extundelete
Recover deleted files from ext3/ext4 filesystems
TLDR
Restore all deleted files inside partition N on device X
Restore a file from a path relative to root (Do not start the path with /)
Restore a directory from a path relative to root (Do not start the path with /)
Restore all files deleted after January 1st, 2020 (in Unix time)
SYNOPSIS
extundelete [options] <device> [--
Common usage examples:
extundelete --restore-all </dev/sdb1>
extundelete --restore-file <path/to/deleted/file.txt> </dev/sdb1>
extundelete --restore-directory <path/to/deleted/dir/> </dev/sdb1>
extundelete --output-dir </tmp/recovered> --restore-all </dev/sdb1>
PARAMETERS
--restore-all
Attempts to restore all possible deleted files and directories found on the specified filesystem device.
--restore-file <path>
Restores a specific deleted file identified by its original path relative to the root of the filesystem.
--restore-directory <path>
Restores a specific deleted directory and its contents, identified by its original path.
--output-dir <directory>, -o <directory>
Specifies the directory where recovered files will be placed. Defaults to RECOVERED_FILES/ in the current working directory.
--inode <inode_number>
Restores the file or directory associated with the specified inode number.
-j <journal_device>
Specifies an external journal device to use for recovery, if the journal is not on the same device as the filesystem.
-b <block_size>
Forces the use of a specific block size for the filesystem, overriding auto-detection.
-d <block_group>
Scans only a specific block group for deleted files, which can speed up the process.
-c <config_file>
Uses a specified configuration file for advanced options.
--log <logfile>
Redirects verbose log output to the specified file.
--debug
Enables additional debug messages for troubleshooting.
--version
Displays the program version information.
--help
Displays a help message with command usage and options.
DESCRIPTION
extundelete is a powerful open-source utility designed for recovering deleted files from ext3 and ext4 filesystems. When a file is "deleted" on Linux, its inode is marked as unallocated, and the data blocks it pointed to are freed. However, the data itself often remains on the disk until it is overwritten by new data. extundelete works by scanning the filesystem's journal (if available and enabled) for entries that still point to the deleted file's inode and data blocks. It can also inspect the filesystem's inode tables for unallocated inodes that might still contain valid information about deleted files. This tool is particularly useful for accidental deletions, providing a chance to restore lost data, especially if the filesystem was unmounted quickly after the deletion. It reconstructs the directory structure and file contents into a specified output directory, typically named RECOVERED_FILES. Success depends heavily on how much disk activity has occurred since deletion.
CAVEATS
1. Time Sensitivity: The success rate of extundelete decreases drastically the longer the time between deletion and recovery attempt. Any new writes to the disk can overwrite the deleted file's data blocks, making recovery impossible.
2. Filesystem State: For best results, the filesystem from which you are trying to recover files should be unmounted immediately after deletion. If unmounting is not an option (e.g., it's the root filesystem), mount it read-only. Continuing to write to the filesystem can lead to permanent data loss.
3. Partial Recovery: It's common for extundelete to recover files partially or with corruption, especially if the file was fragmented or its blocks have been partially overwritten.
4. Inode Re-use: If the deleted file's inode has been re-used by a new file, extundelete may not be able to identify or recover the original file.
5. Ext2/Other Filesystems: extundelete is specifically designed for ext3 and ext4 filesystems and will not work on other filesystem types like ext2, XFS, Btrfs, or NTFS.
6. Device Path: Always specify the raw device path (e.g., /dev/sdb1), not a mounted directory.
BEST PRACTICES FOR RECOVERY
1. Act Quickly: The moment you realize a file is deleted, stop all activity on the affected filesystem.
2. Unmount or Mount Read-Only: The best practice is to unmount the filesystem (e.g., sudo umount /dev/sdb1). If it's the root filesystem or cannot be unmounted, mount it read-only (e.g., sudo mount -o remount,ro /dev/sdb1 /mnt/point). This prevents any new data from overwriting the deleted files.
3. Recover to a Different Disk: Always recover files to a different physical disk or partition than the one from which you are recovering. Recovering to the same disk can overwrite the very data you are trying to restore.
4. Identify the Device: Ensure you know the correct device path (e.g., /dev/sda1, /dev/sdb2) of the partition where the file was deleted. Using the wrong device can lead to data loss on another partition.
5. Backup First (If Possible): If the data is critically important and the filesystem is stable, consider creating a disk image (e.g., using dd) before attempting recovery, as a safety measure.
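Practices 1 and 2 above can be enforced with a pre-flight check before the tool is run. This is an added example, not part of extundelete or of the original page; the function names are illustrative, and the device name is compared literally with the first field of /proc/mounts.

```shell
#!/bin/sh
# Added example: refuse to run extundelete against a filesystem that is
# still mounted read-write. Helper names are illustrative.

# mount_state DEVICE [MOUNTS_FILE]
# Prints "unmounted", "ro" or "rw". MOUNTS_FILE uses the /proc/mounts layout:
#   device mountpoint fstype options dump pass
# A device mounted more than once counts as "rw" if any mount is read-write.
# Options are matched exactly, so "errors=remount-ro" is not mistaken for "ro".
mount_state() {
    awk -v dev="$1" '
        $1 == dev {
            ro = 0
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) if (opt[i] == "ro") ro = 1
            if (!ro) rw = 1
            seen = 1
        }
        END { print (!seen ? "unmounted" : (rw ? "rw" : "ro")) }
    ' "${2:-/proc/mounts}"
}

# safe_to_recover DEVICE [MOUNTS_FILE]
# Returns 0 when DEVICE is unmounted or mounted read-only, 1 otherwise.
safe_to_recover() {
    case "$(mount_state "$1" "$2")" in
        unmounted|ro) return 0 ;;
        *) echo "refusing: $1 is mounted read-write;" \
                "unmount it or remount it read-only first" >&2
           return 1 ;;
    esac
}

# Usage: preflight.sh DEVICE OUTPUT_DIR
# OUTPUT_DIR must be on a different disk or partition than DEVICE.
if [ "$#" -eq 2 ]; then
    safe_to_recover "$1" || exit 1
    extundelete --output-dir "$2" --restore-all "$1"
fi
```

If the device is listed in /proc/mounts under another name (a /dev/mapper entry or a by-uuid symlink), pass that name instead.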
HISTORY
extundelete emerged as a dedicated open-source solution to address the common problem of accidental file deletion on Linux systems utilizing the widely adopted ext3 and ext4 filesystems. Unlike some general-purpose data recovery tools, extundelete was specifically engineered to leverage the journaling capabilities of these filesystems, which record changes to the metadata. Its development filled a niche for a command-line utility focused solely on this task, providing a lighter and more direct approach compared to full forensic suites. It has been maintained by its community and often included in various Linux distribution repositories and data recovery live environments, becoming a go-to tool for quick recovery attempts by system administrators and users.
SEE ALSO
debugfs(8): A filesystem debugger for the ext2/ext3/ext4 filesystems, which can sometimes be used for manual inode recovery.
testdisk(8): A powerful free data recovery software primarily designed to recover lost partitions and/or make non-booting disks bootable again, but also offers file undeletion capabilities.
photorec(8): A companion program to TestDisk, PhotoRec is file data recovery software designed to recover lost files including video, documents and archives from Hard Disks, CD-ROMs, and Digital Camera Memory. It recovers files by signature.
e2fsck(8): Used to check and repair ext2/ext3/ext4 filesystems. While not for undeletion, a healthy filesystem is a prerequisite for recovery.
foremost(1): Another console-based tool for carving files based on headers, footers, and internal data structures, often used for forensic data recovery.