ext3grep – Recover Deleted Files on Debian and Ubuntu
ext3grep is a simple program for recovering files on an EXT3 filesystem. It is an investigation and recovery tool that is useful in forensics investigations. It helps to show information about files that existed on a partition and also recover accidentally deleted files.
In this article, we will demonstrate a useful trick that will help you recover accidentally deleted files on ext3 filesystems using ext3grep in Debian and Ubuntu.
- Device name: /dev/sdb1
- Mount point: /mnt/TEST_DRIVE
- Filesystem type: EXT3
How to Recover Deleted Files Using ext3grep Tool
To recover deleted files, you first need to install the ext3grep program on your Ubuntu or Debian system using the APT package manager as shown.
$ sudo apt install ext3grep
Once it is installed, we will demonstrate how to recover deleted files on an ext3 filesystem.
First, we will create some files for testing purposes in the mount point /mnt/TEST_DRIVE of the ext3 partition/device, i.e. /dev/sdb1 in this case.
$ cd /mnt/TEST_DRIVE
$ sudo touch file{1..5}
$ ls -l
Create Files in Mount Point
Now we will remove one file called file5 from the mount point /mnt/TEST_DRIVE of the ext3 partition.
$ sudo rm file5
Remove a File in Linux
Now we will see how to recover the deleted file using the ext3grep program on the targeted partition. First, we need to unmount it from the mount point above (note that you have to use the cd command to switch to another directory for the unmount operation to work, otherwise the umount command will show the error “that target is busy”).
$ cd
$ sudo umount /mnt/TEST_DRIVE
Now that we have deleted one of the files (which we’ll assume was done accidentally), to view all the files that existed in the device, use the --dump-names option (replace /dev/sdb1 with the actual device name).
$ ext3grep --dump-names /dev/sdb1
View Files on Partition
To recover the above deleted file, i.e. file5, we use the --restore-all option as shown.
$ ext3grep --restore-all /dev/sdb1
Once the recovery process is complete, all recovered files will be written to the directory RESTORED_FILES. You can check there whether the deleted file has been recovered.
$ cd RESTORED_FILES
$ ls
Recover a Deleted File
We may specify a particular file to recover, for example the file called file5 (or specify the full path of the file within the ext3 device).
$ ext3grep --restore-file file5 /dev/sdb1
OR
$ ext3grep --restore-file /path/to/some/file /dev/sdb1
In addition, we can also restore files within a given period of time. For example, simply specify the correct date and time frame as shown.
$ ext3grep --restore-all --after $(date -d 'Jan 1 2019 9:00am' '+%s') --before $(date -d 'Jan 5 2019 00:00' '+%s') /dev/sdb1
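The script below is an added example, not part of the original article or the ext3grep project. It wraps the time-window restore with two pre-flight checks: the partition must be unmounted, and both dates must parse and be in order. The function names and the optional mount-table argument are assumptions for illustration, and GNU date is required.

```shell
#!/bin/sh
# Added example: pre-flight checks before a time-bounded ext3grep restore.
# Helper names and the mount-table override are assumptions for illustration.

# Succeeds if device $1 appears as a source in the mount table
# ($2, default /proc/mounts). ext3grep should only see an unmounted partition.
is_mounted() {
    awk -v dev="$1" '$1 == dev { found = 1 } END { exit !found }' "${2:-/proc/mounts}"
}

# Print the epoch seconds for a GNU date string; fail loudly on a bad date
# instead of handing ext3grep an empty --after/--before argument.
to_epoch() {
    date -d "$1" '+%s' 2>/dev/null || { echo "invalid date: $1" >&2; return 1; }
}

# Print the ext3grep command for the given time window, or fail with a reason.
# usage: restore_window_cmd DEVICE AFTER_DATE BEFORE_DATE [MOUNTS_FILE]
restore_window_cmd() (
    dev=$1
    if is_mounted "$dev" "${4:-/proc/mounts}"; then
        echo "$dev is still mounted; unmount it first" >&2
        exit 2
    fi
    after=$(to_epoch "$2") || exit 3
    before=$(to_epoch "$3") || exit 3
    if [ "$after" -ge "$before" ]; then
        echo "--after must be earlier than --before" >&2
        exit 4
    fi
    echo "ext3grep --restore-all --after $after --before $before $dev"
)

# Run only when called with arguments, e.g.:
#   sh restore_window.sh /dev/sdb1 'Jan 1 2019 9:00am' 'Jan 5 2019 00:00'
if [ "$#" -ge 3 ]; then
    cmd=$(restore_window_cmd "$@") || exit $?
    echo "Running: $cmd"
    $cmd
fi
```

Without arguments the script only defines the functions, so it can be sourced and restore_window_cmd called on its own to preview the command before anything touches the device.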
For more information, see the ext3grep man page.
$ man ext3grep
That’s it! ext3grep is a simple and useful tool to investigate and recover deleted files on an ext3 filesystem. It is one of the best programs to recover files on Linux.