Getting Started

Learn the basic principles of exhuming an extfs filesystem from a disk image.

The exhume extfs module is helping the investigator with the analysis of the Linux Extended Filesystem and extract specific artefacts and metadata. Unlike the exhume filesystem module, exhume extfs can propose some advanced capabilities.

🛠️ Prerequisites

Installing Rust

The Exhume Toolkit is built with Rust and requires it for development or compilation.

Linux and MacOs
Windows

curl --proto '=https' --tlsv1.2 https://sh.rustup.rs -sSf | sh

Visit https://www.rust-lang.org/tools/install to install rustup You can also use winget to install rustup using the following command in PowerShell:

winget install --id Rustlang.Rustup

important

Be sure to restart your Terminal (and in some cases your system) for the changes to take affect.

Installing Exhume ExtFS

The following will install Exhume ExtFS globally.

cargo install exhume_extfs@0.1.2

🚀 Basic Usage

Options

Option	Description
`-b`, `--body <body>`	The path to the body to exhume.
`-f`, `--format <format>`	The format of the file, either `'raw'` or `'ewf'`.
`-o`, `--offset <offset>`	The extfs partition start address (decimal or hex).
`-s`, `--size <size>`	The size of the extfs partition in sectors (decimal or hex).
`-i`, `--inode <inode>`	Display the metadata about a specific inode number (≥2).
`-d`, `--dir_entry`	If `--inode` is specified and it is a directory, list its directory entries.
`--dump`	If `--inode` is specified, dump its content to a file named `inode_<N>.bin`.
`--superblock`	Display the superblock information.
`-j`, `--json`	Output certain structures (`superblock`, `inode`) in JSON format.
`-l`, `--log-level <log_level>`	Set the log verbosity level. Default: `info`. Possible values: `error`, `warn`, `info`, `debug`, `trace`.
`-h`, `--help`	Print help.
`-V`, `--version`	Print version.

exhume_extfs -b <path_to_image> -f <format> -o <offset> -s <size> [options]

📘 Example

exhume_extfs -b disk.E01 -f ewf --offset 0x100000 --size 0x9c00000 --inode 4456449 --dir_entry

This will:

Open disk.E01 as a EWF format file
Start reading at offset 0x100000 of size 0x9c00000
Display the directory entry metadata for inode 4456449

Example output:

[2025-03-30T21:15:52Z INFO  exhume_extfs] Inode 4456449 metadata:
{
  "atime": 1570905329,
  "atime_extra": 892030028,
  "block_pointers": [
    127754,
    4,
    0,
    0,
    1,
    17834016,
    0,
    0,
    0,
    0,
    0,
    0,
    0,
    0,
    0
  ],
  "blocks": 8,
  "checksum": 539136813,
  "crtime": 1558108623,
  "crtime_extra": 2982906632,
  "ctime": 1570905319,
  "ctime_extra": 1468031040,
  "dtime": 0,
  "extra_isize": 32,
  "file_acl": 0,
  "flags": 524288,
  "generation": 1337569355,
  "gid": 0,
  "is_dir": true,
  "is_regular_file": false,
  "is_symlink": false,
  "links_count": 19,
  "mode": 16877,
  "mtime": 1570905319,
  "mtime_extra": 1468031040,
  "projid": 0,
  "size": 4096,
  "uid": 0
}
[2025-03-30T21:13:29Z INFO  exhume_extfs] Directory listing for inode 4456449:
4456449 / 0x2 .
2 / 0x2 ..
4456450 / 0x1 .bashrc
4456451 / 0x2 .cache
4456452 / 0x2 .config
4456457 / 0x1 .profile
4467464 / 0x2 .gnupg
4467474 / 0x2 .local
4467514 / 0x2 Desktop
4467517 / 0x2 Public
4467472 / 0x1 .ICEauthority
4467515 / 0x2 Downloads
4467516 / 0x2 Templates
4467518 / 0x2 Documents
4467519 / 0x2 Music
4467520 / 0x2 Pictures
4467521 / 0x2 Videos
4458874 / 0x1 .bash_history
4467599 / 0x1 archive-key.asc
4458913 / 0x2 .mozilla
4458929 / 0x2 .msf4
4459060 / 0x2 .ssh
4459064 / 0x2 .vnc
4459067 / 0x2 .fltk

🛠️ Prerequisites​

Installing Rust​

Installing Exhume ExtFS​

🚀 Basic Usage​

Options​

📘 Example​