/tmp/filesystem.iso" and read from external Journal in file
"/tmp/journal.backup" and print the content of the Inode number 8195 from the
journal transaction number 182
# ext4magic /dev/sda3 -f user1/Documents -a $(date -d "-3 day" +%s) -b $(date -d
"-2 day" +%s)
print a undeleded Inode for pathname "user1/Documents" two to three days back. If
it's a directory, then also the content of this directory. If can not found the
old directory blocks in Journal, the directory content would be the actual from
filesystem.
Examples of simple Recover
# ext4magic /dev/sda3 -r -f user1/picture/cim01234.jpg -d /tmp
Recover the file "/home/user1/picture/cim01234.jpg" which has just been deleted.
The file system is mounted normally under "/home". Note the file path is specified
from the root directory of the file system and not from the root of the entire
Linux system. Whenever possible, umount the file system for the recover. The file
will be written as "/tmp/user1/picture/cim01234.jpg"
# ext4magic /dev/sda3 -r
try to restore all files deleted last 24 hours. Write to directory "./RECOVERDIR/"
# ext4magic /dev/sda3 -R -a $(date -d "-5day" +%s)
Attempts to recover all files, even if they are already partially overwritten,
recover also all not deleted files. The erase time is 4 days ago.
# ext4magic /dev/sda3 -M -d /home/recover
try multi-stage recover of all files after the filesystem is deleted with a "rm -rf
*" . Write the files to "/home/recover". (on ext4 : in this version skipped the
last step.)
# ext4magic /dev/sda3 -RQ -f user1/Dokuments -a 1274210280 -b 1274211280 -d
/mnt/testrecover
try to restore the directory tree "user1/Dokuments/". The "-b" timestamp you must
set just before deleting files, the "-a" timestamp prevents found old file
versions. This will only work well, if you've there created or deleted files bevor
the "-b" timestamp. Write to the directory "/mnt/testrecover/". If only a few files
recovers, attempts the same without the option -Q
# ext4magic /home/filesystem.iso -Lx -f user1 | grep "jpg" > ./tmpfile
# ext4magic /home/filesystem.iso -i ./tmpfile -r -d /mnt/testrecover
try to restore only all deleted files from directory tree "user1/", and have "jpg"
in filename. (last 24 hour) and write to "/mnt/testrecover" - use a temporary file
"./tmpfile" for a list of filenames.
BUGS
Direct use of the Journal of a currently read-write open filesystem produce reading of bad
blocks. Such bad blocks provide program errors and false results. You shall therefore
never use the Journal of such a read-write open file system directly. Should it be
necessary to use a mounted file system, create a copy of the file system journal and used
the option -j
AUTHOR
Roberto Maar
SEE ALSO
debugfs (8) , e2fsck (8)