Recovering text files in terminal using grep on Mac OS X Snow Leopard

3

I foolishly removed some source code from my Mac OS X Snow Leopard machine with rm -rf when doing something with buildout. I want to try and recover these files again. I haven't touched the system since to try and seek an answer.

I found this article and it seems like the grep method is the way to go, but when running it on my machine I'm getting 'Resource busy' when trying to run it on the disk.

I'm using this command:

sudo grep -a -B1000 -A1000 'video_output' /dev/disk0s2 > file.txt

Where 'dev/disk0s2' is what came up when I ran df.

I get this when running:

grep: /dev/disk0s2: Resource busy

I'm not an expert with this stuff, I'm trying my best. Please can anyone help me further? I'm on the verge of losing two days of source code work!

Thank you

littlejim84

Posted 2010-02-18T17:40:50.543

Reputation: 123

Answers

1

Try this with an Ubuntu LiveCD (here) or GPartEd boot CD (here) or something similar where you can boot from CD and not your hard drive partition (assuming you have another computer where you can download and burn one of those). Even if they don't understand the HFS+ file system they will be able to read it in raw format.

This will be the safest way. For once, the operating system will not lock the drive and you won't run into the risk tha the swap file or temp files will overwrite the precious free blocks.

Nicholaz

Posted 2010-02-18T17:40:50.543

Reputation: 1 479

2Try booting with the Mac OS X DVD. – Studer – 2010-02-18T20:08:35.790

1

Once you boot to some other device you'll need to keep in mind that if you are grepping for the filename you might not be getting what you want since the file name isn't in the file itself - unless you included it in comments or something.

You'll need to grep for some phrase that you know is in the file.

jch

Posted 2010-02-18T17:40:50.543

Reputation: 166

0

You will have to grep the disk instead of the disk slice. Using my machine as an example,

$ diskutil list
/dev/disk0
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *240.1 GB   disk0
   1:                        EFI EFI                     209.7 MB   disk0s1
   2:                  Apple_HFS Sandisk 240G            239.2 GB   disk0s2
   3:                 Apple_Boot Recovery HD             650.0 MB   disk0s3

disk0 is the entire disk, and disk0s2 is the partition where I deleted the file. Grep does not work on disk slice

$ sudo grep --binary-files=text --context=10 '192.168.1.196' /dev/disk0s2 > recovered.txt
Password:
grep: /dev/disk0s2: Resource busy

But works on the disk itself

$ sudo grep --binary-files=text --context=10 '192.168.1.196' /dev/disk0 > recovered.txt

Caution

grep'ing raw disks in OSX does not work - and will crash OSX. When I ran the command above, Activity Monitor shows grep reading data rapidly. After reading about 3GB, OSX hung and I had to reboot.

hanxue

Posted 2010-02-18T17:40:50.543

Reputation: 2 354

Asked: 2010-02-18T17:40:50.543

Viewed: 2 217 times

Active: 2015-12-15T07:00:08.877