.TH EXT3GREP 8 "2008-09-14" "0.8.0" "recover files on ext3 filesystems"

.SH NAME
ext3grep \- ext3 file recovery tool

.SH SYNOPSIS
\fBext3grep\fR [\fIOPTIONS\fR] \fIFILE\fR \&...

.SH DESCRIPTION
ext3grep is a simple tool intended to aid anyone who accidentally deletes a file on an ext3 filesystem, only to find that they wanted it shortly thereafter.

.SH OPTIONS
.IP "\fB\-\-superblock\fR" 4
Print contents of superblock in addition to the rest. If no action is specified then this option is implied.
.IP "\fB\-\-print\fR" 4
Print contents of block or inode, if any.
.IP "\fB\-\-ls\fR" 4
Print directories, one line per entry. See the \fBFILTERS\fR section for details on filtering this output.
.IP "\fB\-\-accept\fR \fIFILE\fR" 4
Accepts 'file' as a legal filename. Can be used multiple times. If you change any \fB\-\-accept\fR you must remove BOTH stage* files!
.IP "\fB\-\-journal\fR" 4
Prints the contents of the journal.
.IP "\fB\-\-show\-path\-inodes\fR" 4
Show the inode of each directory component in paths.
.PP
.SS "Filters:"
.IP "\fB\-\-group\fR \fIgid\fR" 4
Only show/process files owned by process group \fIgid\fR.
.IP "\fB\-\-directory\fR" 4
Only show/process process directory inodes.
.IP "\fB\-\-after\fR \fIdtime\fR" 4
Only show/process entries deleted on or after \fIdtime\fR.
.IP "\fB\-\-before\fR \fIdtime\fR" 4
Only show/process entries deleted before \fIdtime\fR.
.IP "\fB\-\-deleted\fR" 4
Only show/process deleted entries.
.IP "\fB\-\-allocated\fR" 4
Only show/process allocated inodes/blocks.
.IP "\fB\-\-unallocated\fR" 4
Only show/process unallocated inodes/blocks.
.IP "\fB\-\-reallocated\fR" 4
Do not suppress entries with reallocated inodes. Inodes are considered 'reallocated' if the entry is deleted but the inode is allocated, but also when the file type in the dir entry and the inode are different.
.IP "\fB\-\-zeroed\-inodes\fR" 4
Do not suppress entries with zeroed inodes. Linked entries are always shown, regardless of this option.
.IP "\fB\-\-depth\fR depth"
Process directories recursively up till a depth of 'depth'.
.PP
.SS "Actions:"
.IP "\fB\-\-inode\-to\-block\fR \fIinode_num\fR" 4
Print the block that contains inode \fIinode_num\fR.
.IP "\fB\-\-inode\fR \fIinode_num\fR" 4
Show info on inode \fIinode_num\fR. If \fB\-\-ls\fR is used and the inode is a directory, then the filters apply to the entries of the directory. If you do not use \fB\-\-ls\fR then \fB\-\-print\fR is implied.
.IP "\fB\-\-block\fR \fIblock_num\fR" 4
Show info on block \fIblock_num\fR. If \fB\-\-ls\fR is used and the block is the first block of a directory, then the filters apply to entries of the directory. If you do not use \fB\-\-ls\fR then \fB\-\-print\fR is implied.
.IP "\fB\-\-histogram\fR=[\fIatime\fR|\fIctime\fR|\fImtime\fR|\fIdtime\fR|\fIgroup\fR]" 4
Generate a histogram based on the given specs. Using atime, ctime or mtime will change the meaning of \fB\-\-after\fR and \fB\-\-before\fR to those times.
.IP "\fB\-\-journal\-block\fR \fIblock_num\fR" 4
Show info on journal block \fIblock_num\fR.
.IP "\fB\-\-journal\-transaction\fR \fIseq\fR" 4
Show info on transaction with sequence number \fIseq\fR.
.IP "\fB\-\-dump\-names\fR" 4
Write the paths of files to stdout. This implies \fB\-\-ls\fR but suppresses its output.
.IP "\fB\-\-search\-start\fR \fIstr\fR" 4
Find blocks that start with the fixed string \fIstr\fR.
.IP "\fB\-\-search\fR \fIstr\fR" 4
Find blocks that contain the fixed string \fIstr\fR.
.IP "\fB\-\-search\-inode\fR \fIblock_num\fR" 4
Find inodes that refer to block \fIblock_num\fR.
.IP "\fB\-\-search\-zeroed\-inodes\fR" 4
Return allocated inode table entries that are zeroed.
.IP "\fB\-\-inode\-dirblock\-table\fR \fIdir\fR" 4
Print a table for directory path \fIdir\fR of directory block numbers found and the inodes used for each file.
.IP "\fB\-\-show\-journal\-inodes\fR \fIinode_num\fR" 4
Show copies of inode \fIinode_num\fR still in the journal.
.IP "\fB\-\-restore\-file\fR \fIpath\fR" 4
Will restore file \fIpath\fR. \fIpath\fR is relative to root of the partition and does not start with a '/' (it must be one of the paths returned by \fB\-\-dump\-names\fR). The restored directory, file or symbolic link is created in the current directory as ./\fIpath\fR.
.IP "\fB\-\-restore\-all\fR" 4
As \fB\-\-restore\-file\fR but attempts to restore everything. The use of \fB\-\-after\fR is highly recommended because the attempt to restore very old files will only result in them being hard linked to a more recently deleted file and as such pollute the output.
.IP "\fB\-\-show\-hardlinks\fR" 4
Show all inodes that are shared by two or more files.
.IP "\fB\-\-version\fR, \fB\-[vV]\fR" 4
Prints the version information and exits.
.IP "\fB\-\-help\fR," 4
Prints a help message and exits.

.SH EXAMPLES
\fBRestoring all files from the ext3 partition/file /backup/sda1:\fR
.nf
ext3grep \-\-restore-all /backup/sda1
.fi
\fBListing the files owned by GID 1000 on /backup/sda1:\fR
.nf
ext3grep \-\-ls \-\-group 1000 /backup/sda1
.fi
\fBFinding all files containing the string Critical_report in their name on /backup/sda1:\fR
.nf
ext3grep \-\-dump-names /backup/sda1 | grep 'Critical_report'
.fi

.SH LIMITATIONS
Do not attempt to use ext3grep for recovery from a mounted filesystem. Ever.
.PP
No, not even then.
.PP
ext3grep sometimes runs out of memory spare on 32-bit architectures and crashes. It is highly recommended that you run ext3grep in a 64-bit environment when dealing with large filesystems, though this is seen as a bug.
.PP
ext3grep cannot recover files if there are no remnants of them.
.PP
Some files that ext3grep recovers may have trailing null bytes - just scrape them off like the burnt bits on toast.

.SH SEE ALSO
\fIdebugfs\fR(8)

.SH AUTHOR
ext3grep was written by Carlo Wood <\fIcarlo@alinoe.com\fR>.
.PP
This manual page was written by Rich Ercolani <\fIrercola@acm.jhu.edu\fR>, for the Debian project (but may be used by others). It may be distributed under the same terms as ext3grep, the GNU General Public License, either version 2 or (at your option) any later version.