ext3grep – Recover Deleted Files on Debian and Ubuntu

ext3grep is a simple program for recovering files on an EXT3 filesystem. It is an investigation and recovery tool that is useful in forensics investigations. It helps to show information about files that existed on a partition and also recover accidentally deleted files.

In this article, we will demonstrate a useful trick, that will help you to recover accidentally deleted files on ext3 filesystems using ext3grep in Debian and Ubuntu.

Testing Scenario

  • Device name: /dev/sdb1
  • Mount point: /mnt/TEST_DRIVE
  • Filesystem type: EXT3

How to Recover Deleted Files Using ext3grep Tool

To recover deleted files, first you need to install ext3grep program on your Ubuntu or Debian system using APT package manager as shown.

$ sudo apt install ext3grep

Once installed, now we will demonstrate how to recover deleted files on a ext3 filesystem.

First, we will create some files for testing purpose in the mount point /mnt/TEST_DRIVE of the ext3 partition/device i.e. /dev/sdb1 in this case.

$ cd /mnt/TEST_DRIVE
$ sudo touch files[1-5]
$ ls -l
Create Files in Mount Point
Create Files in Mount Point

Now we will remove one file called file5 from the mount point /mnt/TEST_DRIVE of the ext3 partition.

$ sudo rm file5
Remove a File in Linux
Remove a File in Linux

Now we will see how to recover deleted file using ext3grep program on the targeted partition. First, we need to unmount it from the mount point above (note that you have to use cd command to switch to another directory for the unmount operation to work, otherwise the umount command will show the error “that target is busy“).

$ cd
$sudo umount /mnt/TEST_DRIVE

Now that we have deleted one of the files (which we’ll assume was done accidentally), to view all the files that existed in the device, run the --dump-name option (replace /dev/sdb1 with the actual device name).

$ ext3grep --dump-name /dev/sdb1
View Files on Partition
View Files on Partition

To recover the above deleted file i.e. file5, we use the --restore-all option as shown.

$ ext3grep --restore-all /dev/sdb1

Once the recovery process is complete, all recovered files will be written to the directory RESTORED_FILES, you can check if the deleted file is recovered or not.

$ cd RESTORED_FILES
$ ls 
Recover a Deleted File
Recover a Deleted File

We may specify a particular file to recover, for example the file called file5 (or specify the full path of the file within the ext3 device).

$ ext3grep --restore-file file5 /dev/sdb1 
OR
$ ext3grep --restore-file /path/to/some/file /dev/sdb1 

In addition, we can also restore files within a given period of time. For example, simply specify the correct date and time frame as shown.

$ ext3grep --restore-all --after `date -d 'Jan 1 2019 9:00am' '+%s'` --before `date -d 'Jan 5 2019 00:00am' '+%s'` /dev/sdb1 

For more information, see the ext3grep man page.

$ man ext3grep

That’s it! ext3grep is a simple and useful tool to investigate and recover deleted files on an ext3 filesystem. It is one of the the best programs to recover files on Linux. If you have any questions or any thoughts to share, reach us via the feedback form below.

Hey TecMint readers,

Exciting news! Every month, our top blog commenters will have the chance to win fantastic rewards, like free Linux eBooks such as RHCE, RHCSA, LFCS, Learn Linux, and Awk, each worth $20!

Learn more about the contest and stand a chance to win by sharing your thoughts below!

Aaron Kili
Aaron Kili is a Linux and F.O.S.S enthusiast, an upcoming Linux SysAdmin, web developer, and currently a content creator for TecMint who loves working with computers and strongly believes in sharing knowledge.

Each tutorial at TecMint is created by a team of experienced Linux system administrators so that it meets our high-quality standards.

Join the TecMint Weekly Newsletter (More Than 156,129 Linux Enthusiasts Have Subscribed)
Was this article helpful? Please add a comment or buy me a coffee to show your appreciation.

16 Comments

Leave a Reply
  1. LinuxMint 17 Laptop has 2 partitions Win7 and Linux Mint which I use 99% of time.

    Have installed ext3grep from Software Manager, and it says installed. But I cannot find to open. How to find?

    How do I tell if If I have ext3?

    Can I limit a search (when I get it working) to look for only .pdf after a certain date says Jan 3, 2020? Can I tell it to look at subfolders in ‘Documents‘ directory?

    Note: the pdf’s I am looking for were downloaded into ‘Downloads‘ directory and then cut/copy to a Documents subfolder, and then alas deleted in error!

    Reply
    • @Charles

      Open a terminal window and try to type a few characters of the command then press [Tab]:

      $ ext3[Tab completion]
      

      Follow the instructions in the guide to restore lost files.

      Reply
    • “But I cannot find to open. How to find?”
      Use Find Files/folders tool.

      “How do I tell if If I have ext3?”
      Use GParted or some other partition editor to view your disk.

      “Can I limit a search …….”
      Find FIles/Folders tool has options for the file type (.PDF), date range (before 1/3/2020) and where to search (Documents).
      However, I would suggest that you search your entire /home directory. Inadvertently you could have copied those files to any directory.

      Reply
  2. Good program to recover accidentally deleted files at the moment.

    In another case it is best to turn off the computer and use Caine Linux that mounts the partitions in read-only mode and include: Photorec, Test disk and other tools.

    Reply
  3. Hi

    Very interesting, I lost a one TB HD content 80% full with pics, which were not yet saved. Can I use the system described above despite I have ext4 and NOT ext3?

    Reply
  4. This article is interesting not so much because of what it does or how to use it. This article is vital as a use case for the shred(1) program. If you want to ensure that the information in a file is really gone, then shred it prior to running it.

    Reply
  5. It sounds like a great piece of software. Unfortunately, the Linux world has moved on from ext3 to ext4, jfs, xfs, btrfs, etc making ext3grep obsolete and outdated. To handle all those diverse file systems, PhotoRec is much preferred.

    Reply
  6. Given scenario is NOT a test.

    It is common beginners attempt. Let’s take the easiest approach. It can’t be considered as base for any approval.

    Reply
    • @Kacper

      This is a simply a basic guide prepared to get a beginner started with using ext3grep. So the provided scenario is a basic use/test case.

      Reply
    • Agreed… Try deleting some files, then writing to the filesystem several times or hours later when logs have been updated, and then try to restore the files.

      Tools like this have existed for as long as Linux/Unix has been around and they all fall short of the inevitable.

      Better to just watch what you are doing :-D.
      Joe

      Reply

Got Something to Say? Join the Discussion...

Thank you for taking the time to share your thoughts with us. We appreciate your decision to leave a comment and value your contribution to the discussion. It's important to note that we moderate all comments in accordance with our comment policy to ensure a respectful and constructive conversation.

Rest assured that your email address will remain private and will not be published or shared with anyone. We prioritize the privacy and security of our users.