Date:      Fri, 13 Jun 2014 11:30:11 -0700
From:      Frank Mayhar <frank@exit.com>
To:        John-Mark Gurney <jmg@funkthat.com>
Cc:        freebsd-hackers@freebsd.org, falcon17@hushmail.com
Subject:   Re: picking data out of a UFS image
Message-ID:  <1402684211.35278.0.camel@jill.exit.com>
In-Reply-To: <20140613153107.GX31367@funkthat.com>
References:  <20140613145246.DB840C00AA@smtp.hushmail.com> <20140613153107.GX31367@funkthat.com>

On Fri, 2014-06-13 at 08:31 -0700, John-Mark Gurney wrote:
> falcon17@hushmail.com wrote this message on Fri, Jun 13, 2014 at 07:52 -0700:
> > I had an old dying disk and I managed to make a dd image of half of it
> > before it went completely belly up. When I have done this in the past I
> > have been able to use the sleuth kit ffind, fls, etc to dig around, or
> > even vnconfig and mount the whole image. This time none of that is
> > working, in fact it claims bad superblock although I think I found an
> > alternate that works.
> > In any case I am able to find some textual data when I simply hexdump
> > or strings the image, and some of that is what I was looking to
> > recover. Is it reasonably easy to work backwards from that, say, using
> > the location I found for the start of this file, to search backwards
> > and hunt down its inode? Maybe work from there to pick out others?
> > I guess what I am looking for is a little guidance on picking out UFS
> > data structures manually. Thanks!
>
> I developed a Python script to extract data from a broken FFS... the
> sources are here:
> https://people.freebsd.org/~jmg/ffsrecov/
>
> It's been a long time since I've looked at it, but should help you.

There's also sysutils/ffs2recov in ports.  Although that, too, hasn't
been touched in a long time.
--
Frank Mayhar
frank@exit.com
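
Added example, not part of this thread and not code from ffsrecov or ffs2recov: when the primary superblock is reported bad, candidate superblock copies in a raw image can be located by scanning sector-aligned offsets for the UFS magic number and checking that the block geometry next to it is self-consistent. The magic values and field offsets are those of `struct fs` in FreeBSD's `sys/ufs/ffs/fs.h`; the little-endian layout, the function names and the sample image are assumptions of this example.

```python
import mmap
import struct
import sys

# Constants from struct fs in FreeBSD's sys/ufs/ffs/fs.h.
MAGICS = {0x00011954: "UFS1", 0x19540119: "UFS2"}
MAGIC_OFF = 1372   # fs_magic is the last field of the superblock
BSIZE_OFF = 48     # fs_bsize, immediately followed by fs_fsize and fs_frag

def plausible(bsize, fsize, frag):
    """Reject chance magic matches: block geometry must be self-consistent."""
    return (4096 <= bsize <= 65536 and bsize & (bsize - 1) == 0
            and frag in (1, 2, 4, 8) and fsize * frag == bsize)

def find_superblocks(image, sector=512):
    """Return (offset, kind, bsize, fsize) for each candidate superblock.

    image is any bytes-like object, e.g. an mmap of the dd image.
    Assumes a little-endian file system (i386/amd64).
    """
    hits = []
    for off in range(0, len(image) - MAGIC_OFF - 3, sector):
        (magic,) = struct.unpack_from("<I", image, off + MAGIC_OFF)
        kind = MAGICS.get(magic)
        if kind is None:
            continue
        bsize, fsize, frag = struct.unpack_from("<3i", image, off + BSIZE_OFF)
        if plausible(bsize, fsize, frag):
            hits.append((off, kind, bsize, fsize))
    return hits

def build_sample():
    """Constructed 256 KiB image: two UFS2 superblocks and one decoy."""
    img = bytearray(256 * 1024)
    for off in (65536, 163840):        # constructed positions, not real layout
        struct.pack_into("<3i", img, off + BSIZE_OFF, 32768, 4096, 8)
        struct.pack_into("<I", img, off + MAGIC_OFF, 0x19540119)
    struct.pack_into("<I", img, 8192 + MAGIC_OFF, 0x00011954)  # magic only
    return bytes(img)

if __name__ == "__main__":
    if len(sys.argv) > 1:              # scan a real image, opened read-only
        with open(sys.argv[1], "rb") as f:
            data = mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)
    else:
        data = build_sample()
    for off, kind, bsize, fsize in find_superblocks(data):
        print(f"{kind} superblock candidate at byte {off} "
              f"(bsize={bsize}, fsize={fsize})")
```

Each hit is only a candidate: on a half-copied disk the fields beyond the ones checked here may still be damaged.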