ext4magic - recover deleted files on ext3/4 filesystems
[-j <journal_file>] [-d <target_dir>]
[-S|-J|-H|-V|-T] [-x] [-j <journal_file>] [-B n|-I n|-f
<file_name>|-i <input_list>] [-t n|[[-a n][-b n]]] [-d
<target_dir>] [-R|-r|-L|-l] [-Q] <filesystem>
The deletion of files in ext3/4 filesystems can not be easily reversed. Zero out
of the block references in the Inodes makes that impossible. Experience with
other programs have proved, it is often possible, to restore sufficient
information for a recover of many data files, directly from the filesystem
Journal. ext4magic can extract the information from the Journal, and can
restore files in entire directory trees, provided that the information in the
Journal are sufficient. This tool can recover the most file types, can recover
large and sparse files, recovered files with original filename, with the
original owner an group, the original file mode bits, and also the old
The filesystem Journal has a very different purpose, and it will not be possible
to recover any file at any time. Many factors affects which data and how long
the data store in the Journal. Read the ext4magic documentation for more
extensive information about the filesystem Journal.
These options are for a mulit-stage recover especially for
file restore after a recursiv deletion of parts or the whole file system.
(third step currently available for ext3 by versions 0.2.x ; a for ext4 is
included in version 0.3.x )
Umount the file system directly after an accidentally destroy and use these
options with the umount file system or with a copy of this file system. The
program automatically determines the correct time options if the deletion has
only worked a short time (< 5 min) . For very large deletions, you must use
the " after time
In the first and second step files restored by copies of inodes. The third step
is trying to restore the remaining files without inode copies. This may take a
- Try to recover all files. This option should be used if the
entire Filessytem was deleted.
- Try to recover only all deleted files. Use this option with
a partially deleted Filesystem.
These options generate generic status information
from the filesystem and the Journal.
- Print the filesystem superblock, the option. -x
allows the additional display of content of the group descriptor
- Print the content of the Journal superblock. This option
also can used to force loading the Journal. This has a flow control effect
in ext4magic with some other options.
- Output a histogram of time stamps from all filesystem
Inodes. Allows you to determine the exact time of changes in the
filesystem. In connection with a directory name or a directory Inode, only
the time stamps of this directory tree will be displayed. There are not
evaluated any changes, only one per Inode. either the last change or the
deletion time per Inode arrives to display. If present (ext4), it also
create a histogram of create time stamps.
The optional option -x allows additional a better resolution of the
- Print the version of ext4magic and libext2fs
- Display the entire transaction list of all copies of data
blocks in the Journal. In conjunction with the -B ; -I and
-f , only display the corresponding data blocks for this data . The
optional option -x allows an additional transmission time of the
transactions, but only if the block is a Inode block. The print is in the
same order as the data in journal. You can make conclusions from the data
received in the Journal. After the import of backups or after change of
timestamps of files, the additional transmission time will display not
always the real transmission time. If here absolutely incorrect time
entries, then check if you using a journal of a read-write open file
- controls optional the output format and the information
content of certain commands. Affects the following options: -S ; -H ;
-T ; -B ; -I ; -f ; -L ; -l Detailed description see there.
These options specify the exact files, directories,
and data blocks. One hand, they produce specific information, and on the other
hand, be used to address the data for the Action Options.
will accept only one of these options at command.
- -B n
- n is the data block number of a filesystem
datablock. Without further options it print a "one-byte"
hex+ASCII dump from the data block on the filesystem, like the
"hexdump -C" command. The optional option -x
produced a "four byte" hex+ASCII output.
With the option -t n it print a copy of the filesystem data block
with this transaction number from the Journal.
# ext4magic /dir/filesystem.iso -B 97 -t 22
print a hexdump of the copy from filesystem block number 97, which has been
writing to the Journal with the transaction number 22. All copies of a
particular data block in the Journal and the associated transaction
numbers you can find with the optional Option -T
# ext4magic /dir/filesystem.iso -B 97 -T
will print a list with all copies of filesystem block number 97 with the
transaction numbers. If this data block is a Inode block, print out the
exact time for the transaction with the optional option -x
- -I n
- n is the Inode number. Without any other option, the
output is the content of the real filesystem Inode. With a optional
-x additional output of a list of all data blocks addressed by this
Inode. If Inode is a directory Inode, the content of the directory entries
Together with one of the following option -T ; -J the output is not
the content from the real filesystem Inode. The content of all differend
Inode copies found in the Journal are printed.
with the option -t n only the content of the Inode from transaction
" n " are printed.
the option -I n can also be used in conjunction with the options
-L ; -l ; -r or -R (show there)
- -f <filename>
- the function is the same as -I n only here is the
<filename> given instead the Inode number. ext4magic search
the filesystem to find the Inode number. The filename can be a directory
or a filename and must be specified here from the root directory of this
filesystem, and not from the root directory of the LINUX system.
An example: the mount point for this filesystem is " /home
" an the filename for Linux is " /home/usr1/Document
" you can use now
# ext4magic /dev/sda3 -f usr1/Document
The root directory of the filesystem you can use
for ext4magic this is the same.
you should specify no leading "/" for all other filename. And
directory names you should specify without final "/" .
(new 0.2.1) The optional Expert-Mode must be enabled with
the option "--enable-expert-mode"
by configure. This makes it
possible to open and recover front corrupted file systems. In the current
version it is possible to address backup superblocks and the attempt to
recover of the Journal address from the data of the super block, and recover
all undamaged files after the filesystem was partially damaged or overwritten.
- -s blocksize -n blocknumber
- with this options you can select the backup superblock.
blocksize can be 1024, 2048 or 4096. blocknumber is the
block number of the backup superblock this depends on the block size. Use
the same values as with "fsck" or "debugfs" or use the
output of "mkfs -n .." to determine the correct value.
Use the options necessarily in the order "-s ... -n ..."
- This will attempt to find the journal using the data of the
superblock. Can help if the first inode blocks of the file system are
- trying a restore of all files from a badly damaged file
system. The combination of all these Expert Options try a file system
restore if the superblock broken and the beginning of the file system is
corrupted or overwritten. This can only work if e2fsck has not yet
changed the faulty file system.
Example : the first few megabytes of the file system are overwritten. The
following tries a copy of all undamaged files of the filesystem. Target
directory is "/tmp/recoverdir"
# ext4magic /dev/sda1 -s 4096 -n 32768 -c -D -d /tmp/recoverdir
- This is a optional high quality Option for recover and only
impact with " -r " and " -R ". Without
this option, any valid file name restored from the directories and you can
set the " before " time stamp to a time in which all
files are deleted. So you will find the maximum possible number of files.
It need not necessarily be found old directory data blocks in the Journal.
However, there are some files found too much. In this mode, re-used file
name and reused Inode can not be noticed. As a result some file will be
created with the extension " "#" or some files
created with wrong content. You have to check the files and find bad files
and delete itself.
With option " -Q " works ext4magic more accurately, and can
avoid such false and duplicate files. This requires old data blocks of the
directories in the Journal. You will not find of all directories those old
blocks in the Journal. Only directories in which files have been
previously created or deleted, but not of directories in which no change
has been a long time. You should set the time stamp " before
" immediately before destruction time of the files. Are not
sufficient directory data available, may be, ext4magic can't found deleted
files or entire directory content. This option should be used very
carefully and will achieve good results only in a few directories.
With this options you specify a time window at which the
program searches for matching time stamps in the Journal data. ext4magic
required for most internaly functions two times. A time "after" and
a time "before".
Found Inode only accepted, if not deleted and there time stamp less than
"before". If the delete time is less then "after", the
Inode are also not used. ext4magic is still trying to find for valid directory
Inode also a time-matching directory data. For a recover action
"before" set to a value at which the data deleted, and
"after" set to a value at which the data available. Inodes and
directory data with other timestamps will be skipped and not used.
Default, without any time option, ext4magic will search with "now" for
the internal time "before", and "now -24 hour" for the
internal time "after". If you try to recover without any time
option, so you search only over the last 24 hours. If you wait a couple of
days before you try to recover deleted data, you must always use time options,
or you find nothing
- -a n
- with this option you can set the " after "
- -b n
- with this option you can set the " before
n is the number of seconds since 1970-01-01 00:00:00 UTC. This time
information can you find in many prints of ext4magic, and you can it
produce on the console with the command "date" and also insert
directly in the ext4magic command line.
-a $(date -d "-3day" +%s) -b $(date -d "-2day"
this example set "after=now-36h" and "before=now-24h"
File-, IN- and OUT-Options:
- -t n
- is an indirect time option. you can use it with the options
-B ; -I ; -f The value n is the transaction number. With
this option you can print, list, or recover the data from this transaction
number. you can find the transaction numbers with the option -T or
in the print of the Inode content.
With these options group, you select the
filesystem, and other optional file input and output for control of ext4magic.
- selects the filesystem and must always be set.
<filesystem> can be a blockdevice with ext3/4 filesystem, it
can also be a uncompressed file image of such a partition.
- -j <journal_file>
- optional you can select a external copy of the Journal
file. Without this option, automatically the internal Journal or, if
configured, the external Journal on a block device will used.
- -d <target_dir>
- select the output directory. There, the recovered files
were written. If it does not exist, it is created. By default, created
files are written to the subdirectory " RECOVERDIR " in
the workpath of the actual shell. This output directory can not be on the
same filesystem to be tested filesystem, and should have sufficient space
to write the recovered files. The filesystem on this directory should be
also ext3/4, otherwise, not LINUX like filesystems generate some errors
while writing the file properties. Either you must first changed with the
shell in such a suitable filesystem, or you must specify the -d
with a target to such a directory
- -i <input_list>
- input_list is a input file. Must contain a list with
double-quoted filenames. The files from the list will be restored with
option -r or -R
Blank lines, not cleanly double quoted filenames and all areas before and
after " will be ignored. Such a double-quoted list of file
names can create with options -l -x or -L -x by ext4magic
and edited by script or by hand.
This option group includes list and recover options. All
functions together, they work recursiv controlled by the time options through
directory trees. The starting point for search is determined by a directory
name or a directory Inode number. Default is root of this Filesystem. Matching
the time options, the filesystem data, inclusive directory data, taken from
the Journal. If good data from the file system sections available in Journal,
it is possible to see or recover the state of the filesystem at different
- Prints the list of all filenames and Inode number of the
selected directory tree. Included here also are deleted files and deleted
directory trees. With the additional option. -x the file names are
printed double-quoted. You can use it for a "Input list" with
- Prints a list of all filenames which have not allocated
data blocks. At the beginning of the line are the percentage of
unallocated data blocks. After deletion you find here all the file names
you can recover with the Journal data. If you use a very old value for the
"before" time, it is possible there are files whose data blocks
reused and these files in the interim also been deleted. Also included in
the list all files without data blocks, symbolic links, empty and other
Likewise double-quoted file names with optional -x
- applied to directories, all files without conflicts with
the occupied blocks will recovered. This are all you can sea with the
option -l and be 100% unallocated. This options only recover
deleted files and files without data blocks, in example: symbolic links or
The recovered files written to the RECOVERDIR/ This can also set to
an alternate <target_dir> with the option -d
All files become the old filename and if possible, also the old file
properties. A subdirectory tree can set with "-f dirname"
oder "-I inodenumber" If use with a given Inode number,
the directory name is set to <inodenumber>
The Time options affect the search. If a file name already exists, or you
recover again, it not overwrite files, and a new filename by added a final
"#" will created. The maximum ist the extension "
##### " for a filename.
single files also can recovered, possible search with time-stamps or
(new 0.2.1): Starts this function from the root directory the first
stage of the magic functions will follow.
This starts "lost directory search" and "lost file
search" and recovers all the deleted inode that can not be
assigned to a file name. These files you can find in the directories
MAGIC-1 and MAGIC-2
For all recover cases
- recovers directory tree, is the same as -r
But two very important differences: Recover of all matched Inodes, even if
the blocks allocated, and recover if possible the old directory
properties. Also empty directories will be restored. This recovers all
deleted and all undeleted files, and it's possible to recover older file
versions or directory versions.
In completely deleted directories the behavior " -R " and
" -r " is identical. The difference is there only the
complete recover of all directories with option " -R ".
You can also restore individual files with time options or a transaction
ACL, SEL and other extended attribute can not
recovered in the current version.
The output starts at line with a string "--------" before the
recovered file name. This is a sign of successful recover. Are not enough
permissions to write the recovered files, then you will see there some
"x" in the string.
At the end of the process, possibly an issue comes from the hardlink database. A
positive number before a file name means : not found all hardlinks to this
file. A negative number means : it created too many hardlinks to this file
(possible are, reused filenames or reused Inodes, and so, too many or wrong
old filenames for this hardlink. But also possible, all files for this
hardlink are correct, the time options was not set correct and because of
that, the selected inode for the recover was not up to date. You should check
Re-used data blocks can't realize and so it's possible, it ends in some
corrupted files. Check in any case, all the recoverd files before you use
- Print the content of a Inode, there are some
# ext4magic /dev/sda3 -f /
# ext4magic /dev/sda3 -I 2
the output is the actual filesystem root Inode. In first example input the
pathname, second example Inode 2 is also the root directory
# ext4magic /tmp/filesystem.iso -f / -T -x
use filesystem image "/tmp/filesystem.iso", search and print all
transactions of the Block which included the root Inode, and print all
differend Inode. Inclusiv the blocklist off the data blocks. If it's a
directory, then print also for each individual Inode the content of the
# ext4magic /tmp/filesystem.iso -j /tmp/journal.backup -I 8195 -t 182
Use filesystem image "/tmp/filesystem.iso" and read from external
Journal in file "/tmp/journal.backup" and print the content of
the Inode number 8195 from the journal transaction number 182
# ext4magic /dev/sda3 -f user1/Documents -a $(date -d "-3 day"
+%s) -b $(date -d "-2 day" +%s)
print a undeleded Inode for pathname "user1/Documents" two to
three days back. If it's a directory, then also the content of this
directory. If can not found the old directory blocks in Journal, the
directory content would be the actual from filesystem.
- Examples of simple Recover
# ext4magic /dev/sda3 -r -f user1/picture/cim01234.jpg -d /tmp
Recover the file "/home/user1/picture/cim01234.jpg" which has just
been deleted. The file system is mounted normally under "/home".
Note the file path is specified from the root directory of the file system
and not from the root of the entire Linux system. Whenever possible,
umount the file system for the recover. The file will be written as
# ext4magic /dev/sda3 -r
try to restore all files deleted last 24 hours. Write to directory
# ext4magic /dev/sda3 -R -a $(date -d "-5day" +%s)
Attempts to recover all files, even if they are already partially
overwritten, recover also all not deleted files. The erase time is 4 days
# ext4magic /dev/sda3 -M -d /home/recover
try multi-stage recover of all files after the filesystem is deleted with a
"rm -rf *" . Write the files to "/home/recover". (on
ext4 : in this version skipped the last step.)
# ext4magic /dev/sda3 -RQ -f user1/Dokuments -a 1274210280 -b 1274211280 -d
try to restore the directory tree "user1/Dokuments/". The
"-b" timestamp you must set just before deleting files, the
"-a" timestamp prevents found old file versions. This will only
work well, if you've there created or deleted files bevor the
"-b" timestamp. Write to the directory
"/mnt/testrecover/". If only a few files recovers, attempts the
same without the option -Q
# ext4magic /home/filesystem.iso -Lx -f user1 | grep "jpg" >
# ext4magic /home/filesystem.iso -i ./tmpfile -r -d /mnt/testrecover
try to restore only all deleted files from directory tree
"user1/", and have "jpg" in filename. (last 24 hour)
and write to "/mnt/testrecover" - use a temporary file
"./tmpfile" for a list of filenames.
Direct use of the Journal of a currently read-write open filesystem produce
reading of bad blocks. Such bad blocks provide program errors and false
results. You shall therefore never use the Journal of such a read-write open
file system directly. Should it be necessary to use a mounted file system,
create a copy of the file system journal and used the option -j
(8) , e2fsck