From: Frank Mayhar
Reply-To: frank@exit.com
To: John-Mark Gurney
Cc: freebsd-hackers@freebsd.org, falcon17@hushmail.com
Subject: Re: picking data out of a UFS image
Date: Fri, 13 Jun 2014 11:30:11 -0700
Organization: Exit Consulting
Message-ID: <1402684211.35278.0.camel@jill.exit.com>
In-Reply-To: <20140613153107.GX31367@funkthat.com>
References: <20140613145246.DB840C00AA@smtp.hushmail.com> <20140613153107.GX31367@funkthat.com>
List-Id: Technical Discussions relating to FreeBSD

On Fri, 2014-06-13 at 08:31 -0700, John-Mark Gurney wrote:
> falcon17@hushmail.com wrote this message on Fri, Jun 13, 2014 at 07:52 -0700:
> > I had an old dying disk and I managed to make a dd image of half of it
> > before it went completely belly up. When I have done this in the past I
> > have been able to use the sleuth kit ffind, fls, etc to dig around, or
> > even vnconfig and mount the whole image. This time none of that is
> > working, in fact it claims bad superblock although I think I found an
> > alternate that works.
> > In any case I am able to find some textual data when I simply hexdump
> > or strings the image, and some of that is what I was looking to
> > recover. Is it reasonably easy to work backwards from that, say, using
> > the location I found for the start of this file, to search backwards
> > and hunt down its inode? Maybe work from there to pick out others?
> > I guess what I am looking for is a little guidance on picking out UFS
> > data structures manually. Thanks!
>
> I developed a Python script to extract data from a broken FFS... the
> sources are here:
> https://people.freebsd.org/~jmg/ffsrecov/
>
> It's been a long time since I've looked at it, but should help you..

There's also sysutils/ffs2recov in ports. Although that, too, hasn't
been touched in a long time.
-- 
Frank Mayhar
frank@exit.com
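
Added example, not part of the messages above and not code from ffsrecov or ffs2recov: a first step in picking UFS structures out of a damaged image by hand is to list every surviving superblock copy by scanning sector boundaries for the UFS1/UFS2 magic and sanity-checking the block and fragment sizes. The field offsets are taken from struct fs in FreeBSD's sys/ufs/ffs/fs.h, little-endian byte order is assumed, and the function names and the sample image are constructed for illustration.

```python
import io
import struct

# Constants from FreeBSD's sys/ufs/ffs/fs.h (struct fs); check them against
# the header of the system that wrote the disk.
MAGIC_OFF = 1372  # fs_magic, last int32 of struct fs
MAGICS = {0x00011954: "UFS1", 0x19540119: "UFS2"}
NCG_OFF = 44      # fs_ncg, followed by fs_bsize (48) and fs_fsize (52)
SB_LEN = MAGIC_OFF + 4
SECTOR = 512


def plausible(bsize, fsize):
    """Reject stray magic values: block/fragment sizes must be sane."""
    pow2 = lambda n: n > 0 and n & (n - 1) == 0
    return (pow2(bsize) and pow2(fsize) and 4096 <= bsize <= 65536
            and fsize <= bsize and bsize // fsize <= 8)


def scan_superblocks(img, endian="<"):
    """Yield (offset, kind, ncg, bsize, fsize) per candidate superblock.

    img: seekable binary file. endian "<" assumes a little-endian (x86)
    filesystem. Every sector boundary is tested, so backup copies inside
    cylinder groups are reported along with the primary.
    """
    off = 0
    while True:
        img.seek(off)
        sb = img.read(SB_LEN)
        if len(sb) < SB_LEN:  # end of (possibly truncated) image
            return
        (magic,) = struct.unpack_from(endian + "I", sb, MAGIC_OFF)
        if magic in MAGICS:
            ncg, bsize, fsize = struct.unpack_from(endian + "Iii", sb, NCG_OFF)
            if plausible(bsize, fsize):
                yield off, MAGICS[magic], ncg, bsize, fsize
        off += SECTOR


def constructed_image():
    """Constructed 128 KiB sample: UFS1 at 8192, UFS2 at 65536, stray magic."""
    buf = bytearray(128 * 1024)
    for off, magic, bsize, fsize in ((8192, 0x00011954, 16384, 2048),
                                     (65536, 0x19540119, 32768, 4096),
                                     (20480, 0x19540119, 0, 0)):
        struct.pack_into("<Iii", buf, off + NCG_OFF, 4, bsize, fsize)
        struct.pack_into("<I", buf, off + MAGIC_OFF, magic)
    return io.BytesIO(buf)
```

On a real image, open the file with `open(path, "rb")` and pass it to `scan_superblocks`; copies that agree on ncg, bsize and fsize are the ones worth trying as an alternate superblock.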