debugfs

Open the filesystem in read only mode

$ debugfs [/dev/sdXN]

$ debugfs -w [/dev/sdXN]

$ debugfs -f [path/to/cmd_file] [/dev/sdXN]

$ stats

$ close -a

$ lr

debugfs [ options ] device

device
    The path to the block device containing the filesystem (e.g., /dev/sda1) or a filesystem image file.

-V
    Print the version number of debugfs and exit.

-b blocksize
    Specify the block size of the filesystem. This is rarely needed as debugfs can usually determine it automatically.

-s superblock
    Specify the block number of an alternative superblock to use. Useful for corrupted filesystems.

-f cmd_file
    Read commands from the specified file instead of standard input (non-interactive mode).

-R command
    Execute a single command and then exit. Useful for scripting specific queries.

-w
    Open the filesystem in read-write mode. Use with extreme caution! This allows modifications to the filesystem.

-D directory
    Set the current working directory within debugfs. This can simplify path specification for interactive commands.

debugfs is a powerful interactive command-line utility used to examine and modify the internal structures of an ext2, ext3, or ext4 filesystem. It's an integral part of the e2fsprogs suite of tools. Unlike standard filesystem utilities like ls or cp, debugfs operates at a much lower level, allowing users to directly inspect and manipulate inodes, directory entries, block maps, and superblock information.

This makes it invaluable for filesystem forensics, recovery of lost or deleted files (though success is not guaranteed), and advanced debugging of filesystem issues. While it can be used for non-destructive operations like viewing filesystem metadata, it also provides commands to modify the filesystem, which can be extremely dangerous if not used with extreme caution, potentially leading to irreversible data corruption.

It supports both an interactive mode, where users type commands at a prompt, and a non-interactive mode, where a script of commands can be executed against a specified device. Typically, debugfs requires root privileges to operate on a raw block device.

High Risk of Data Loss: Using debugfs, especially with the -w option, can lead to severe data corruption if commands are executed incorrectly. Always back up critical data before attempting modifications.
Root Privileges: Typically requires root privileges to access raw block devices.
Unmounted Filesystems: For any modifying operations, it is strongly recommended to use debugfs on an unmounted filesystem to prevent inconsistencies.

Once inside debugfs, numerous commands are available. Common examples include:
ls: List files and directories.
stat file: Display inode information for a file.
cat file: Display the contents of a file.
dump file: Dump a file's contents to an operating system file.
icheck inode_number: List blocks allocated to an inode.
bmap file logical_block: Find the physical block number of a logical block.
rm file: Remove a file (can be used to recover 'deleted' inodes by relinking).

debugfs is often used in attempts to recover accidentally deleted files. By finding the inode of a deleted file and potentially relinking it, it's sometimes possible to restore the file, provided its data blocks have not been overwritten. This process requires a deep understanding of filesystem internals.

debugfs is a foundational component of the e2fsprogs project, which was primarily developed by Theodore Ts'o. It has been a key utility for managing and debugging ext2, ext3, and ext4 filesystems since their early development, evolving alongside the filesystem standards.

e2fsck(8), tune2fs(8), dumpe2fs(8), mke2fs(8), fsck(8)