Thursday, January 31, 2013

Backtrack Forensics: EXT3/4 file recovery with extundelete

Menu: Forensics -> Forensic Carving Tools
Directory: /usr/local/bin/extundelete
Official Website: http://extundelete.sourceforge.net/
License: GNU GLP v2

extundelete is a file recovery tool for EXT3 / EXT4 journaling file system. It can recover files by reading the journal log, and the inode tables. The drive where we are recovering files from, should be unmounted in order to work. The restored files will be placed in the "RECOVERED_FILES" directory.

Usage:

It's quite simple. I created a new virtual hard disk for the test, formatted it, and placed 3 files there. I also created an MD5 sum for all.


Then I unmounted it, and restored one file, with:

extundelete --restore-file 'a.txt' /dev/sdc1
and rechecked the MD5 hash, which is matching.


We can restore all files on a drive with:
extundelete --restore-all /dev/sdc1

We can also restore based on the inode number:
extundelete --restore-inode inode_number /dev/sdc1
The restored files, will have an extension of the inode number.

No comments: