# Course #169: Data Recovery with extundelete
## Section 1: Installation & Configuration on Kali Linux
### Overview
In this section, we will explore extundelete, a command-line utility that recovers deleted files from ext3 and ext4 file systems by reading file system metadata and the journal. This course is designed both for beginners who are new to data recovery and for experienced pentesters looking to expand their toolkit. We will cover installation, the few settings that matter, and practical usage, alongside real-world scenarios where the tool can be crucial during an engagement.
### Installation of extundelete
Before diving into usage, let's start with installation. extundelete is packaged in the Kali (and Debian) repositories, but it is not part of the default Kali installation, so check for it and install it if it is missing.
#### Step 1: Update Your Package List
Open your terminal and update your package lists to ensure you have the latest information:
```bash
sudo apt update
```
#### Step 2: Install extundelete
To install extundelete, use the following command:
```bash
sudo apt install extundelete
```
#### Step 3: Verify Installation
After installation, you can verify that extundelete is installed correctly by checking its version:
```bash
extundelete --version
```
You should see a line such as `extundelete version 0.2.4` (the exact number depends on the package in your repository).
### Configuration
extundelete has no configuration file, but a few operational settings decide whether a recovery succeeds or destroys the evidence you are trying to save:
- Run it as root. Reading a raw block device such as `/dev/sdXn` requires that level of access.
- The target file system must be unmounted, or at least mounted read-only. Every write after the deletion (including log entries and temporary files) can reuse the freed blocks.
- Recovered files are written to `RECOVERED_FILES` under the current working directory by default. Never let that directory land on the partition being scanned; either change into a directory on another file system first or pass `--output-dir /path/on/another/fs`.
- When the data matters, image the partition first (`dd` or `ddrescue`) and run extundelete against the image file instead of the live device. extundelete accepts a plain image file wherever a device is expected.
### Basic Usage
The usage of extundelete primarily revolves around its command-line interface. Let’s explore the basic commands and their options.
#### Key Commands
1. **Recover Deleted Files**
To recover deleted files from a specific partition, unmount it first (or remount it read-only if unmounting is impossible):
```bash
sudo umount /dev/sdXn
```
Replace `/dev/sdXn` with the appropriate device identifier. Once unmounted, you can attempt to restore every file extundelete can still find:
```bash
sudo extundelete /dev/sdXn --output-dir /mnt/usb/recovered --restore-all
```
This command attempts to restore all deleted files on the specified partition into the output directory, which must be on a different file system. Without `--output-dir`, files go to `RECOVERED_FILES` in the current directory.
2. **Recover Specific Files**
If you know which file you want back, you can name it. The path is relative to the root of the file system being scanned, not to the mount point, so there is no leading slash:
```bash
sudo extundelete /dev/sdXn --restore-file path/to/deleted/file
```
Replace `path/to/deleted/file` with the file path you want to recover (for a file that lived at `/mnt/data/etc/app.conf` on a partition mounted at `/mnt/data`, pass `etc/app.conf`). A whole directory tree can be restored the same way with `--restore-directory path/to/dir`, and `--after` / `--before` (taking a Unix timestamp) limit recovery to files deleted inside a time window.
3. **View Deleted Files**
extundelete has no dedicated listing flag. To see which names have been deleted without restoring anything, dump a directory inode; inode 2 is always the root directory of the file system:
```bash
sudo extundelete /dev/sdXn --inode 2
```
The output lists each directory entry with its inode number and a `Deleted` marker where applicable. Use the inode number of a subdirectory with `--inode` again to descend into it.
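The three commands above are usually typed by hand under pressure, which is exactly when people run extundelete against a read-write mount or restore files onto the partition they are scanning. The following wrapper, an added example and not part of extundelete, enforces the preconditions first: it requires root, refuses a read-write mounted device, strips the leading slash that `--restore-file` does not accept, and forces an explicit `--output-dir`. The device path `/dev/sdb1` and the output directory `/mnt/usb/recovered` in the usage line are placeholders; the mount-table argument of `mount_state` exists only so the check can be exercised against a constructed table.

```sh
#!/bin/sh
# recover.sh: guarded front-end for extundelete (added example; not extundelete's own code).
# Usage: sudo sh recover.sh DEVICE OUTDIR [path/relative/to/fs/root]
#   sudo sh recover.sh /dev/sdb1 /mnt/usb/recovered                  # restore everything
#   sudo sh recover.sh /dev/sdb1 /mnt/usb/recovered /etc/ssh/sshd_config
set -eu

# --restore-file expects a path relative to the root of the scanned file system,
# so drop a leading "/" or "./" that a user is likely to type.
normalize_restore_path() {
    p=$1
    p=${p#/}
    p=${p#./}
    printf '%s\n' "$p"
}

# Print "none", "ro" or "rw" for DEVICE according to the mount table in $2
# (defaults to /proc/self/mounts; a file path is accepted so this is testable offline).
mount_state() {
    awk -v d="$1" '
        $1 == d {
            state = "rw"
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == "ro") state = "ro"
        }
        END { print (state == "" ? "none" : state) }
    ' "${2:-/proc/self/mounts}"
}

# Build the exact command line that main() will run, for logging and dry runs.
build_cmd() {
    dev=$1; outdir=$2; target=${3:-}
    if [ -z "$target" ]; then
        printf 'extundelete %s --output-dir %s --restore-all\n' "$dev" "$outdir"
    else
        printf 'extundelete %s --output-dir %s --restore-file %s\n' \
            "$dev" "$outdir" "$(normalize_restore_path "$target")"
    fi
}

main() {
    dev=$1; outdir=$2; target=${3:-}
    [ "$(id -u)" -eq 0 ] || { echo "must run as root to read $dev" >&2; exit 1; }
    [ -b "$dev" ] || [ -f "$dev" ] || { echo "$dev: not a block device or image file" >&2; exit 1; }
    case "$(mount_state "$dev")" in
        rw) echo "$dev is mounted read-write; umount it or 'mount -o remount,ro' first" >&2; exit 1 ;;
        ro) echo "note: $dev is mounted read-only; unmounting is still safer" >&2 ;;
    esac
    # The output directory is mandatory so that nothing is ever written into the
    # default ./RECOVERED_FILES, which may sit on the very partition being scanned.
    mkdir -p "$outdir"
    echo "running: $(build_cmd "$dev" "$outdir" "$target")"
    if [ -z "$target" ]; then
        extundelete "$dev" --output-dir "$outdir" --restore-all
    else
        extundelete "$dev" --output-dir "$outdir" --restore-file "$(normalize_restore_path "$target")"
    fi
}

# Only act when invoked with arguments, so the functions can be sourced or tested.
if [ "$#" -ge 2 ]; then
    main "$@"
fi
```

The read-only case is left as a warning rather than an error because a remount-ro is sometimes the only option on a live system, but the kernel can still touch the journal on a read-only ext4 mount, so an unmounted device (or an image of it) remains the safe choice.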
### Real-World Use Cases
Understanding when and how to use extundelete can make a significant difference, especially in a pentesting environment. Here are a few scenarios:
#### Scenario 1: Accidentally Deleted Files During Pen Testing
Imagine you're conducting a pentest on a client's system and, during your analysis, you accidentally delete a configuration file or a piece of sensitive data you were supposed to leave untouched. Stop writing to that partition immediately, unmount it or remount it read-only, and run extundelete from a working directory on another file system with `--output-dir` pointing away from the affected partition. Recovering the file this way saves time and keeps the engagement within its agreed scope, since the client's data is restored rather than lost.
#### Scenario 2: Recovering Files After a System Crash
If files are lost after a system crash, a botched cleanup script, or an `rm` typed in the wrong directory, extundelete can often bring them back as long as their blocks have not been reused. This is especially valuable for notes, captures, and draft reports that need to be delivered after the engagement and have no other backup.
### Detailed Technical Explanations
1. **How extundelete Works**
extundelete operates by reading file system metadata rather than the raw disk. When a file is deleted from an ext3 or ext4 file system, its data blocks are not wiped; the kernel marks the inode and the blocks as free and hides the directory entry, so the content stays on disk until something else is written over it. extundelete uses that window to reconnect the surviving metadata with the surviving data.
2. **Inodes and Data Blocks**
In Linux file systems, every file is represented by an inode, which holds the file's size, timestamps, permissions, and the map of data blocks (block pointers on ext3, an extent tree on ext4). File names are not stored in the inode but in directory entries that point to it. On unlinking, ext3 and ext4 clear the block map in the on-disk inode, which is why a simple inode scan is not enough: extundelete searches the file system journal for an earlier copy of the inode that still carries the block map, and reads the old directory blocks to recover the name. If the journal has already wrapped around, the file may only be recoverable as an anonymous `file.<inode>` entry, or not at all.
3. **File System Activity**
For successful recovery, minimize file system activity on the affected partition. Every write after the deletion, including log lines, package updates, and the temporary files of the recovery tool itself, can reuse the freed blocks or push the needed inode copy out of the journal, making recovery partial or impossible. The same rule applies to the recovered output: write it to a different file system.
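The best way to see the block-reuse failure mode is to practise on a disposable image rather than on a real disk. The script below is an added example and not part of extundelete: it builds a small ext4 image on a loop device, writes a few constructed sample files, deletes them, unmounts, runs extundelete against the image file, and verifies every recovered file against the original by SHA-256. With `FILL=1` it fills the file system after the deletion, which is the scenario the paragraph above warns about. The paths under `/tmp` are assumptions and can be overridden through the environment; building and recovering require root, `mkfs.ext4`, and `extundelete`, while `verify_recovered` works on any two directories.

```sh
#!/bin/sh
# extundelete-lab.sh: disposable ext4 image for practising recovery (added example; not extundelete code).
# Usage: sudo sh extundelete-lab.sh run            # delete, recover, verify
#        sudo FILL=1 sh extundelete-lab.sh run     # same, but overwrite freed blocks first
set -eu

IMG=${IMG:-/tmp/lab.img}            # assumed paths; override via environment
MNT=${MNT:-/tmp/lab-mnt}
ORIG=${ORIG:-/tmp/lab-orig}
OUT=${OUT:-/tmp/lab-recovered}

# Compare every regular file under $1 with the same relative path under $2 by SHA-256.
# Returns 0 when everything matches, 1 otherwise, printing each problem. This is the
# same check you would run on real recovered data against a known-good copy.
# (File names containing whitespace are not handled; the lab does not create any.)
verify_recovered() {
    orig=$1; rec=$2; bad=0
    for f in $(cd "$orig" && find . -type f | sed 's|^\./||'); do
        if [ ! -f "$rec/$f" ]; then
            echo "MISSING  $f"; bad=1; continue
        fi
        a=$(sha256sum "$orig/$f" | cut -d' ' -f1)
        b=$(sha256sum "$rec/$f" | cut -d' ' -f1)
        if [ "$a" != "$b" ]; then
            echo "MISMATCH $f"; bad=1
        fi
    done
    return $bad
}

lab_build() {
    rm -rf "$ORIG" "$OUT"
    mkdir -p "$ORIG/etc/ssh" "$MNT"
    # Constructed sample content: a text file and 1 MiB of random binary data.
    printf 'PermitRootLogin no\nPasswordAuthentication no\n' > "$ORIG/etc/ssh/sshd_config"
    head -c 1048576 /dev/urandom > "$ORIG/evidence.bin"

    truncate -s 64M "$IMG"
    mkfs.ext4 -q -F "$IMG"
    mount -o loop "$IMG" "$MNT"
    cp -a "$ORIG/." "$MNT/"
    sync
    rm -rf "$MNT/etc" "$MNT/evidence.bin"      # the "accidental" deletion
    if [ "${FILL:-0}" = 1 ]; then
        # Failure mode: new writes reuse freed blocks. Filling the file system
        # after the delete overwrites the data extundelete would have recovered.
        dd if=/dev/zero of="$MNT/fill" bs=1M 2>/dev/null || true
        rm -f "$MNT/fill"
    fi
    sync
    umount "$MNT"       # never run extundelete against a writable mount
}

lab_recover() {
    # The image file stands in for /dev/sdXn. --output-dir keeps the restored
    # data off the file system being scanned (the default is ./RECOVERED_FILES).
    extundelete "$IMG" --output-dir "$OUT" --restore-all
    if verify_recovered "$ORIG" "$OUT"; then
        echo "all deleted files recovered intact"
    else
        echo "recovery incomplete (expected when FILL=1)"
    fi
}

if [ "${1:-}" = run ]; then
    lab_build
    lab_recover
fi
```

Run it twice, once plain and once with `FILL=1`, and compare the two verification reports: the second run shows how little survives once freed blocks are reused, which is the practical argument for unmounting immediately and for imaging the partition before touching it.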
### External References
For further reading and deeper technical knowledge about extundelete, consider the following references:
- [extundelete Documentation](http://extundelete.sourceforge.net/)
- [Linux Ext4 File System](https://www.kernel.org/doc/Documentation/filesystems/ext4.txt)
- [File Recovery Techniques](https://www.digitalforensics.com/file-recovery)
### Command Summary
```bash
# Install extundelete
sudo apt update
sudo apt install extundelete
# Verify installation
extundelete --version
# Unmount the partition (or: sudo mount -o remount,ro /dev/sdXn)
sudo umount /dev/sdXn
# Recover all deleted files into a directory on another file system
sudo extundelete /dev/sdXn --output-dir /mnt/usb/recovered --restore-all
# Recover a specific file (path relative to the file system root, no leading slash)
sudo extundelete /dev/sdXn --output-dir /mnt/usb/recovered --restore-file path/to/deleted/file
# List directory entries of the root directory (inode 2); deleted ones are marked
sudo extundelete /dev/sdXn --inode 2
```
---
In this section, we have covered installation, the operational precautions that decide whether a recovery works, and the practical steps for using extundelete in real-world scenarios. With this tool in your pentesting arsenal and the discipline to stop writing to an affected partition, you can recover data that would otherwise be lost during an assessment.
---
Made by pablo rotem / פבלו רותם