Recover files from unallocated on HFS+ file system

Using PhotoRec to recover lost data
Post Reply
Message
Author
stumpyuk
Posts: 16
Joined: 19 Sep 2012, 11:41

Recover files from unallocated on HFS+ file system

#1 Post by stumpyuk » 18 Mar 2015, 11:49

Just a quick tip for the photorec community. I have been able to recover files from just unallocated space on a HFS+ file system using xmount + photorec.

The latest version of xmount (available here: https://www.pinguin.lu/) allows a user to mount just the unallocated space in a file system. AFAIK, this only works on Linux, the procedure is as follows:

Download and install xmount (requires the fuse bindings).
Create a mount point for the unallocated space e.g mkdir /mnt/xmnt
Get the start sector for the partition you want to do recovery on (using mmls from the sleuthkit, for instance).
Assuming the start sector is 2048 and the physical device is /dev/sdb, this is the xmount command you need:
xmount --in raw /dev/sdb --offset $((512*2048)) --morph unallocated --morphopts unallocated_fs=hfs /mnt/xmnt

If you go to your /mnt/xmnt directory you will find 2 files: sdb.txt and sdb.dd. The sdb.dd file is you unallocated space, mounted with the fuse bindings.
If you now type: photorec /mnt/xmnt/sdb.dd - you can now carve that file, it works best using expert mode, block size set to 512 bytes.

The above is an example for working with a raw disk, however it works for disk image files as well - including E01 files.

Sponsored links

fridsun
Posts: 2
Joined: 21 Apr 2016, 17:06

Re: Recover files from unallocated on HFS+ file system

#2 Post by fridsun » 21 Apr 2016, 17:08

Thank you so much!
A somewhat surprising example of the Unix philosophy? ;)

baychae
Posts: 1
Joined: 08 Jun 2016, 15:25

Re: Recover files from unallocated on HFS+ file system

#3 Post by baychae » 08 Jun 2016, 15:32

Hi,

When I enter this I get an error:

Code: Select all

ERROR: ParseCmdLine.05.05@386 : Unknown input image type "raw"!
Please advise.

Post Reply

Who is online

Users browsing this forum: No registered users and 4 guests