extundelete is a command-line tool that can be used to recover deleted files from ext3 or ext4 file systems. It works by parsing the file system’s journal, which is a record of all the changes made to the file system, including file deletions. By analyzing the journal, extundelete can determine which blocks of the file system were allocated to a file before it was deleted, and can then reconstruct the file from those blocks.
extundelete can recover both files and directories, and it can recover them even if the file system has been modified or if the journal has been overwritten.
To recover a deleted file, you will need to specify the partition where the deleted files were located. For example, you can use the command extundelete /dev/sda1 --restore-file path/to/file to recover the file located at /path/to/file from the partition /dev/sda1; the path is given relative to the root of the file system, without the leading /. You can also use extundelete /dev/sda1 --restore-all to recover all deleted files from that partition.
It’s important to note that extundelete only works on ext3 and ext4 file systems, and that it can only recover files that were deleted after the last file system check or after the last time the journal was cleared. Additionally, if you are trying to recover a file from a partition that is currently in use, you will need to run extundelete in a live CD or USB environment in order to avoid any conflicts.
extundelete Command Examples
1. Restore all deleted files inside partition N on device X:
# extundelete /dev/sdXN --restore-all
2. Restore a file from a path relative to root (Do not start the path with `/`):
# extundelete /dev/sdXN --restore-file path/to/file
3. Restore a directory from a path relative to root (Do not start the path with `/`):
# extundelete /dev/sdXN --restore-directory path/to/directory
4. Restore all files deleted after January 1st, 2020 (in Unix time):
# extundelete /dev/sdXN --restore-all --after 1577840400
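A pre-flight check for the constraints described above (ext3/ext4 only, partition not in use, path relative to root), as an added example that is not from the original page or the extundelete project. The function names and the sample mount table are constructed for illustration, and the script only prints the command instead of running it.

```shell
#!/bin/sh
# Added example, not part of extundelete. Function names are hypothetical.

# Constructed sample in /proc/mounts format (not taken from a real host).
sample_mounts() {
cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /mnt/evidence ext4 ro,noload 0 0
EOF
}

# extundelete takes paths relative to the file system root: drop leading "/".
rel_path() {
    printf '%s\n' "$1" | sed 's|^/*||'
}

# Report how a device appears in a mount table ("-" reads stdin):
# prints "rw", "ro" or "unmounted".
mount_state() {
    awk -v d="$1" '
        $1 == d { n = split($4, o, ","); s = "rw"
                  for (i = 1; i <= n; i++) if (o[i] == "ro") s = "ro"
                  print s; found = 1; exit }
        END { if (!found) print "unmounted" }' "${2:-/proc/mounts}"
}

# Dry run: refuse non-ext3/ext4 file systems and mounted partitions,
# otherwise print the extundelete command for review (nothing is executed).
plan_restore() {
    dev=$1; fstype=$2; path=$3; table=${4:-/proc/mounts}
    case $fstype in
        ext3|ext4) ;;
        *) echo "refuse: $fstype is not ext3 or ext4" >&2; return 2 ;;
    esac
    state=$(mount_state "$dev" "$table")
    if [ "$state" != unmounted ]; then
        echo "refuse: $dev is mounted ($state); use a live environment" >&2
        return 3
    fi
    echo "extundelete $dev --restore-file $(rel_path "$path")"
}

# /dev/sdc1 is absent from the sample table, so the command is printed.
sample_mounts | plan_restore /dev/sdc1 ext4 /home/u/report.odt -
```

A mount table can list a device under a different name (for example a /dev/mapper or by-UUID alias), so an "unmounted" result is only as reliable as the device name passed in.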