Getting Started

Learn the basic principles of exhuming an extfs filesystem from a disk image.

The exhume extfs module is helping the investigator to analyse Linux Extended Filesystem and extract specific artefacts and metadata. Unlike the FileSystem module, exhume extfs can propose some advanced capabilities.

🛠️ Prerequisites

Installing Rust

The Exhume Toolkit is built with Rust and requires it for development or compilation.

Linux and MacOs
Windows

curl --proto '=https' --tlsv1.2 https://sh.rustup.rs -sSf | sh

Visit https://www.rust-lang.org/tools/install to install rustup You can also use winget to install rustup using the following command in PowerShell:

winget install --id Rustlang.Rustup

important

Be sure to restart your Terminal (and in some cases your system) for the changes to take affect.

Installing Exhume ExtFS

The following will install Exhume ExtFS globally.

cargo install exhume_extfs@0.1.1

🚀 Basic Usage

Required Flags:

-b, --body <FILE>: Path to the disk image or body.
-o, --offset <OFFSET>: Offset in bytes to begin reading from.
-s, --size <SIZE>: Size of the extfs partition in sectors.

Optional Flags:

-f, --format <FORMAT>: Format of the image (raw or ewf).
--inode <INODE>: Display metadata about a specific inode number.
--dir_entry: If --inode is specified and it’s a directory, list its directory entries.
--dump: Dump inode content to a file.
--superblock: Display the superblock information.
--json: Output certain structures (superblock, inode) in JSON format.

exhume_extfs -b <path_to_image> -f <format> -o <offset> -s <size> [options]

📘 Example

exhume_extfs -b disk.E01 -f ewf --offset 0x100000 --size 0x9c00000 --inode 4456449 --dir_entry

This will:

Open disk.E01 as a EWF format file
Start reading at offset 0x100000 of size 0x9c00000
Display the directory entry metadata for inode 4456449

Example output:

[2025-03-30T21:15:52Z INFO  exhume_extfs] Inode 4456449 metadata:
{
  "atime": 1570905329,
  "atime_extra": 892030028,
  "block_pointers": [
    127754,
    4,
    0,
    0,
    1,
    17834016,
    0,
    0,
    0,
    0,
    0,
    0,
    0,
    0,
    0
  ],
  "blocks": 8,
  "checksum": 539136813,
  "crtime": 1558108623,
  "crtime_extra": 2982906632,
  "ctime": 1570905319,
  "ctime_extra": 1468031040,
  "dtime": 0,
  "extra_isize": 32,
  "file_acl": 0,
  "flags": 524288,
  "generation": 1337569355,
  "gid": 0,
  "is_dir": true,
  "is_regular_file": false,
  "is_symlink": false,
  "links_count": 19,
  "mode": 16877,
  "mtime": 1570905319,
  "mtime_extra": 1468031040,
  "projid": 0,
  "size": 4096,
  "uid": 0
}
[2025-03-30T21:13:29Z INFO  exhume_extfs] Directory listing for inode 4456449:
4456449 / 0x2 .
2 / 0x2 ..
4456450 / 0x1 .bashrc
4456451 / 0x2 .cache
4456452 / 0x2 .config
4456457 / 0x1 .profile
4467464 / 0x2 .gnupg
4467474 / 0x2 .local
4467514 / 0x2 Desktop
4467517 / 0x2 Public
4467472 / 0x1 .ICEauthority
4467515 / 0x2 Downloads
4467516 / 0x2 Templates
4467518 / 0x2 Documents
4467519 / 0x2 Music
4467520 / 0x2 Pictures
4467521 / 0x2 Videos
4458874 / 0x1 .bash_history
4467599 / 0x1 archive-key.asc
4458913 / 0x2 .mozilla
4458929 / 0x2 .msf4
4459060 / 0x2 .ssh
4459064 / 0x2 .vnc
4459067 / 0x2 .fltk

🛠️ Prerequisites​

Installing Rust​

Installing Exhume ExtFS​

🚀 Basic Usage​

📘 Example​

🛠️ Prerequisites

Installing Rust

Installing Exhume ExtFS

🚀 Basic Usage

📘 Example