Scripted on E01 with multi partitions

mabbott
Posts: 2
Joined: 19 Oct 2012, 21:50


#1 Post by mabbott »

Thank you for this wonderful piece of software.

I have to recover deleted files on numerous E01 images.
My current one I am working with has 4 partitions. A HFS+, NTFS, EXT4 and a Fat32.
I have found that I need to first mount the E01 Image using ewfmount. I then pass it the ewf1 file that got mounted. I have not been able to get it running on just the E01. This is ok.
I would like to have your tool automatically run through each partition found on the evidence file. Right now I either have to know the partition name or just settle with it only running on the first partition. Due to the fact I will be encountering E01s containing random partition types, this will not work.

Do you have a recommendation?

XUbuntu Linux
Scripts written in python3.2

Thanks!

cgrenier
Site Admin
Posts: 5432
Joined: 18 Feb 2012, 15:08
Location: Le Perreux Sur Marne, France

Re: Scripted on E01 with multi partitions

#2 Post by cgrenier »

You can
- parse the output of 'testdisk -lu "image.E*"' to get the list of all partitions and
- for each partition except the extended, run 'testdisk /log /cmd "image.E*" advanced,X,list,recursive' with X being the partition number.

mabbott
Posts: 2
Joined: 19 Oct 2012, 21:50

Re: Scripted on E01 with multi partitions

#3 Post by mabbott »

-EDIT-
I tried working with a bunch of other images I had. The recursive piece does work with some of them.
I apologize for this, as I think my ignorance of Linux is the hurdle here... But exactly how do I reference the individual partitions contained within the E01/ewf1?
I have tried mounting first, and then passing them in, for example: (where mount_0 is the first mounted partition)
photorec /cmd /mnt/tapeworm/test/mount_0 search

Here is the output from testdisk:
testdisk -lu /mnt/test2/ewf1
TestDisk 6.13, Data Recovery Utility, November 2011
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org
Please wait...
Disk /mnt/test2/ewf1 - 10 GB / 10 GiB - CHS 1322 255 63 (RO), sector size=512

Disk /mnt/test2/ewf1 - 10 GB / 10 GiB - CHS 1322 255 63 (RO)
     Partition                  Start        End    Size in sectors
 1 * HPFS - NTFS                   63    9510479    9510417
 2 P FAT32                    9510480   10538639    1028160 [HACKINGTLS]
 3 E extended                10539006   21231615   10692610
 5 L Linux                   10539008   19122992    8583985
   X extended                20659590   21231615     572026
 6 L Linux Swap              20660224   21231615     571392

So how do I run photorec on each one of those partitions using the photorec /cmd command?

I also tried your suggestion with the recursive option. On one image (win7 NTFS) the recursive caused the command to fail. On this image I got a 35mb file that I have been looking through but unsure of what pieces to pass into the photorec command.

Thank you very much for all of your help!

cgrenier
Site Admin
Posts: 5432
Joined: 18 Feb 2012, 15:08
Location: Le Perreux Sur Marne, France

Re: Scripted on E01 with multi partitions

#4 Post by cgrenier »

After

Code:

testdisk -lu /mnt/test2/ewf1

to get a list of all the files in testdisk.log, run

Code:

testdisk /log /cmd /mnt/test2/ewf1 advanced,1,list,recursive
testdisk /log /cmd /mnt/test2/ewf1 advanced,2,list,recursive
testdisk /log /cmd /mnt/test2/ewf1 advanced,5,list,recursive

to recover files from the free space (deleted files), run

Code:

photorec /d recup1 /cmd /mnt/test2/ewf1 1,freespace,search
photorec /d recup2 /cmd /mnt/test2/ewf1 2,freespace,search
photorec /d recup5 /cmd /mnt/test2/ewf1 5,freespace,search
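Added example (not code from either poster): a Python script that parses the `testdisk -lu` listing from post #3 and builds one photorec command per partition, skipping the extended container and, to match the three commands in post #4, the swap partition. It assumes the i386 (MBR) row layout shown in that listing; the function names and the `skip` parameter are hypothetical.

```python
import re

# Listing copied from post #3 on this page (output of `testdisk -lu /mnt/test2/ewf1`).
SAMPLE_LISTING = """\
Disk /mnt/test2/ewf1 - 10 GB / 10 GiB - CHS 1322 255 63 (RO)
Partition Start End Size in sectors
1 * HPFS - NTFS 63 9510479 9510417
2 P FAT32 9510480 10538639 1028160 [HACKINGTLS]
3 E extended 10539006 21231615 10692610
5 L Linux 10539008 19122992 8583985
X extended 20659590 21231615 572026
6 L Linux Swap 20660224 21231615 571392
"""

# Row layout: number, status flag, type, start, end, size, optional [label].
# Rows without a partition number (the nested "X extended") do not match.
ROW = re.compile(
    r"^\s*(\d+)\s+([*PEL])\s+(.+?)\s+(\d+)\s+(\d+)\s+(\d+)(?:\s+\[.*\])?\s*$"
)

def parse_partitions(listing):
    """Return [(number, flag, fs_type)] for every numbered partition row."""
    parts = []
    for line in listing.splitlines():
        m = ROW.match(line)
        if m:
            parts.append((int(m.group(1)), m.group(2), m.group(3)))
    return parts

def photorec_commands(image, listing, skip=("extended", "linux swap")):
    """Build one photorec argv per partition whose type is not in `skip`.

    The default `skip` is an assumption chosen to reproduce post #4's commands.
    """
    cmds = []
    for number, _flag, fs_type in parse_partitions(listing):
        if fs_type.lower() in skip:
            continue
        cmds.append(["photorec", "/d", f"recup{number}", "/cmd", image,
                     f"{number},freespace,search"])
    return cmds

if __name__ == "__main__":
    # Each list can be handed to subprocess.run(argv, check=True).
    for argv in photorec_commands("/mnt/test2/ewf1", SAMPLE_LISTING):
        print(" ".join(argv))
```

The `/d` paths are relative, as in post #4, so run the script from a case output directory rather than from the ewfmount mount point.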
