How to explore a ddrescue image manually / interactively?

1

I have a ddrescue image containing data from a Btrfs partition whose first GBs were overwritten. Therefore, the filesystem cannot be mounted, so the files cannot be accessed through any filesystem as such — only as raw data. I have already tried using TestDisk / PhotoRec to carve out data from this dd image, and I was able to recover many files. Yet, what I now need is to be able to explore this dd image more thoroughly, and interactively (as opposed to using some automated file recovery software). How can I do it?

Tocell

Posted 2017-11-10T18:53:45.867

Reputation: 31

Answers

0

Here’s a rough idea to get you started:

  • Create an (empty) filesystem that’s as similar as possible to the one that was clobbered.  I guess making it the same size is probably fairly important; try to replicate as many other parameters as you can remember, recover, or reconstruct.
  • Estimate how much of your filesystem got overwritten; let’s say that it was 3 GB.
  • Make a copy of your image, and overwrite its first 3 GB with the first 3 GB of the empty filesystem.
  • See what progress you can make on that hybrid image.

At first I was going to suggest that you use debugfs, but then I recalled that it supports only ext2/ext3/ext4 filesystems.  But see if you can find tools that handle your filesystem type.  Try searching for “computer forensic tools”.

G-Man Says 'Reinstate Monica'

Posted 2017-11-10T18:53:45.867

Reputation: 6 509
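
The splice step from the answer above, as an added example that is not part of the original answer: it builds the hybrid on a copy, so the rescued image is never written to, and checks that only the first bytes changed. The function names `make_hybrid` and `verify_hybrid` and the file names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the answer): build the "hybrid" image on a copy.
# Donor creation is outside this script, e.g. a sparse file of the same size
# formatted with mkfs.btrfs (assumption: btrfs-progs is installed):
#   truncate -s "$(wc -c < rescued.img)" donor.img && mkfs.btrfs donor.img

# make_hybrid RESCUED DONOR OUT NBYTES
# Copies RESCUED to OUT, then replaces the first NBYTES of OUT with DONOR's.
make_hybrid() {
    mh_src=$1; mh_donor=$2; mh_out=$3; mh_n=$4
    [ -f "$mh_src" ] && [ -f "$mh_donor" ] || { echo "missing input" >&2; return 1; }
    # Never write into an existing file: the rescued image must stay pristine.
    [ ! -e "$mh_out" ] || { echo "refusing to overwrite $mh_out" >&2; return 1; }
    mh_size=$(( $(wc -c < "$mh_src") ))
    [ "$mh_size" -eq $(( $(wc -c < "$mh_donor") )) ] || { echo "size mismatch" >&2; return 1; }
    [ "$mh_n" -gt 0 ] && [ "$mh_n" -le "$mh_size" ] || { echo "bad byte count" >&2; return 1; }
    cp "$mh_src" "$mh_out" || return 1
    # conv=notrunc: overwrite in place, keep everything after the first NBYTES.
    head -c "$mh_n" "$mh_donor" | dd of="$mh_out" bs=65536 conv=notrunc 2>/dev/null || return 1
    verify_hybrid "$mh_src" "$mh_donor" "$mh_out" "$mh_n"
}

# verify_hybrid RESCUED DONOR OUT NBYTES
# The head of OUT must match DONOR and the tail of OUT must match RESCUED.
verify_hybrid() {
    vh_n=$4
    [ "$(head -c "$vh_n" "$3" | cksum)" = "$(head -c "$vh_n" "$2" | cksum)" ] || return 1
    [ "$(tail -c +"$((vh_n + 1))" "$3" | cksum)" = "$(tail -c +"$((vh_n + 1))" "$1" | cksum)" ] || return 1
}
```

For the 3 GB estimate used in the answer, the call would be `make_hybrid rescued.img donor.img hybrid.img $((3 * 1024 * 1024 * 1024))`.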