Android versions of TestDisk & Photorec or finding a way to use them on a partition dump that uses file based encryption
Posted: 05 Jun 2024, 02:54
Years ago, there was an Android version, is it published somewhere?
viewtopic.php?p=6007&sid=ce00b41e30467e ... c79f#p6007
> I have a command-line (No GUI and no text interface!) version that you can use on a rooted android.
--------------------
Back to the beginning in case it's the wrong approach.
On a phone with Android 13 that was installed from the same version. Like any not too old Android version, the install encrypts the partition with the File Based Encryption (FBE) method. Which for data recovery is not as nice as Full Disk Encryption. Also the partition is ext4.
An app had video data saved in Android/data/the.app.package.name
When uninstalling the app to downgrade it because the latest version crashes, I got a bitter reminder that Android/data/the.app.package.name is wiped on uninstall.
So concretely, I got many 2MB video files grouped in directories that got rm-ed.
IIUC without going to a data recovery company, among all the known publicly available tools, my best bet would be TestDisk's undelete feature that might be able to restore the directory structure. And PhotoRec if that fails.
So hence trying to find an Android build.
Another approach is to do that from a PC with a partition dump. Since the phone if rooted, I got a dump of the data partition (from /dev/block/mmcblk0pblablabla)
But there is still FBE in the way.
Does anyone know if there still any way to exploit such a partition dump with TestDisk or PhotoRec? Since if have the unlock code, there must be a way to get the key.
Hmm, even when installing TestDisk on the phone, it would still face the issue of FDE because IIUC, TestDisk/PhotoRec can only work on a raw partition or drive, so /dev/block/mmcblk0pblablabla. It would need specific code to handle the case of Android's FBE.
Or is there any other way with any tool to have some hope?
viewtopic.php?p=6007&sid=ce00b41e30467e ... c79f#p6007
> I have a command-line (No GUI and no text interface!) version that you can use on a rooted android.
--------------------
Back to the beginning in case it's the wrong approach.
On a phone with Android 13 that was installed from the same version. Like any not too old Android version, the install encrypts the partition with the File Based Encryption (FBE) method. Which for data recovery is not as nice as Full Disk Encryption. Also the partition is ext4.
An app had video data saved in Android/data/the.app.package.name
When uninstalling the app to downgrade it because the latest version crashes, I got a bitter reminder that Android/data/the.app.package.name is wiped on uninstall.
So concretely, I got many 2MB video files grouped in directories that got rm-ed.
IIUC without going to a data recovery company, among all the known publicly available tools, my best bet would be TestDisk's undelete feature that might be able to restore the directory structure. And PhotoRec if that fails.
So hence trying to find an Android build.
Another approach is to do that from a PC with a partition dump. Since the phone if rooted, I got a dump of the data partition (from /dev/block/mmcblk0pblablabla)
But there is still FBE in the way.
Does anyone know if there still any way to exploit such a partition dump with TestDisk or PhotoRec? Since if have the unlock code, there must be a way to get the key.
Hmm, even when installing TestDisk on the phone, it would still face the issue of FDE because IIUC, TestDisk/PhotoRec can only work on a raw partition or drive, so /dev/block/mmcblk0pblablabla. It would need specific code to handle the case of Android's FBE.
Or is there any other way with any tool to have some hope?
)
(there is likely a way around this)