Frequently Asked Questions about ext3undel

Can ext3undel really recover all deleted files?

To some degree. Due to the concept of the ext3 file system, it's not that easy as e.g. with FAT - where files are only "marked" deleted. With ext3, deleting a file destroys the connection between the metadata (name, size, location, etc.) and the real data. Both are stored in different iNodes. So the only chances we have here are:

• hope the data are not yet overwritten (in both places, metadata and real data) - otherwise we are always lost
• hope the file type is supported by our tools (see below)
• restrict the search: iNodes are grouped, so by the group we can tell which iNodes we have to scan
• hope the file was not "fragmented" (otherwise we won't get the full file back)

Just to mention the main things. So you cannot lean back and say: Don't worry. Chances are not at 100%. To increase chances for recovery, best is to make the affected drive r/o as soon as possible, create a raw copy, and try to recover from that copy. That's what forensics do - and except of the r/o, that's also how ext3undel works.

What file types are supported?

That depends very much of what tools you use with ext3undel. As you can read in the documentation, ext3undel supports foremost as well as PhotoRec. As shipped, foremost supports about 20 different file types, while PhotoRec support some 200. For a list, see the files trunk/filetypes.foremost and filetypes.photorec.

Why do the recovered files have such cryptic names?

That's again due to the concept of the ext3 file system as described above. Metadata - and the file names belong to these - are stored independently from the real data. As you deleted the file, the connection is lost - so there's no way to tell the file name belonging to the restored data. That's why the used tools - foremost as well as PhotoRec - use these cryptic filenames. In the end, you still have to check/rename all restored files manually, sorry.