e2image

Write metadata located on device to a specific file

$ e2image [/dev/sdXN] [path/to/image_file]

$ e2image [/dev/sdXN] -

$ e2image -I [/dev/sdXN] [path/to/image_file]

$ e2image -r [/dev/sdXN] [path/to/image_file]

$ e2image -Q [/dev/sdXN] [path/to/image_file]

e2image [-rP] [-O output_options] device image_file

-r
    Raw mode. Copies all blocks as they are, including unused and deleted blocks. This creates a larger image, similar to dd for the used portion of the filesystem, useful for advanced forensic analysis.

-P
    Parse-only mode. e2image will read the filesystem structure but will not write any output file. Useful for validating options or device integrity without creating an image.

-O output_options
    Specify output options to control what is written to the image file. Multiple options can be comma-separated. Common options include:
no_super: Do not write the superblock and block group descriptors.
super_only: Only write the superblock and block group descriptors.
all_inodes: Write all inode blocks, including those marked as unused.
all_blocks: Write all allocated data blocks (including metadata and file data), not just metadata structures.
journal: Include the filesystem journal blocks in the image (this is typically the default).
write_jnl_blocks: Write blocks referenced by the journal even if they are not part of an inode or directory.
write_blocks: Write all blocks referred to by inodes and directories (this is the default behavior for the metadata-only image).

device
    The path to the ext2/ext3/ext4 filesystem device (e.g., /dev/sda1).

image_file
    The path where the output image file will be created.

e2image is a utility from the e2fsprogs package designed to create a raw image of an ext2, ext3, or ext4 filesystem. Unlike generic block-level copying tools like dd, e2image intelligently copies only the filesystem metadata, such as superblocks, group descriptors, inode tables, directory blocks, and block bitmaps, making the resulting image significantly smaller than the original device. This 'metadata-only' image is invaluable for debugging corrupted filesystems, analyzing filesystem structures, or performing forensic investigations without altering the original device.

While its primary mode creates a compact metadata image, e2image can also be instructed to include all allocated data blocks, or even raw blocks including deleted data, via specific options. The generated image file is not directly mountable as a filesystem but is intended for use with other e2fsprogs utilities like debugfs for interactive exploration or e2fsck -D for advanced filesystem checking and debugging.

For a consistent image, the target filesystem should ideally be unmounted or mounted read-only. Creating an image of a live, mounted, writable filesystem can lead to an inconsistent or corrupted image reflecting an intermediate state. e2image is not a backup solution; it's primarily a diagnostic and forensic tool. The resulting image is not directly mountable by the Linux kernel.

The primary use case for an e2image output file is with tools like debugfs or e2fsck -D. For instance, to open an image for interactive debugging, you would use 'debugfs -i /path/to/your_image.e2i'. This allows filesystem administrators and developers to examine the internal structure of a potentially damaged filesystem safely, without risking further damage to the original device.

When used with the -r (raw) or -O all_blocks options, e2image can capture a more comprehensive snapshot of the filesystem, including all allocated data blocks. This capability is crucial in forensic investigations, enabling examiners to analyze filesystem structures and potentially recover deleted files or fragments from a copy rather than directly from the evidence source.

e2image is an integral part of the e2fsprogs project, a suite of utilities for managing the ext2, ext3, and ext4 filesystems on Linux. Developed by Theodore Ts'o, the primary maintainer of e2fsprogs and a key figure in Linux kernel development, e2image was created to provide a specialized, efficient way to capture the critical metadata of ext filesystems for analysis and debugging, avoiding the overhead of raw device copying when only structural information is needed. Its development paralleled the evolution and maintenance of the ext filesystem family itself.

e2fsck(8), debugfs(8), dumpe2fs(8), dd(1), mount(8)