From owner-freebsd-hackers@FreeBSD.ORG Fri Jun 13 19:54:21 2014 Return-Path: Delivered-To: freebsd-hackers@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id D8034D8B for ; Fri, 13 Jun 2014 19:54:21 +0000 (UTC) Received: from luna.schedom-europe.net (luna.schedom-europe.net [193.109.184.86]) by mx1.freebsd.org (Postfix) with SMTP id 43D072036 for ; Fri, 13 Jun 2014 19:54:20 +0000 (UTC) Received: (qmail 13582 invoked by uid 507); 13 Jun 2014 21:47:38 +0200 X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on luna.schedom-europe.net X-Spam-Level: ************** X-Spam-Status: No, score=14.9 required=15.0 tests=BAYES_99, FH_DATE_PAST_20XX, HELO_LH_HOME, RCVD_IN_PBL, RDNS_DYNAMIC autolearn=disabled version=3.2.5 Received: from ip-83-101-50-142.customer.schedom-europe.net (HELO bennypc.home) (83.101.50.142) by luna.schedom-europe.net with SMTP; 13 Jun 2014 21:47:30 +0200 Message-ID: <539B5555.80506@belgacom.net> Date: Fri, 13 Jun 2014 21:47:33 +0200 From: Benny Goemans User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:24.0) Gecko/20100101 Thunderbird/24.5.0 MIME-Version: 1.0 To: freebsd-hackers@freebsd.org Subject: Re: picking data out of a UFS image References: <20140613145246.DB840C00AA@smtp.hushmail.com> <20140613153107.GX31367@funkthat.com> <1402684211.35278.0.camel@jill.exit.com> In-Reply-To: <1402684211.35278.0.camel@jill.exit.com> Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 13 Jun 2014 19:54:21 -0000 On 06/13/14 20:30, Frank Mayhar wrote: > On Fri, 2014-06-13 at 08:31 -0700, John-Mark Gurney wrote: >> falcon17@hushmail.com wrote this message on Fri, Jun 13, 2014 at 07:52 -0700: >>> I had an old dying disk and I managed to make a dd image of half of it >>> before it went completely bellyup. When I have done this in the past I >>> have been able to use the sleuth kit ffind, fls, etc to dig around, or >>> even vnconfig and mount the whole image. This time none of that is >>> working, in fact it claims bad superblock altho I think I found an >>> alternate that works. >>> In any case I am able to find some textual data when I simply hexdump >>> or strings the image, and some of that is what I was looking to >>> recover. Is it reasonably easy to work backwards from that, say, using >>> the location I found for the start of this file, to search backwards >>> and hunt down its inode? Maybe work from there to pick out others? >>> I guess what I am looking for is a little guidance on picking out UFS >>> data structures manually. Thanks! >> I developed a python script to extract data from a broken FFS... the >> sources are here: >> https://people.freebsd.org/~jmg/ffsrecov/ >> >> It's been a long time since I've looked at it, but should help you.. > There's also sysutils/ffs2recov in ports. Although that, too, hasn't > been touched in a long time. If it doesn't matter that you lose your filesystem structure (directories and filenames) you could use photorec (in ports under sysutils/testdisk). Contradictory to its name it is able to recover a large collection of files based on their headers. If you're trying to do this manually, that tool could possibly help you. I know it can read UFS since I'm using it right now on an image pulled from an SD card. Regards, Benny Goemans ps. if you should be able to get the disk back up, try ddrescue, it'll backup more then standard dd (with retries etc)