picking data out of a UFS image
Frank Mayhar
frank at exit.com
Fri Jun 13 18:30:14 UTC 2014
On Fri, 2014-06-13 at 08:31 -0700, John-Mark Gurney wrote:
> falcon17 at hushmail.com wrote this message on Fri, Jun 13, 2014 at 07:52 -0700:
> > I had an old dying disk and I managed to make a dd image of half of it
> > before it went completely bellyup. When I have done this in the past I
> > have been able to use the sleuth kit ffind, fls, etc to dig around, or
> > even vnconfig and mount the whole image. This time none of that is
> > working, in fact it claims bad superblock altho I think I found an
> > alternate that works.
> > In any case I am able to find some textual data when I simply hexdump
> > or strings the image, and some of that is what I was looking to
> > recover. Is it reasonably easy to work backwards from that, say, using
> > the location I found for the start of this file, to search backwards
> > and hunt down its inode? Maybe work from there to pick out others?
> > I guess what I am looking for is a little guidance on picking out UFS
> > data structures manually. Thanks!
>
> I developed a python script to extract data from a broken FFS... the
> sources are here:
> https://people.freebsd.org/~jmg/ffsrecov/
>
> It's been a long time since I've looked at it, but should help you..
There's also sysutils/ffs2recov in ports. Although that, too, hasn't
been touched in a long time.
--
Frank Mayhar
frank at exit.com
More information about the freebsd-hackers
mailing list