I have a ddrescue image containing data from a Btrfs partition whose first GBs were overwritten. Therefore, the filesystem cannot be mounted, so the files cannot be accessed through any filesystem as such — only as raw data. I have already tried using TestDisk / PhotoRec to carve out data from this dd image, and I was able to recover many files. Yet, what I now need is to be able to explore this dd image more thoroughly, and interactively (as opposed to using some automated file recovery software). How can I do it?
1 Answer
Here’s a rough idea to get you started:
- Create an (empty) filesystem that’s as similar as possible to the one that was clobbered. I guess making it the same size is probably fairly important; try to replicate as many other parameters as you can remember, recover, or reconstruct.
- Estimate how much of your filesystem got overwritten; let’s say that it was 3 GB.
- Make a copy of your image, and overwrite its first 3 GB with the first 3 GB of the empty filesystem.
- See what progress you can make on that hybrid image.
At first I was going to suggest that you use debugfs, but then I recalled that it supports only ext2/ext3/ext4 filesystems. But see if you can find tools that handle your filesystem type. Try searching for “computer forensic tools”.
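The steps in the answer above, as an added shell sketch that is not part of the original answer. The helper names `make_template` and `make_hybrid` and all file names are hypothetical; GNU coreutils and btrfs-progs are assumed.

```shell
#!/usr/bin/env bash
# Added example: build the "hybrid" image described in the answer.
# make_template / make_hybrid are hypothetical helper names.

# Step 1: an empty Btrfs filesystem the same size as the damaged image.
# Assumes btrfs-progs is installed; mkfs.btrfs accepts a regular file.
make_template() {            # usage: make_template IMAGE TEMPLATE
    local size
    size=$(wc -c < "$1") || return 1
    truncate -s "$size" "$2" && mkfs.btrfs "$2" > /dev/null
}

# Steps 2-3: copy the image, then overwrite the first NBYTES of the copy
# with the first NBYTES of the template. The original is only ever read.
make_hybrid() {              # usage: make_hybrid IMAGE TEMPLATE NBYTES OUT
    local image=$1 template=$2 nbytes=$3 out=$4 isize tsize
    [ -e "$out" ] && { echo "refusing to overwrite $out" >&2; return 1; }
    isize=$(wc -c < "$image") || return 1
    tsize=$(wc -c < "$template") || return 1
    if [ "$nbytes" -gt "$isize" ] || [ "$nbytes" -gt "$tsize" ]; then
        echo "NBYTES exceeds image or template size" >&2
        return 1
    fi
    cp --sparse=always "$image" "$out" || return 1
    # conv=notrunc matters: without it dd truncates OUT after the spliced
    # head and everything past NBYTES in the copy is lost.
    head -c "$nbytes" "$template" | dd of="$out" bs=1M conv=notrunc 2> /dev/null
}

# For the 3 GB estimate used in the answer (file names are placeholders):
#   make_template rescued.img template.img
#   make_hybrid   rescued.img template.img $((3 * 1024 * 1024 * 1024)) hybrid.img
```

Mount or inspect only the hybrid copy, read-only where possible, so the ddrescue image stays untouched for further attempts with a different size estimate.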