Getting Started
Learn the basic principles of exhuming an extfs filesystem from a disk image.
The exhume extfs module is helping the investigator with the analysis of the Linux Extended Filesystem and extract specific artefacts and metadata. Unlike the exhume filesystem module, exhume extfs can propose some advanced capabilities.
🛠️ Prerequisites
Installing Rust
The Exhume Toolkit is built with Rust and requires it for development or compilation.
- Linux and MacOs
- Windows
curl --proto '=https' --tlsv1.2 https://sh.rustup.rs -sSf | sh
Visit https://www.rust-lang.org/tools/install to install rustup
You can also use winget to install rustup using the following command in PowerShell:
winget install --id Rustlang.Rustup
important
Be sure to restart your Terminal (and in some cases your system) for the changes to take affect.
Installing Exhume ExtFS
The following will install Exhume ExtFS globally.
cargo install exhume_extfs@0.1.7
🚀 Basic Usage
Options
| Option | Description |
|---|---|
-b, --body <body> | The path to the body to exhume. |
-f, --format <format> | The format of the file, either 'raw' or 'ewf'. |
-o, --offset <offset> | The extfs partition start address (decimal or hex). |
-s, --size <size> | The size of the extfs partition in sectors (decimal or hex). |
-i, --inode <inode> | Display the metadata about a specific inode number (≥2). |
-d, --dir_entry | If --inode is specified and it is a directory, list its directory entries. |
--dump | If --inode is specified, dump its content to a file named inode_<N>.bin. |
--superblock | Display the superblock information. |
-j, --json | Output certain structures (superblock, inode, dir_entry ) in JSON format. |
--recover | Scan all free inodes and carve deleted files. |
--journal | Display the journal block listing (jls). |
-t, --timeline | Print a JSON timeline assembled from the ext4 journal. |
-l, --log-level <log_level> | Set the log verbosity level. Default: info. Possible values: error, warn, info, debug, trace. |
-h, --help | Print help. |
-V, --version | Print version. |
exhume_extfs -b <path_to_image> -f <format> -o <offset> -s <size> [options]
📘 Example
exhume_extfs -b disk.E01 -f ewf --offset 0x100000 --size 0x9c00000 --inode 4456449 --dir_entry
This will:
- Open disk.E01 as a EWF format file
- Start reading at offset 0x100000 of size 0x9c00000
- Display the directory entry metadata for inode 4456449
Example output:
[2025-05-28T07:39:36Z INFO exhume_body] Detected an EWF disk image.
[2025-05-28T07:39:36Z INFO exhume_extfs::superblock] Extended FileSystem Journaling feature is on.
[2025-05-28T07:39:36Z INFO exhume_extfs] Directory listing for inode 2:
2 / 0x2 .
2 / 0x2 ..
11 / 0x2 lost+found
3538945 / 0x2 media
12 / 0x1 0
1966081 / 0x2 run
786433 / 0x2 sys
4980737 / 0x2 srv
13 / 0x7 bin
15 / 0x7 initrd.img.old
1441793 / 0x2 boot
3801089 / 0x2 dev
262145 / 0x2 var
21 / 0x7 initrd.img
17 / 0x7 lib32
20 / 0x7 sbin
524289 / 0x2 usr
4456449 / 0x2 root
1179649 / 0x2 etc
393218 / 0x2 .cache
4063233 / 0x2 proc
19 / 0x7 libx32
18 / 0x7 lib64
22 / 0x7 vmlinuz.old
16 / 0x7 lib
3276801 / 0x2 home
393217 / 0x2 mnt
23 / 0x7 vmlinuz
1703937 / 0x2 tmp
2883585 / 0x2 opt