Recover files from unallocated on HFS+ file system

Using PhotoRec to recover lost data
Forum rules
When asking for technical support:
- Search for posts on the same topic before posting a new question.
- Give clear, specific information in the title of your post.
- Include as many details as you can, MOST POSTS WILL GET ONLY ONE OR TWO ANSWERS.
- Post a follow up with a "Thank you" or "This worked!"
- When you learn something, use that knowledge to HELP ANOTHER USER LATER.
Before posting, please read https://www.cgsecurity.org/testdisk.pdf
Locked
Message
Author
stumpyuk
Posts: 16
Joined: 19 Sep 2012, 11:41

Recover files from unallocated on HFS+ file system

#1 Post by stumpyuk »

Just a quick tip for the photorec community. I have been able to recover files from just unallocated space on a HFS+ file system using xmount + photorec.

The latest version of xmount (available here: https://www.pinguin.lu/) allows a user to mount just the unallocated space in a file system. AFAIK, this only works on Linux, the procedure is as follows:

Download and install xmount (requires the fuse bindings).
Create a mount point for the unallocated space e.g mkdir /mnt/xmnt
Get the start sector for the partition you want to do recovery on (using mmls from the sleuthkit, for instance).
Assuming the start sector is 2048 and the physical device is /dev/sdb, this is the xmount command you need:
xmount --in raw /dev/sdb --offset $((512*2048)) --morph unallocated --morphopts unallocated_fs=hfs /mnt/xmnt

If you go to your /mnt/xmnt directory you will find 2 files: sdb.txt and sdb.dd. The sdb.dd file is you unallocated space, mounted with the fuse bindings.
If you now type: photorec /mnt/xmnt/sdb.dd - you can now carve that file, it works best using expert mode, block size set to 512 bytes.

The above is an example for working with a raw disk, however it works for disk image files as well - including E01 files.

fridsun
Posts: 2
Joined: 21 Apr 2016, 17:06

Re: Recover files from unallocated on HFS+ file system

#2 Post by fridsun »

Thank you so much!
A somewhat surprising example of the Unix philosophy? ;)

baychae
Posts: 1
Joined: 08 Jun 2016, 15:25

Re: Recover files from unallocated on HFS+ file system

#3 Post by baychae »

Hi,

When I enter this I get an error:

Code: Select all

ERROR: ParseCmdLine.05.05@386 : Unknown input image type "raw"!
Please advise.

Locked