Ext4 Rewind

Ext4 Rewind is a crude attempt to automate deleted file analysis and recovery from ext4 file-systems.

The underlying logic is likely not that different from related tools.

However, going through the process manually is insightful for understanding how deleted files could be recovered.

  1. Requirements
  2. Disclaimer
  3. Commands
  4. References

Requirements

Ext4 Rewind is built on top of the sleuthkit command line tools.

A fork of sleuthkit is currently required until this issue is resolved upstream.

Disclaimer

This code is crude, uncommented, makes a variety of assumptions about ext4 features/flags, and relies on the output format of sleuthkit tools (which is far from a stable API).

Commands

journal

The journal command will print journal commit blocks in chronological order.

$ ./ext4rewind.py image.ext4 journal

The journal command is similar to the sleuthkit jls command.

inode

The inode command will print the inode block for the specified inode number.

$ ./ext4rewind.py image.ext4 inode 131074 | hexdump -Cv

The ext4inode.py script will display an inode in a human-readable format.

$ ./ext4rewind.py image.ext4 inode 131074 | ./ext4inode.py

The inode command with ext4inode.py is similar to the sleuthkit istat command.

The --timestamp option will print the inode block for the specified inode number as it was at the specified timestamp, reconstructed from the content of the journal.

$ ./ext4rewind.py image.ext4 --timestamp 2020-08-12T18:20:20Z inode 131074 | ./ext4inode.py

This works by iterating over the journal chronologically, looking for journal entries whose block number matches the block that holds that inode.

blocks

The blocks command will print the content of the specified data block numbers.

$ ./ext4rewind.py image.ext4 blocks 532513 532583-532584 | hexdump -Cv

The ext4dir.py script will display directory entries in a human-readable format.

$ ./ext4rewind.py image.ext4 blocks 532513 532583-532584 | ./ext4dir.py

The blocks command with ext4dir.py is similar to the sleuthkit fls command.
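As an added illustration (not code from the ext4rewind project), the following Python parser decodes the ext4_dir_entry_2 records that ext4dir.py renders and also carves names that an unlink left behind in rec_len slack, which is why deleted filenames can still be read from a directory block; the 64-byte sample block is constructed inline.

```python
import struct
from typing import Dict, List, Optional
# ext4_dir_entry_2 header: inode (le32), rec_len (le16), name_len (u8), file_type (u8)
HDR = struct.Struct("<IHBB")

def entry_at(block: bytes, off: int) -> Optional[Dict]:
    """Decode the entry at `off`, or None if the header is not plausible (also used for carving)."""
    if off + HDR.size > len(block):
        return None
    inode, rec_len, name_len, ftype = HDR.unpack_from(block, off)
    if inode == 0 or rec_len < 12 or rec_len % 4 or off + rec_len > len(block) or HDR.size + name_len > rec_len:
        return None
    name = block[off + HDR.size: off + HDR.size + name_len]
    if not name or any(b < 0x20 or b == 0x2F for b in name):  # reject control bytes and '/'
        return None
    return {"offset": off, "inode": inode, "rec_len": rec_len, "type": ftype,
            "name": name.decode("latin-1"), "deleted": False}

def parse_dir_block(block: bytes) -> List[Dict]:
    """Walk the live rec_len chain, then carve unlinked entries left in each entry's slack."""
    entries, off = [], 0
    while off + HDR.size <= len(block):
        _, rec_len, name_len, _ = HDR.unpack_from(block, off)
        if rec_len < HDR.size or rec_len % 4 or off + rec_len > len(block):
            break  # broken chain: stop rather than loop forever
        live = entry_at(block, off)
        if live:
            entries.append(live)
        # ext4 unlink does not wipe an entry: the previous entry's rec_len is extended over it,
        # so bytes between this entry's real size (rounded up to 4) and off + rec_len are slack.
        scan = off + ((HDR.size + name_len + 3) & ~3)
        while scan + HDR.size <= off + rec_len:
            ghost = entry_at(block, scan)
            if ghost:
                ghost["deleted"] = True
                entries.append(ghost)
                scan += ghost["rec_len"]
            else:
                scan += 4
        off += rec_len
    return entries

def make_entry(inode: int, rec_len: int, name: bytes, ftype: int) -> bytes:
    return (HDR.pack(inode, rec_len, len(name), ftype) + name).ljust(rec_len, b"\x00")
# Constructed 64-byte directory block holding ".", "..", "foo.txt" and "bar.txt" ...
_blk = bytearray(make_entry(2, 12, b".", 2) + make_entry(2, 12, b"..", 2)
                 + make_entry(12, 16, b"foo.txt", 1) + make_entry(13, 24, b"bar.txt", 1))
# ... then foo.txt is unlinked the way ext4 does it: ".." (offset 12) now claims 28 bytes.
struct.pack_into("<H", _blk, 12 + 4, 28)
SAMPLE_BLOCK = bytes(_blk)
```

Running parse_dir_block on SAMPLE_BLOCK yields ".", "..", "foo.txt" flagged as deleted (inode 12, still readable at offset 24) and "bar.txt".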

The --timestamp option will print the content of the specified data block numbers as they were at the specified timestamp, reconstructed from the content of the journal.

$ ./ext4rewind.py image.ext4 --timestamp 2020-08-12T18:20:20Z blocks 532513 532583-532584 | ./ext4dir.py

This works by iterating over the journal chronologically, looking for journal entries that match the requested block numbers.

The ext4extent.py script will display extent index nodes in a human-readable format.

$ ./ext4rewind.py image.ext4 --timestamp 2020-08-12T18:20:27Z blocks 558590 | ./ext4extent.py

dir

The dir command will display the history of directory entries in a human-readable format for the specified inode number.

$ ./ext4rewind.py image.ext4 dir 131074

The optional filename argument will filter the directory entries by filename pattern.

$ ./ext4rewind.py image.ext4 dir 131074 .*foo.*

References

About

Scripts for ext4 file-system analysis and deleted file recovery
