Page 1 of 1

Recover files from unallocated on HFS+ file system

Posted: 18 Mar 2015, 11:49
by stumpyuk
Just a quick tip for the photorec community. I have been able to recover files from just unallocated space on a HFS+ file system using xmount + photorec.

The latest version of xmount (available here: https://www.pinguin.lu/) allows a user to mount just the unallocated space in a file system. AFAIK, this only works on Linux, the procedure is as follows:

Download and install xmount (requires the fuse bindings).
Create a mount point for the unallocated space e.g mkdir /mnt/xmnt
Get the start sector for the partition you want to do recovery on (using mmls from the sleuthkit, for instance).
Assuming the start sector is 2048 and the physical device is /dev/sdb, this is the xmount command you need:
xmount --in raw /dev/sdb --offset $((512*2048)) --morph unallocated --morphopts unallocated_fs=hfs /mnt/xmnt

If you go to your /mnt/xmnt directory you will find 2 files: sdb.txt and sdb.dd. The sdb.dd file is you unallocated space, mounted with the fuse bindings.
If you now type: photorec /mnt/xmnt/sdb.dd - you can now carve that file, it works best using expert mode, block size set to 512 bytes.

The above is an example for working with a raw disk, however it works for disk image files as well - including E01 files.

Re: Recover files from unallocated on HFS+ file system

Posted: 21 Apr 2016, 17:08
by fridsun
Thank you so much!
A somewhat surprising example of the Unix philosophy? ;)

Re: Recover files from unallocated on HFS+ file system

Posted: 08 Jun 2016, 15:32
by baychae
Hi,

When I enter this I get an error:

Code: Select all

ERROR: ParseCmdLine.05.05@386 : Unknown input image type "raw"!
Please advise.