Recover files from unallocated on HFS+ file system
Posted: 18 Mar 2015, 11:49
Just a quick tip for the photorec community. I have been able to recover files from just unallocated space on an HFS+ file system using xmount + photorec.
The latest version of xmount (available here: https://www.pinguin.lu/) allows a user to mount just the unallocated space in a file system. AFAIK, this only works on Linux. The procedure is as follows:
Download and install xmount (requires the fuse bindings).
Create a mount point for the unallocated space, e.g. mkdir /mnt/xmnt
Get the start sector for the partition you want to do recovery on (using mmls from the sleuthkit, for instance).
Assuming the start sector is 2048 and the physical device is /dev/sdb, this is the xmount command you need:
xmount --in raw /dev/sdb --offset $((512*2048)) --morph unallocated --morphopts unallocated_fs=hfs /mnt/xmnt
If you go to your /mnt/xmnt directory you will find 2 files: sdb.txt and sdb.dd. The sdb.dd file is your unallocated space, mounted with the fuse bindings.
If you now type: photorec /mnt/xmnt/sdb.dd - you can now carve that file, it works best using expert mode, block size set to 512 bytes.
The above is an example for working with a raw disk, however it works for disk image files as well - including E01 files.
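The offset step from the procedure above, as an added example that is not part of the original post: it reads mmls output, takes the sector size from the "Units are in" line instead of assuming 512, and prints the matching xmount command. The function names, the row number 004 and the sample mmls listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Constructed mmls listing (not from a real disk); in practice pipe in
# the output of `mmls /dev/sdb` or `mmls image.dd` instead.
SAMPLE_MMLS='GUID Partition Table (EFI)
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Safety Table
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  Meta      0000000001   0000000001   0000000001   GPT Header
003:  Meta      0000000002   0000000033   0000000032   Partition Table
004:  000       0000002048   0001953791   0001951744   Untitled'

# byte_offset ROW: read mmls text on stdin and print the start of ROW
# in bytes. Fails (exit 1) if the row or the sector size is missing.
# awk does the arithmetic because the zero-padded start sector would be
# read as octal by shell $(( )).
byte_offset() {
    awk -v row="$1:" '
        /^Units are in [0-9]+-byte sectors/ { split($4, u, "-"); ssize = u[1] + 0 }
        $1 == row { start = $3 + 0; found = 1 }
        END {
            if (!found || ssize <= 0) exit 1
            printf "%.0f\n", start * ssize
        }'
}

# xmount_cmd SOURCE OFFSET MOUNTPOINT: print (do not run) the xmount
# command from the post with the computed offset filled in.
xmount_cmd() {
    printf 'xmount --in raw %s --offset %s --morph unallocated --morphopts unallocated_fs=hfs %s\n' \
        "$1" "$2" "$3"
}

# Demo on the constructed listing: row 004 starts at sector 2048.
off=$(printf '%s\n' "$SAMPLE_MMLS" | byte_offset 004) || {
    echo "partition row not found in mmls output" >&2
    exit 1
}
xmount_cmd /dev/sdb "$off" /mnt/xmnt
```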