Does ext3grep work on ext4?

Question

Does ext3grep work on ext4?

It is recommended in https://unix.stackexchange.com/a/237142/674 and https://askubuntu.com/a/217632/.
In the first link, its option to specify the time window of deletion by --after and --before seems useful to screen out a lot of nontarget files.

ext3grep /dev/sda3 --restore-all --after date -d '2015-01-01 00:00:00' '+%s' --before `date -d ‘2015-01-02 00:00:00’ ‘+%s’

Does it forget to put the two date .. '+%s' inside $()?

Where will it store the output files?

Will it recover files that have been deleted or also files that still exist? The latter are nontarget files.

Does --restore-file specify the original relative pathname of the lost file with respect to the partition?

  --restore-file path

       Will restore file path. path is relative to root of the partition and does not start with a '/' (it must be one  of  the  paths  returned  by  --dump-names).  The
       restored directory, file or symbolic link is created in the current directory as ./path.

If I know my lost file is a pdf file, its filename (can be the same filename with other existing and deleted files) and pathname, and the time window when it became lost, what are the best options to use ext3grep?

---

update

I managed to boot into a bootable flash drive, so my disk /home isn't mounted. Does ext3grep not work on my ext4 filesystem?

$ ext3grep /dev/sda4 --restore-all --after `date -d '2020-01-26 13:00:00' '+%s'` --before `date -d '2020-01-26 14:00:00' '+%s'`
Running ext3grep version 0.10.2
Only show/process deleted entries if they are deleted on or after Sun Jan 26 13:00:00 2020 and before Sun Jan 26 14:00:00 2020.

ext3grep: failed to read-only open device "/dev/sda4": Permission denied

$ sudo ext3grep /dev/sda4 --restore-all --after `date -d '2020-01-26 13:00:00' '+%s'` --before `date -d '2020-01-26 14:00:00' '+%s'`
Running ext3grep version 0.10.2
Only show/process deleted entries if they are deleted on or after Sun Jan 26 13:00:00 2020 and before Sun Jan 26 14:00:00 2020.

WARNING: I don't know what EXT3_FEATURE_COMPAT_EXT_ATTR is.
ext3grep: ext3grep.cc:119: void run_program(): Assertion `be2le(journal_super_block.s_header.h_magic) == 0xc03b3998U' failed.
Aborted

Thanks.

Answer 1

ext3grep was last updated ten years ago, and it lacks support for many features added to Ext3 and Ext4 since then. You can still try it, it won’t do anything on a file system using features which it doesn’t understand.

Does it forget to put the two date .. '+%s' inside $()?

Yes, I fixed the original.

Where will it store the output files?

As indicated in the help output, it stores output files in a RESTORED_FILES directory under the current directory, recreating the full path as necessary.

Will it recover files that have been deleted or also files that still exist? The latter are nontarget files.

That’s not clear from the help text or from a quick read of the tutorial, but it looks like ext3grep can be used to extract anything. However --ls, --dump-names etc. appear to only list deleted files, so it’s likely that the default is to only consider deleted files.

Does --restore-file specify the original relative pathname of the lost file with respect to the partition?

Yes.

what are the best options to use ext3grep?

--accept to specify the file name, --after and --before to limit the time window.