1LDE(8) LDE(8)
2
6 lde - a curses based file system viewer/editor for Linux
7
9 lde [options] device
10
12 lde supports the three most popular file systems under Linux at the
13 time of its inception: ext2fs, minix, and xiafs. It also has minimal
14 support for msdos FAT file systems and a nofs system in which case lde
15 will function as a binary editor. lde will attempt to automatically
16 detect the file system present on the device or file when it is
17 started, if it does not recognize the file system present on the
18 device, it will default to nofs.
19 lde allows you to view and edit disk blocks in hex or ASCII mode, view
21 a block that contains directory entries in a readable fashion, and view
22 and edit formatted inodes. lde is a great help when recovering deleted
23 files (see doc/UNERASE included with the lde distribution for more
24 info).
25 The device parameter is a required option for lde. If omitted, it will
27 print a warning and refuse to start. The default mode for lde is to
28 use a curses interface; this can be overriden by some of the options
29 listed below.
30
33 -a, --all
34 Indicates that searches should be performed on the entire disk.
35 If -a is not specified, only data zones which are marked not in
36 use will be searched.
37 --append
39 Always append data to existing recovery file. If file does not
40 exist, create new file.
41 -b (--block) block_number
43 Format a single block as hex and dump it to standard output.
44 Specify -N to dump more than one block.
45 -B block_number
47 Format all blocks after specifed block_number as hex and dump to
48 standard output. You can use -N to specify the number of blocks
49 to display.
50 --blanked-indirects
52 Linux <= 2.0.33 blanks all the indirect blocks when truncating
53 an inode. The inode still knows where the 1x/2x/3x indirect
54 blocks are, but they're full of zeros. This was a quick hack
55 that works to restore small (>12k <~500k) unfragmented files.
56 It can be toggled via the flags menu in the curses interface.
57 -d block_number
59 Dump a block's data to standard out as unformatted binary data,
60 ( like cat and faster than dd ). Specify -N to dump more than
61 one block.
62 -D block_number
64 Dump all blocks after block_number to standard out as unformat‐
65 ted binary data. You can use -N to specify the number of blocks
66 to dump.
67 -f, --file recovery_file_name
69 Signal lde that we want to recover an inode to a file and spec‐
70 ify its name. You should specify the inode number to be recov‐
71 ered with the -i option.
72 -g, --grep
74 This option was designed to work with grep output. Grep a file
75 for lost data, pipe it through awk to yield just byte offsets
76 where the desired string lies. lde will then find the block
77 corresponding to the desired offset and try to find an inode
78 which references this block. A sample script is included with
79 the lde distribution (crash_recovery/grep-inode).
80 -h, --help
82 Display extended help.
83 -i (--inode) inode_number
85 Format and dump a single inode to standard output. Specify -N
86 to dump more than one inode.
87 -I inode_number
89 Format and dump all inodes after inode_number to standard out‐
90 put. You can use -N to specify the number of inodes to display.
91 --indirects
93 Search the filesystem for blocks that looks like indirect
94 blocks.
95 --ilookup
97 When searching, if we find a match, activate this flag to lookup
98 the inode which contains the matched block. It might be easier
99 and faster to do this with paper and use lde to interactively
100 lookup only the blocks which have a high probability of being
101 the one you want. --ilookup can also be used if the -B or -b
102 option is specified to try to find an inode reference for the
103 specifed blocks. When using -B you may want to specify -N also.
104 --logtofile
106 Debugging option. All of lde's messages will be dumped to
107 /tmp/ldeerrors.
108 -L --length
110 Sets search string length (when using -T with a filename).
111 -N --limit
113 Sets the number of blocks to display when using inode or block
114 dumps. If unspecified, default is to the end of the filesystem
115 ( -I -B -D ) or a single block ( -i -b -d ).
116 -N can also be used to specify a block to begin/resume searching
118 at. If unspecified in this usage, it defaults to the first data
119 zone.
120 -O --offset
122 Sets search string offset (when using -T with a filename). The
123 first byte in the template file is 0. When searching for
124 matches, the block will be examined starting at this offset.
125 -p, -r, --paranoid, --safe, --read-only
127 Open the device read only. Once set, this cannot be toggled
128 from within the program.
129 -q, --quiet
131 Turn off bell.
132 --recoverable
134 When searching, check that any inodes found contain a deleted
135 file that may be recovered. --ilookup must also be activated
136 for this option to have any effect. If no blocks are marked
137 used by another inode, "recovery possible" will be printed. If
138 blocks are used by another file "recovery NOT possible" will be
139 printed to the screen. You may still be able to get some data
140 back even when it reports that recovery is not possible. To get
141 an idea of how many blocks are in use, you will have to check
142 its recoverablilty from lde via its curses interface (see
143 Recover mode below).
144 If --recoverable is used with -I 1 , it will check all the
146 deleted inodes to see if they can be recovered. The deletion
147 time of the inode will be printed to the screen if it is recov‐
148 erable.
149 -s (--bs or --blocksize) block_size
151 Override blocksize which lde has detected. The blocksize may
152 have been read from the information (superblock) stored on the
153 disk or is what lde would consider the default blocksize for
154 that type of filesystem (generally 1024 bytes). With this
155 option, you can force lde to use a different blocksize.
156 --superscan
158 Try to find ext2 signature on device. Supersedes functionaly
159 previously provided by find_ext2_fs.
160 -S string
162 Search disk for data (of questionable usefulness). This was
163 more for searching for a specific type of file (which is now
164 easier with -T ) rather than file data. To search for data or
165 strings, use the --grep option. If you insist on using -S which
166 might be prudent occasionally, The offset of the string must be
167 specified with -O , and each block will only be inspected at
168 that offset. If -O is not specified, then 0 is assumed and the
169 string must lie at the start of a block. You can also specify
170 the block to begin/resume searching from with -N which defaults
171 to the first data zone.
172 -t fstype
174 Override the auto-detect. fstype = {no, minix, xiafs, ext2fs,
175 msdos}
176 -T type
178 Search disk for data. This will search the start of each block
179 for numbers found in /etc/magic for certain types of files, cur‐
180 rently supported types are {gz, tgz, script}.
181 Note: type tgz only finds tar files that were created with gnu
183 tar using its cfz options. Use gz to find tar files that were
184 compressed after creation (or through a pipe?).
185 If you specify a filename after the -T option, it will read in
187 the first block of the file and search the filesystem for some‐
188 thing which matches it exactly. This may be useful for finding
189 deleted copies of files (i.e. you've found version 1.0, but
190 deleted version 1.5 and now want to recover it) or with the -L
191 and -O options, you can pick off a few bytes and search for
192 magic numbers in a certain file type. When using the filename
193 option, you really should specify -L and -O or they will default
194 to BLOCKSIZE and 0. You can also specify the block to
195 begin/resume searching from with -N which defaults to the first
196 data zone.
197 -V, --version
199 Display version information.
200 -w, --write
202 Allow writes to the disk.
203
207 The lde main screen displays the file system's superblock in the
208 workspace window. The header window will be the same for all modes and
209 indicates the program name and version, the device, the current
210 selected inode, and the current selected block. There are also nine
211 digits (and some extra characters shifted-12456 on an American key‐
212 board, sorry I skip '#' which is reserved for another function)
213 "0123456789!@$%^" which indicate the status of a bogus inode which can
214 be used for file recovery. A digit means the inode block entry has not
215 been filled yet, a minus sign indicates that it has been filled.
216 While displaying the superblock, you can use the following keys which
218 are valid in most modes:
219 b to enter block mode
221 d display the directory contents of the current inode or
223 block
224 f menu of runtime flags
226 i to enter inode mode
228 r to enter recover mode
230 s return to super block mode ( only valid from other modes
232 )
233 q to quit
235 v view the error/warning log
237 ^L to repaint the screen
239 ^O display menu of valid choices ( also F2 )
241 F1 display help screen ( also M-h or ? )
243 I have tried to implement cursor motion modes similar to both vi and
245 emacs (M = meta key, ^ = control key, ESC is recognized as the meta
246 key, M-ESC is recognized occasionally as ESC -- to exit menus).
247 vi emacs
249 UP k ^P
250 DOWN j ^N
251 LEFT h ^B
252 RIGHT l ^F
253 PG_UP ^U M-v
254 PG_DN ^D ^V
255 Inode mode:
258 Once in inode mode, the current inode will be displayed in the
260 workspace window.
261 PG_DOWN
264 Make next inode the current inode.
265 PG_UP Make previous inode the current inode.
267 arrows Move cursor to different fields of inode. Up and left go
269 back one field, down or right will go to the next field.
270 0123456789!@#$%^
272 Add corresponding block entry from this inode to the
273 recovery list.
274 B Switch to block mode, examining block under cursor.
276 b Switch to block mode, examining current block (displayed
278 in status line).
279 c Copy inode to inode copy buffer.
281 e Edit inode information. Use the cursor to select the
283 field you want to edit, then hit RET ^M ^J or e and a
284 line will pop up at the bottom of the screen, enter the
285 new value here. Entering a blank line will leave the
286 value unchanged.
287 Dates can be entered in any format other than the one
289 displayed on the screen. The year must be kept near the
290 month and day. Use formats like "24SEP96 10:00:01" or
291 "10:00:01 Sep 24, 1996". "12/24/96" will probably
292 default to the American interpretation MM/DD/YY. I did
293 not write the date parser, so I don't want to hear any
294 complaints about it.
295 p Paste inode from inode copy buffer.
297 r Switch to recover mode.
299 R Switch to recover mode, copy current inode block informa‐
301 tion into recovery inode.
302 # This will prompt the user to enter a number and it will
304 then make that the current inode. The number may be
305 entered as hexadecimal (leading 'x', '0x', or '$'), octal
306 (leading '´), or decimal.
307 M-b View inode in its raw block format.
309 Block Mode:
311 In block mode, the current block will be displayed in hexadecimal and
313 ASCII. The numbers along the left hand side of the screen are hexadec‐
314 imal offsets from the beginning of the block. As much of the block as
315 possible will be displayed. If the block is marked unused, the central
316 row of ':' will spell out NOT USED.
317 PG_DOWN
320 Display next chunk of this block.
321 PG_UP Display previous chunk of this block.
323 + Make next block the current block.
325 - Make previous block the current block.
327 arrow Move cursor.
329 b View block under cursor. lde will interpret the byte
331 under the cursor as the start of a block pointer (as if
332 it were part of an indirect block). This will be a two
333 byte pointer for the minix file system, four bytes for
334 ext2fs and xiafs.
335 B Interpret blocks under cursor as a block pointer and make
337 it the current block.
338 c Copy block to copy buffer.
340 d Dump block as a directory (see directory popup descrip‐
342 tion below).
343 e Edit the data in hex or ascii mode. TAB ( ^I) switches
345 between hex and ascii editing. While in hex edit, the
346 keys A-F and 0123456789 will not perform their lde func‐
347 tions, but are used to enter new data. In ascii edit,
348 most keys (chars 32-126) are used to enter new data.
349 Characters outside this range must be entered in hex
350 mode, they will be displayed on the ASCII display as a
351 period.
352 Editing will exit on write block ( ^W ) or a command
354 which goes to another block or leaves block mode. To
355 discard your changes and re-read the block use ^A or view
356 another block and come back. You will always be prompted
357 [Yes/Discard changes/Continue edit] before a write
358 occurs. Select y to save the block to disk, d to discard
359 your changes and re-read the data from disk, or c if you
360 made a mistake and want to go back and make some more
361 changes before saving this block.
362 It is probably a good idea to unmount the file system
364 before you do any writes to it. My guess is that bad
365 things will happen if you try to write the inode/block
366 tables while someone else is using the filesystem.
367 I View inode under cursor. lde will interpret the byte
369 under the cursor as the start of an inode pointer (as if
370 it were part of an directory entry). This will be a two
371 byte pointer for the minix file system, four bytes for
372 ext2fs and xiafs.
373 n, p Next/previous block in file. If the displayed file is
375 indexed by the current inode, you can step to the next or
376 previous block in the chain.
377 p Paste block from copy buffer.
379 w Write the current block to the recovery file.
381 0123456789!@#$%^
383 tag this block to be recovered. Under Minix, this will
384 display nine blocks which represent the block pointers in
385 an inode. 0-6 are direct blocks, 7 is the indirect
386 block, and 8 is the double indirect block. One day there
387 may be an option for more direct blocks to make recovery
388 easier. When a block is tagged, the status line will
389 reflect this. To untag a block, go to recover mode and
390 set the block's pointer to zero.
391 # This will prompt the user to enter a block number. The
393 numbers may be entered in the same format described in
394 inode mode (decimal, hex, or octal).
395 ^R Look up inode which references this block.
397 / Search for a string. You will be prompted for a case-
399 sensative search string. The search will proceede from
400 the current block, if a match is found, the block pointer
401 will be advanced and the matching block will be dis‐
402 played.
403 Recover Mode:
405 In recover mode, the tagged blocks are displayed and may be edited by
407 hand. When they are correct the user can dump the file. The user is
408 prompted for a filename which can be 80 chars, the default file is
409 "./RECOVER.file".
410 0123456789!@#$%^
413 Will prompt the user to enter a numeric value for the
414 specified block index. The format of the input should be
415 the same as that described in inode mode.
416 c Check that all the blocks marked for recovery are unused.
418 Complete recovery will be impossible if any blocks are
419 reported in use, but you might be able to salvage a large
420 chunk of your file.
421 r Write out the recovered file.
423 u Unmark all blocks. The recovery inode will be filled
425 with zeroes.
426 Directory View
428 Accessable from inode and block mode. In block mode, it formats the
430 current block as a directory entry with no syntax checking (i.e. it
431 might not really be a directory block). In inode mode, it uses the
432 block pointers to determine what to display. You can use the up and
433 down arrow keys to scroll the display if there are too many entries to
434 display at once.
435 d If the cursor is on a directory, it will follow the link and
438 display that directory. Use D to do the same and set the current
439 inode to the new directory inode.
440 i Set the current inode to the inode under the cursor.
442 I Set the current inode and immediately view it in inode mode.
444 n, p Next/previous block in directory. If the directory being viewed
446 is indexed by the current inode, you can step to the next or
447 previous block in the chain.
448
451 lde -I 1 -N 10 /dev/hda1
452 Display inodes 1-10 on the screen.
453 lde -b 34 /dev/hda1 | more
455 Display block 34 on the screen (formatted in hex and ascii).
456 lde -D 100 -N 51 /dev/hda1 > MyOuput
458 Cat blocks 100-150 to stdout (binary data), which is equivalent
459 to
460 dd if=/dev/hda1 of=MyOutput bs=1024 count=51 skip=100
462 lde -I 1 --recoverable /dev/hda5
464 Display all inodes on /dev/hda5 which have been deleted, but can
465 be recovered.
466 lde -I 1 --recoverable /dev/hda5 | grep "Sep 23"
468 Display all inodes on /dev/hda5 which have been deleted today
469 September 23, but can be recovered. The date format is that of
470 ctime(3):
471 "Wed Jun 30 21:49:08 1993"
473 Note: the day will have a leading space if is less than 10.
475 lde -b 100 --ilookup /dev/hda1
477 Find first inode that references block 100 on /dev/hda1 (to
478 search for multiple occurances, use the curses interface).
479 lde --paranoid -T tgz --ilookup --recoverable /dev/hda5
481 Find all tgz files which have been deleted, display possible
482 inodes and check if it is possible to recover the files, open
483 the file system read only while searching.
484 See docs/UNERASE included with the lde distribution for more examples
486 and instructions for the best way to go about restoring files.
487
490 fsck(8), fsck.minix(8), e2fsck(8), xfsck(8), debugfs(8)
491
493 Scott D. Heavner (sdh@po.cwru.edu)
494 For more info, see the lde project page at sourceforge
496 <http://lde.sourceforge.net/>.
497 19 May 2005 LDE(8)