Skip to content

bjangelo/ext4rewind

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
.gitignore
.gitignore
 
 
README.md
README.md
 
 
__init__.py
__init__.py
 
 
ext4dir.py
ext4dir.py
 
 
ext4extent.py
ext4extent.py
 
 
ext4fs.py
ext4fs.py
 
 
ext4inode.py
ext4inode.py
 
 
ext4rewind.py
ext4rewind.py
 
 

Repository files navigation

Ext4 Rewind

Ext4 Rewind is a crude attempt to automate deleted file analysis and recovery from ext4 file-systems.

The underlying logic is likely not that different from related tools.

However, going through the process manually is insightful for understanding how deleted files could be recovered.

This code is crude, uncommented, and relies on the output format of sleuthkit tools (which is far from a stable API).

  1. Requirements
  2. Commands
  3. References

Requirements

Ext4 Rewind is built on-top of sleuthkit command line tools.

A fork of sleuthkit is currently required until this issue is resolved upstream.

Commands

journal

The journal command will print journal commit blocks in reverse chronological order.

ext4rewind.py /dev/mapper/dvg-home journal

inode

The inode command will print an inode in reverse chronological order.

ext4rewind.py /dev/mapper/dvg-home inode 131074

dir

The dir command will print a directory entry in reverse chronological order.

ext4rewind.py /dev/mapper/dvg-home dir 131074

extent

The extent command will print an extent in reverse chronological order.

ext4rewind.py /dev/mapper/dvg-home extent 558590

blocks

The blocks command will print the content of data blocks.

ext4rewind.py /dev/mapper/dvg-home blocks 532513 532583-532584

References

About

Scripts for ext4 file-system analysis and deleted file recovery

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages