Provided by: ext4magic_0.3.2-14build2_amd64 
NAME
ext4magic - recover deleted files on ext3/4 filesystems
SYNOPSIS
ext4magic {-M|-m} [-j <journal_file>] [-d <target_dir>] <filesystem>
ext4magic [-S|-J|-H|-V|-T] [-x] [-j <journal_file>] [-B n|-I n|-f <file_name>|-i <input_list>] [-t n|[[-a
n][-b n]]] [-d <target_dir>] [-R|-r|-L|-l] [-Q] <filesystem>
DESCRIPTION
The deletion of files in ext3/4 filesystems can not be easily reversed. Zero out of the block references
in the Inodes makes that impossible. Experience with other programs have proved, it is often possible,
to restore sufficient information for a recover of many data files, directly from the filesystem Journal.
ext4magic can extract the information from the Journal, and can restore files in entire directory trees,
provided that the information in the Journal are sufficient. This tool can recover the most file types,
can recover large and sparse files, recovered files with original filename, with the original owner an
group, the original file mode bits, and also the old atime/mtime stamp.
The filesystem Journal has a very different purpose, and it will not be possible to recover any file at
any time. Many factors affects which data and how long the data store in the Journal. Read the ext4magic
documentation for more extensive information about the filesystem Journal.
OPTIONS
Magic Options: These options are for a mulit-stage recover especially for file restore after a recursiv
deletion of parts or the whole file system. (third step currently available for ext3 by versions 0.2.x ;
a for ext4 is included in version 0.3.x )
Umount the file system directly after an accidentally destroy and use these options with the umount file
system or with a copy of this file system. The program automatically determines the correct time options
if the deletion has only worked a short time (< 5 min) . For very large deletions, you must use the "
after time "
In the first and second step files restored by copies of inodes. The third step is trying to restore the
remaining files without inode copies. This may take a long time
-M Try to recover all files. This option should be used if the entire Filesystem was deleted.
-m Try to recover only all deleted files. Use this option with a partially deleted Filesystem.
Information Options: These options generate generic status information from the filesystem and the
Journal.
-S Print the filesystem superblock, the option. -x allows the additional display of content of the
group descriptor table.
-J Print the content of the Journal superblock. This option also can used to force loading the
Journal. This has a flow control effect in ext4magic with some other options.
-H Output a histogram of time stamps from all filesystem Inodes. Allows you to determine the exact
time of changes in the filesystem. In connection with a directory name or a directory Inode, only
the time stamps of this directory tree will be displayed. There are not evaluated any changes,
only one per Inode. either the last change or the deletion time per Inode arrives to display. If
present (ext4), it also create a histogram of create time stamps.
The optional option -x allows additional a better resolution of the time intervals.
-V Print the version of ext4magic and libext2fs
-T Display the entire transaction list of all copies of data blocks in the Journal. In conjunction
with the -B ; -I and -f , only display the corresponding data blocks for this data . The optional
option -x allows an additional transmission time of the transactions, but only if the block is a
Inode block. The print is in the same order as the data in journal. You can make conclusions from
the data received in the Journal. After the import of backups or after change of timestamps of
files, the additional transmission time will display not always the real transmission time. If
here absolutely incorrect time entries, then check if you using a journal of a read-write open
file system.
-x controls optional the output format and the information content of certain commands. Affects the
following options: -S ; -H ; -T ; -B ; -I ; -f ; -L ; -l Detailed description see there.
Selection Options: These options specify the exact files, directories, and data blocks. One hand, they
produce specific information, and on the other hand, be used to address the data for the Action Options.
ext4magic will accept only one of these options at command.
-B n n is the data block number of a filesystem datablock. Without further options it print a "one-
byte" hex+ASCII dump from the data block on the filesystem, like the "hexdump -C" command. The
optional option -x produced a "four byte" hex+ASCII output.
With the option -t n it print a copy of the filesystem data block with this transaction number
from the Journal.
# ext4magic /dir/filesystem.iso -B 97 -t 22
print a hexdump of the copy from filesystem block number 97, which has been writing to the Journal
with the transaction number 22. All copies of a particular data block in the Journal and the
associated transaction numbers you can find with the optional Option -T
# ext4magic /dir/filesystem.iso -B 97 -T
will print a list with all copies of filesystem block number 97 with the transaction numbers. If
this data block is a Inode block, print out the exact time for the transaction with the optional
option -x
-I n n is the Inode number. Without any other option, the output is the content of the real filesystem
Inode. With a optional -x additional output of a list of all data blocks addressed by this Inode.
If Inode is a directory Inode, the content of the directory entries also printed.
Together with one of the following option -T ; -J the output is not the content from the real
filesystem Inode. The content of all differend Inode copies found in the Journal are printed.
with the option -t n only the content of the Inode from transaction " n " are printed.
the option -I n can also be used in conjunction with the options -L ; -l ; -r or -R (show there)
-f <filename>
the function is the same as -I n only here is the <filename> given instead the Inode number.
ext4magic search the filesystem to find the Inode number. The filename can be a directory or a
filename and must be specified here from the root directory of this filesystem, and not from the
root directory of the LINUX system.
An example: the mount point for this filesystem is " /home " an the filename for Linux is "
/home/usr1/Document " you can use now
# ext4magic /dev/sda3 -f usr1/Document
The root directory of the filesystem you can use
-f /
or
-f ""
for ext4magic this is the same.
you should specify no leading "/" for all other filename. And directory names you should specify
without final "/" .
Expert Options: (new 0.2.1) The optional Expert-Mode must be enabled with the option
"--enable-expert-mode" by configure. This makes it possible to open and recover front corrupted file
systems. In the current version it is possible to address backup superblocks and the attempt to recover
of the Journal address from the data of the super block, and recover all undamaged files after the
filesystem was partially damaged or overwritten.
-s blocksize -n blocknumber
with this options you can select the backup superblock. blocksize can be 1024, 2048 or 4096.
blocknumber is the block number of the backup superblock this depends on the block size. Use the
same values as with "fsck" or "debugfs" or use the output of "mkfs -n .." to determine the
correct value.
Use the options necessarily in the order "-s ... -n ..."
-c This will attempt to find the journal using the data of the superblock. Can help if the first
inode blocks of the file system are damaged.
-D trying a restore of all files from a badly damaged file system. The combination of all these
Expert Options try a file system restore if the superblock broken and the beginning of the file
system is corrupted or overwritten. This can only work if e2fsck has not yet changed the faulty
file system.
Example : the first few megabytes of the file system are overwritten. The following tries a copy
of all undamaged files of the filesystem. Target directory is "/tmp/recoverdir"
# ext4magic /dev/sda1 -s 4096 -n 32768 -c -D -d /tmp/recoverdir
-Q This is a optional high quality Option for recover and only impact with " -r " and " -R ". Without
this option, any valid file name restored from the directories and you can set the " before " time
stamp to a time in which all files are deleted. So you will find the maximum possible number of
files. It need not necessarily be found old directory data blocks in the Journal. However, there
are some files found too much. In this mode, re-used file name and reused Inode can not be
noticed. As a result some file will be created with the extension " "#" or some files created with
wrong content. You have to check the files and find bad files and delete itself.
With option " -Q " works ext4magic more accurately, and can avoid such false and duplicate files.
This requires old data blocks of the directories in the Journal. You will not find of all
directories those old blocks in the Journal. Only directories in which files have been previously
created or deleted, but not of directories in which no change has been a long time. You should set
the time stamp " before " immediately before destruction time of the files. Are not sufficient
directory data available, may be, ext4magic can't found deleted files or entire directory content.
This option should be used very carefully and will achieve good results only in a few directories.
Time Options: With this options you specify a time window at which the program searches for matching time
stamps in the Journal data. ext4magic required for most internaly functions two times. A time "after"
and a time "before".
Found Inode only accepted, if not deleted and there time stamp less than "before". If the delete time is
less then "after", the Inode are also not used. ext4magic is still trying to find for valid directory
Inode also a time-matching directory data. For a recover action "before" set to a value at which the data
deleted, and "after" set to a value at which the data available. Inodes and directory data with other
timestamps will be skipped and not used.
Default, without any time option, ext4magic will search with "now" for the internal time "before", and
"now -24 hour" for the internal time "after". If you try to recover without any time option, so you
search only over the last 24 hours. If you wait a couple of days before you try to recover deleted data,
you must always use time options, or you find nothing
-a n with this option you can set the " after " time
-b n with this option you can set the " before " time
n is the number of seconds since 1970-01-01 00:00:00 UTC. This time information can you find in
many prints of ext4magic, and you can it produce on the console with the command "date" and also
insert directly in the ext4magic command line.
-a $(date -d "-3day" +%s) -b $(date -d "-2day" +%s)
this example set "after=now-36h" and "before=now-24h"
-t n is an indirect time option. you can use it with the options -B ; -I ; -f The value n is the
transaction number. With this option you can print, list, or recover the data from this
transaction number. you can find the transaction numbers with the option -T or in the print of
the Inode content.
File-, IN- and OUT-Options: With these options group, you select the filesystem, and other optional file
input and output for control of ext4magic.
<filesystem>
selects the filesystem and must always be set. <filesystem> can be a blockdevice with ext3/4
filesystem, it can also be a uncompressed file image of such a partition.
-j <journal_file>
optional you can select a external copy of the Journal file. Without this option, automatically
the internal Journal or, if configured, the external Journal on a block device will used.
-d <target_dir>
select the output directory. There, the recovered files were written. If it does not exist, it is
created. By default, created files are written to the subdirectory " RECOVERDIR " in the workpath
of the actual shell. This output directory can not be on the same filesystem to be tested
filesystem, and should have sufficient space to write the recovered files. The filesystem on this
directory should be also ext3/4, otherwise, not LINUX like filesystems generate some errors while
writing the file properties. Either you must first changed with the shell in such a suitable
filesystem, or you must specify the -d with a target to such a directory
-i <input_list>
input_list is a input file. Must contain a list with double-quoted filenames. The files from the
list will be restored with option -r or -R
Blank lines, not cleanly double quoted filenames and all areas before and after " will be ignored.
Such a double-quoted list of file names can create with options -l -x or -L -x by ext4magic and
edited by script or by hand.
Action Options: This option group includes list and recover options. All functions together, they work
recursiv controlled by the time options through directory trees. The starting point for search is
determined by a directory name or a directory Inode number. Default is root of this Filesystem. Matching
the time options, the filesystem data, inclusive directory data, taken from the Journal. If good data
from the file system sections available in Journal, it is possible to see or recover the state of the
filesystem at different times.
-L Prints the list of all filenames and Inode number of the selected directory tree. Included here
also are deleted files and deleted directory trees. With the additional option. -x the file
names are printed double-quoted. You can use it for a "Input list" with option -i
-l Prints a list of all filenames which have not allocated data blocks. At the beginning of the line
are the percentage of unallocated data blocks. After deletion you find here all the file names
you can recover with the Journal data. If you use a very old value for the "before" time, it is
possible there are files whose data blocks reused and these files in the interim also been
deleted. Also included in the list all files without data blocks, symbolic links, empty and other
special files.
Likewise double-quoted file names with optional -x
-r applied to directories, all files without conflicts with the occupied blocks will recovered. This
are all you can sea with the option -l and be 100% unallocated. This options only recover deleted
files and files without data blocks, in example: symbolic links or empty files.
The recovered files written to the RECOVERDIR/ This can also set to an alternate <target_dir> with
the option -d
All files become the old filename and if possible, also the old file properties. A subdirectory
tree can set with "-f dirname" oder "-I inodenumber" If use with a given Inode number, the
directory name is set to <inodenumber>
The Time options affect the search. If a file name already exists, or you recover again, it not
overwrite files, and a new filename by added a final "#" will created. The maximum ist the
extension " ##### " for a filename.
single files also can recovered, possible search with time-stamps or transaction number.
(new 0.2.1): Starts this function from the root directory the first stage of the magic functions
will follow.
This starts "lost directory search" and "lost file search" and recovers all the deleted inode that
can not be assigned to a file name. These files you can find in the directories MAGIC-1 and
MAGIC-2
-R recovers directory tree, is the same as -r
But two very important differences: Recover of all matched Inodes, even if the blocks allocated,
and recover if possible the old directory properties. Also empty directories will be restored.
This recovers all deleted and all undeleted files, and it's possible to recover older file
versions or directory versions.
In completely deleted directories the behavior " -R " and " -r " is identical. The difference is
there only the complete recover of all directories with option " -R ". You can also restore
individual files with time options or a transaction number.
For all recover cases ACL, SEL and other extended attribute can not recovered in the current version.
The output starts at line with a string "--------" before the recovered file name. This is a sign of
successful recover. Are not enough permissions to write the recovered files, then you will see there some
"x" in the string.
At the end of the process, possibly an issue comes from the hardlink database. A positive number before a
file name means : not found all hardlinks to this file. A negative number means : it created too many
hardlinks to this file (possible are, reused filenames or reused Inodes, and so, too many or wrong old
filenames for this hardlink. But also possible, all files for this hardlink are correct, the time options
was not set correct and because of that, the selected inode for the recover was not up to date. You
should check such reports.)
Re-used data blocks can't realize and so it's possible, it ends in some corrupted files. Check in any
case, all the recoverd files before you use them.
EXAMPLES
Print the content of a Inode, there are some possibilities.
# ext4magic /dev/sda3 -f /
# ext4magic /dev/sda3 -I 2
the output is the actual filesystem root Inode. In first example input the pathname, second
example Inode 2 is also the root directory
# ext4magic /tmp/filesystem.iso -f / -T -x
use filesystem image "/tmp/filesystem.iso", search and print all transactions of the Block which
included the root Inode, and print all differend Inode. Inclusiv the blocklist off the data
blocks. If it's a directory, then print also for each individual Inode the content of the
directory.
# ext4magic /tmp/filesystem.iso -j /tmp/journal.backup -I 8195 -t 182
Use filesystem image "/tmp/filesystem.iso" and read from external Journal in file
"/tmp/journal.backup" and print the content of the Inode number 8195 from the journal transaction
number 182
# ext4magic /dev/sda3 -f user1/Documents -a $(date -d "-3 day" +%s) -b $(date -d "-2 day" +%s)
print a undeleded Inode for pathname "user1/Documents" two to three days back. If it's a
directory, then also the content of this directory. If can not found the old directory blocks in
Journal, the directory content would be the actual from filesystem.
Examples of simple Recover
# ext4magic /dev/sda3 -r -f user1/picture/cim01234.jpg -d /tmp
Recover the file "/home/user1/picture/cim01234.jpg" which has just been deleted. The file system
is mounted normally under "/home". Note the file path is specified from the root directory of the
file system and not from the root of the entire Linux system. Whenever possible, umount the file
system for the recover. The file will be written as "/tmp/user1/picture/cim01234.jpg"
# ext4magic /dev/sda3 -r
try to restore all files deleted last 24 hours. Write to directory "./RECOVERDIR/"
# ext4magic /dev/sda3 -R -a $(date -d "-5day" +%s)
Attempts to recover all files, even if they are already partially overwritten, recover also all
not deleted files. The erase time is 4 days ago.
# ext4magic /dev/sda3 -M -d /home/recover
try multi-stage recover of all files after the filesystem is deleted with a "rm -rf *" . Write the
files to "/home/recover". (on ext4 : in this version skipped the last step.)
# ext4magic /dev/sda3 -RQ -f user1/Dokuments -a 1274210280 -b 1274211280 -d /mnt/testrecover
try to restore the directory tree "user1/Dokuments/". The "-b" timestamp you must set just before
deleting files, the "-a" timestamp prevents found old file versions. This will only work well, if
you've there created or deleted files bevor the "-b" timestamp. Write to the directory
"/mnt/testrecover/". If only a few files recovers, attempts the same without the option -Q
# ext4magic /home/filesystem.iso -Lx -f user1 | grep "jpg" > ./tmpfile
# ext4magic /home/filesystem.iso -i ./tmpfile -r -d /mnt/testrecover
try to restore only all deleted files from directory tree "user1/", and have "jpg" in filename.
(last 24 hour) and write to "/mnt/testrecover" - use a temporary file "./tmpfile" for a list of
filenames.
BUGS
Direct use of the Journal of a currently read-write open filesystem produce reading of bad blocks. Such
bad blocks provide program errors and false results. You shall therefore never use the Journal of such a
read-write open file system directly. Should it be necessary to use a mounted file system, create a copy
of the file system journal and used the option -j
AUTHOR
Roberto Maar
SEE ALSO
debugfs (8) , e2fsck (8)
version 0.3.2 Oct 2014 ext4magic(8)