This repository has been archived by the owner. It is now read-only.
Izzy edited this page Aug 16, 2017 · 1 revision

Documentation

This is a short and probably incomplete documentation. Its intention is to get you started with ext3undel – it is incomplete in that not all details are mentioned. For a more complete reference, use the man pages shipped with the distribution, e.g. by typing man ext3undel, man ralf or man gabi at the command line – after you have successfully installed the application.

Requirements

I must admit: The scripts from the ext3undel collection are nothing compared with the tools they utilize – they more or less fulfill organizational tasks only. So for the real recovery, they depend on some bigger companions:

Sleuthkit

Sleuthkit is a complete forensic framework. Using its command line components requires some knowledge of the underlying concepts, plus some time to figure out how they work. Sleuthkit also provides a graphical frontend to be operated in your web browser - but since it is targeted at forensics, this bears some overhead (e.g. you first need to create a "case", assign a team to it, and the like). ext3undel utilizes the command line tools of this package.

foremost

The first four letters of the name foremost also indicate forensic use. foremost is intended to recover everything found on a given partition. It is completely command line driven, and recognizes a range of file types.

PhotoRec

PhotoRec is designed to recover everything it finds on a given partition. The name already suggests it has its origin in recovering photos – which is usually "everything you find on the camera's memory card". But it has grown a lot: It recognizes about 150 different file types, which is much more than foremost does. Moreover, it ships with a built-in interactive shell, so it should be easy to run it stand-alone even without ext3undel – if you intend to recover all files (of a given type). You will probably do so if you want to restrict the result to multiple (but not all) file types – a task not (yet) integrated in ext3undel.

What is really needed?

You will definitely need Sleuthkit – but you can decide whether you want to use PhotoRec or foremost. We recommend PhotoRec – but which one you choose may depend on what is available for your system, and the decision is up to you.
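
A preflight check for the requirement above, added here as an example (it is not part of ext3undel): it confirms Sleuthkit is present and reports which carver is available, preferring PhotoRec. Probing for fls and icat as the Sleuthkit commands is an assumption, as are the function names.

```shell
#!/bin/sh
# Added example, not ext3undel code.
# Assumption: fls and icat stand in for "Sleuthkit is installed"; the page
# does not list which Sleuthkit commands the scripts actually call.

# have_cmd NAME [SEARCH_PATH]
# Returns 0 if NAME is an executable regular file in a directory of
# SEARCH_PATH (colon separated, defaults to $PATH).
have_cmd() {
    name=$1
    search=${2:-$PATH}
    old_ifs=$IFS
    IFS=:
    for dir in $search; do
        if [ -x "${dir:-.}/$name" ] && [ ! -d "${dir:-.}/$name" ]; then
            IFS=$old_ifs
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# check_deps [SEARCH_PATH]
# Prints the carver that is available (photorec first, as recommended).
# Returns 0 if usable, 1 if Sleuthkit is missing, 2 if no carver is found.
check_deps() {
    search=${1:-$PATH}
    for tool in fls icat; do
        if ! have_cmd "$tool" "$search"; then
            echo "missing Sleuthkit tool: $tool" >&2
            return 1
        fi
    done
    for carver in photorec foremost; do
        if have_cmd "$carver" "$search"; then
            echo "$carver"
            return 0
        fi
    done
    echo "neither photorec nor foremost found" >&2
    return 2
}

# Usage: carver=$(check_deps) || exit 1
```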

Installation

This part of the documentation shall help you to get the application installed and ready to use.

Installation methods

Depending on your system, there are several installation methods available. First and preferred over all others is the installation from the provided packages: In the IzzySoft Apt Repository, you will find both RPM and Debian packages. They should be generic and not dependent on a specific Linux distribution – i.e. the RPM packages should install fine not only in RedHat, but also on SuSE and other distributions using the RedHat packaging system, and the Debian packages should be fine for any distribution using Debian packages (in fact, they were tested only with Ubuntu).

If you cannot use any of those packages, the next alternative is to use make install. As a last resort, you can try a manual install by copying the sources to the right place. Details follow:

Installation from packages

This is the easiest and also most convenient way. It is best to include the IzzySoft Apt Repository directly in your packaging system – which should work for APT (Debian) and YUM (RPM). Details on how to do this can be found on the Repository Site. One of the big advantages will be that all dependencies should be resolved automatically, and you will never need to check for updates manually – they will be monitored by your packaging system then, and updates would be installed automatically if any became available. First-time installation then is as easy as entering "yum install ext3undel" for RPMs, or "apt-get install ext3undel" for the Debian package. A clean uninstallation can be handled similarly, if necessary, using "yum remove ext3undel" resp. "apt-get remove ext3undel" (or even "apt-get remove --purge ext3undel" to also remove the configuration files).

If you cannot include the repository into your packaging system, you still can download the RPM/Debian package from there and install it manually, e.g. by issuing the command "rpm -ivh ext3undel*.rpm" resp. "dpkg -i ext3undel*.deb". This will however require you to also download and install the packages ext3undel depends on – i.e. Sleuthkit plus PhotoRec or foremost (these packages are usually contained in the repositories of most distributions, and available as sleuthkit, photorec (on RPM based systems) / testdisk (Debian/Ubuntu) and foremost – so you can install them straight ahead). Updates then can be handled the same way. A clean uninstallation can be handled by those tools as well then: "rpm -e ext3undel" resp. "dpkg -r ext3undel" or "dpkg --purge ext3undel".

Installation using make

A first precondition is to have sleuthkit and photorec or foremost installed.

As soon as those preconditions are met, download and unpack the .tar.gz archive. After changing into the directory where you unpacked the tarball, you should find a file named Makefile there. In that directory, issue the command "make install" (which will install ext3undel into the /usr/local hierarchy) or "make prefix=/usr install" (to install directly below /usr). Similarly, uninstallation can be done replacing "install" by "uninstall".

Manual installation

Only if none of the above methods work for you should you do a manual installation. The crux with this is that later on an uninstallation also has to be done manually – and you may forget some things then. However, here's what you need to do for a manual installation - after you solved the dependencies (i.e. installed sleuthkit and photorec/foremost correctly):

Variant 1

Simply unpack the .tar.gz archive to where you want the application to be. Optionally, copy the executables to something like /usr/local/bin (or link them there), since it probably will not be in your $PATH otherwise.

This is the simplest way, and uninstallation is as easy as removing the installation directory. However, the man pages won't be found if you call "man ext3undel", and some other simple things may be missing. So this method may be suited for a "first try" only.

Variant 2

Basically you will do what make install would have done for you, after unpacking the .tar.gz archive:

  • copy the executables to /usr/local/bin (or any other directory contained in your $PATH)
  • copy the manpage files (man/*) to the corresponding manpage directories (/usr/man/man?/ or /usr/local/man/man?/, replace the question mark by the number the manfile carries)

This is a complete installation, so all things should work as intended – so this variant should be preferred over the first one (but not over the package or "make" installation!).

Configuration

There is not much to do – the scripts don't really need to be configured. If you really want to configure something, you can either edit /etc/ext3undel/ext3undelrc (system wide configuration) directly, or copy it to $HOME/.ext3undel/ext3undelrc (user specific configuration) and edit there. The scripts will read the system wide configuration first, and then overwrite these settings with those defined in the user specific file (if it exists).

The settings are commented in the configuration file itself, so please see there for details.

Usage

Again, there is not that much to explain: The command line switches are few.

Basically, the package consists of three scripts:

  • ralf: used to recover a file you know the name and path of (R.A.L.F. stands for Recover A Lost File)
  • gabi: used to recover all deleted files possible to undelete on a given partition (Get All Back Immediately)
  • ext3undel: the only one you really need to remember (or forget about, if you remember the other two)

All of them support the parameter "--help" in the first place, to display their basic usage.

R.A.L.F.

ralf has one (and only one) mandatory parameter: The name of the file you want to recover. If that name starts with a slash (i.e. it reflects an absolute path, as e.g. /etc/passwd), the name is taken as-is – otherwise it is expected to be relative to the current working directory. ralf will then try to recover the file specified – for details, see here.

You may use wildcards in the file name: ? stands for a single character, * for none, one, or multiple characters (as you are used to from the shell). To give an example: r?lf.* would match "ralf.txt", "rolf.doc", etc. – but due to the dot, not "rolf".
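
The name rules from the two paragraphs above, as an added illustration (not ralf's own code): absolute names are kept, relative names are resolved against the working directory, and ? and * are matched against candidate paths. The function names and the list of deleted paths are constructed for this example.

```shell
#!/bin/sh
# Added illustration of the naming rules described above; not ralf's code.

# resolve_name NAME [CWD]
# A name starting with a slash is taken as-is; anything else is treated
# as relative to the working directory (CWD defaults to $PWD).
resolve_name() {
    case $1 in
        /*) printf '%s\n' "$1" ;;
        *)  cwd=${2:-$PWD}
            printf '%s/%s\n' "${cwd%/}" "$1" ;;
    esac
}

# select_deleted PATTERN CWD PATH...
# Resolves PATTERN against CWD, then prints every PATH it matches.
# Matching is done on strings, so the files need not exist any more.
select_deleted() {
    pattern=$(resolve_name "$1" "$2")
    shift 2
    for candidate in "$@"; do
        case $candidate in
            # Unquoted on purpose: the expansion is used as a glob pattern.
            # Unlike pathname expansion, * here may also match a slash.
            $pattern) printf '%s\n' "$candidate" ;;
        esac
    done
}

# Constructed sample: the page's r?lf.* example, called from /home/user.
demo() {
    select_deleted 'r?lf.*' /home/user \
        /home/user/ralf.txt /home/user/rolf.doc /home/user/rolf /tmp/ralf.txt
}
```

On the command line, quote a pattern such as 'r?lf.*': unquoted, the shell expands it against files that still exist in the current directory before the script ever sees it.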

If you called R.A.L.F. with a given file name, and it failed to find the iNode, you may try to call it again with the directory name only. Sometimes the iNode itself is reused while the data blocks are not yet – and you may be lucky enough that all files of the directory were using the same iNode group. It's worth a try; G.A.B.I. (or PhotoRec/foremost themselves) are still available as a last resort, to recover all possible data of the partition.

G.A.B.I.

gabi has no additional parameters – so the only thing you can pass to it is --help.

ext3undel

As of now, it is easy to decide which of the scripts you intended to run: If there is a parameter, it must be the filename – so ext3undel simply calls ralf and passes this parameter. If there is none, you meant gabi, so this will be called. Only exception: There is a parameter, but it is --help – so ext3undel simply displays some basic help.
