extundelete

Restore all deleted files inside partition N on device X

$ sudo extundelete [/dev/sdXN] --restore-all

$ extundelete [/dev/sdXN] --restore-file [path/to/file]

$ extundelete [/dev/sdXN] --restore-directory [path/to/directory]

$ extundelete [/dev/sdXN] --restore-all --after [1577840400]

extundelete [options] [--] [path]

-h, --help
    Display help message and exit.

-v, --verbose
    Enable verbose output.

-d DEVICE, --device=DEVICE
    Specify the target block device or image file (e.g., /dev/sda1).

-b BLOCK, --superblock=BLOCK
    Use alternative superblock at block number.

-B, --block-device
    Treat input as a raw block device.

-m MIN_BLOCK, --min-block=MIN_BLOCK
    Start scanning inodes from specified block number.

-j JOURNAL, --journal=JOURNAL
    Use external journal file or device.

-o DUMPFILE, --dumpfile=DUMPFILE
    Dump inode and block bitmap data to file for analysis.

-r, --restore-all
    Restore all deleted files to RECOVERED_FILES directory.

-p PATH, --path=PATH
    Restore deleted files matching the path (repeatable).

-f FILENAME, --file=FILENAME
    Restore file by name (saved as RECOVERED_FILES/FILENAME).

--inode NUM
    Restore files from specific inode number.

--after DATE
    Restore files deleted after DATE (YYYY-MM-DD hh:mm:ss).

--before DATE
    Restore files deleted before DATE (YYYY-MM-DD hh:mm:ss).

extundelete is a powerful utility designed to recover deleted files from ext2, ext3, and ext4 filesystems on Linux. It operates by analyzing the filesystem's journal, inode tables, and block bitmaps to locate inodes marked as deleted but whose data blocks have not yet been overwritten. This makes it particularly effective for data recovery shortly after accidental deletion, before significant write operations reuse the blocks.

The tool scans for deleted inodes and reconstructs file trees or individual files, dumping recovered data into a RECOVERED_FILES directory by default. It supports restoring entire directory structures, specific paths, filenames, or even individual inodes. Users must specify the target block device or image file, and it's strongly recommended to run it on an unmounted filesystem to prevent further data corruption.

extundelete stands out for its speed and specificity compared to carving tools, as it leverages filesystem metadata rather than blindly scanning for file signatures. However, recovery success depends on timely intervention and minimal filesystem activity post-deletion. It's an essential tool for system administrators and users facing data loss scenarios on native Linux filesystems.

Best on unmounted filesystems to avoid overwrites.
Recovery not guaranteed if blocks reused.
Only supports ext2/3/4; ineffective on remounted or heavily written volumes.
May produce partial or duplicate files.

extundelete --restore-all /dev/sdb1
Recovers all possible deleted files from partition.

Recovered data placed in RECOVERED_FILES; subdirs mirror original structure where possible.

Developed by Jason Cases, first released in 2007 as open-source under GPL. Gained popularity for ext3 recovery before ext4 maturity; maintained sporadically with updates for newer kernels.

debugfs(8), dumpe2fs(8), testdisk(1), photorec(1), foremost(1)