extundelete

Restore all deleted files inside partition N on device X

$ sudo extundelete [/dev/sdXN] --restore-all

$ extundelete [/dev/sdXN] --restore-file [path/to/file]

$ extundelete [/dev/sdXN] --restore-directory [path/to/directory]

$ extundelete [/dev/sdXN] --restore-all --after [1577840400]

extundelete [options] /dev/partition

--undelete
    Recover all deleted files in the filesystem.

--undelete-file
    Recover a specific deleted file by name.

--undelete-inode
    Recover a specific deleted file by inode number.

--output-dir
    Specify the directory where recovered files will be saved.

--restore-all
    Alternative command to recover all deleted files.

--restore-file
    Alternative command to recover a specific deleted file by name.

--restore-inode
    Alternative command to recover a specific deleted file by inode number.

--version
    Display version information.

--journal
    Use only the journal to find and recover files.

--superblock
    Specify a location for superblock from backup copies.

extundelete is a command-line utility for recovering deleted files from ext3 and ext4 file systems. It works by analyzing the file system's journal and inode information to identify and restore deleted files. Unlike some other recovery tools, extundelete can often recover files even after they have been partially overwritten, though the success rate depends on the extent of the overwriting.

It's important to stop writing to the file system after data loss to maximize the chances of successful recovery. This includes unmounting the partition containing the deleted files or mounting it read-only. extundelete provides several options to specify the target partition, the files to be recovered, and the location where the recovered files should be saved. The utility supports recovering files by name, inode number, or all deleted files. While powerful, extundelete is not a guaranteed solution and success depends on filesystem activity after deletion.

Recovery success is highly dependent on filesystem activity after the file deletion. Overwriting greatly reduces the chance of recovery. It is highly recommended to use it on a read-only or unmounted partition. Requires root privileges.

extundelete works by examining the filesystem's journal. Thus, the longer the journal history and the less activity on the filesystem after the deletion, the higher the chance of successful recovery. Always try to mount the partition read-only or boot from a live CD/USB to avoid further overwriting of data.

extundelete may not be able to recover files if the filesystem has been heavily fragmented or if the data blocks have been overwritten by other files. Also, recovery of files deleted a long time ago may be difficult if the journal entries have been overwritten.

extundelete was developed to address the need for a relatively simple and efficient tool to recover deleted files from ext3 and ext4 file systems. It gained popularity as a go-to solution for users who accidentally deleted files and needed a way to retrieve them without resorting to more complex or expensive data recovery software. The development focused on leveraging filesystem journaling to locate and restore deleted inodes.

debugfs(8), photorec(1), testdisk(1)