This software contains scripts that aid in recovering deleted files from ext2/ext3 file systems. It provides a practical solution to retrieve accidentally deleted data.
Ext2/ext3 file systems store metadata, including the file name, size, and creation/modification date, within "iNodes" along with the location in which file system blocks store the real data. When files are deleted, the connection between the iNode and data blocks is severed, and both the iNode and data blocks are marked as 'free,' although the information remains until it is overwritten. This is where tools like PhotoRec or foremost come in, enabling the scanning of free blocks for file 'signatures' to recover data.
While these tools can restore the data, they cannot recover the original file name accurately, meaning that everything is retrieved simultaneously, or nothing at all. For large disks, the restore process can take hours to sort, recovering many files. However, iNodes are grouped, and each group keeps specific data blocks, meaning that systems such as R.A.L.F. can limit file restoration by interrogating iNodes to restrict the restore process to specific groups of blocks.
Sleuthkit aids R.A.L.F., with fls executable listing all iNodes complete with Metadata, and fsstat listing iNode groups and their data blocks. Dls extracts the requisite data blocks from the file system, storing them to an image. Then, retrieving data via PhotoRec or foremost scans that image - not the entire file system - leading to more precise results.
G.A.B.I. differs from R.A.L.F. as it is designed to extract all files from a given disk or partition using PhotoRec or foremost directly. Although there may be no need for G.A.B.I., it can save time and ensure files are recovered to a different disk and partition, thus avoiding the potential for further destruction before the recovery is complete.
Version 0.1.6: N/A