extundelete is a command-line tool that can be used to recover deleted files from ext3 or ext4 file systems. It works by parsing the file system’s journal, which is a record of all the changes made to the file system, including file deletions. By analyzing the journal, extundelete can determine which blocks of the file system were allocated to a file before it was deleted, and can then reconstruct the file from those blocks.
extundelete can recover both files and directories, and it can recover them even if the file system has been modified or if the journal has been overwritten.
If you encounter the below error while running the command extundelete:
extundelete: command not found
you may try installing the below package as per your choice of distribution:
| Distribution | Command |
|---|---|
| Debian | apt-get install extundelete |
| Ubuntu | apt-get install extundelete |
| Arch Linux | pacman -S extundelete |
| Kali Linux | apt-get install extundelete |
| Fedora | dnf install extundelete |
| Raspbian | apt-get install extundelete |
extundelete Command Examples
1. Restore all deleted files inside partition N on device X:
# sudo extundelete /dev/sdXN --restore-all
2. Restore a file from a path relative to root (Do not start the path with `/`):
# extundelete /dev/sdXN --restore-file path/to/file
3. Restore a directory from a path relative to root (Do not start the path with `/`):
# extundelete /dev/sdXN --restore-directory path/to/directory
4. Restore all files deleted after January 1st, 2020 (in Unix time):
# extundelete /dev/sdXN --restore-all --after 1577840400