Re: hints for scanning msdosfs patters?
vladas wrote:
>
> Thank you for all these good ideas.
> I will check them out.
>
> vladas
>

Foremost might help too. It looks for file headers/footers. Don't know if it
will help on a very fragmented FAT, but it worked for me on an ext3
partition, where I deleted some files. The only problem is that it does not
recover the name of the file (not much of a problem), and it finds a lot of
duplicate files. Many of them are parts of the other and/or vice-versa. I've
used a tool called fdupes, that checks for size, md5 and other things to find
duplicates, then delete one (or more) of the duplicated files, leaving just
one of them.

My 2 cents,

--
Giancarlo Razzolini
Linux User 172199
Moleque Sem Conteudo Numero #002
Slackware Current
OpenBSD Stable
Snike Tecnologia em Informatica
4386 2A6F FFD4 4D5F 5842 6EA0 7ABE BBAB 9C0E 6B85

Re: hints for scanning msdosfs patters?
On 07/07/06, Joachim Schipper <[EMAIL PROTECTED]> wrote:
> On Thu, Jul 06, 2006 at 08:56:55PM +0900, vladas wrote:
> > Hi all.
> >
> > I have fd up the first 10Mb of the 3Gb fat disk
> > (not partition, the whole 3Gb disk) full of windoze
> > shit. Then, due to time limits, made some sort
> > of backup of the mess with dd and put Puffy into
> > that disk (dedicated install). The problem is that
> > management needs some of that stuff back <..>.
> >
> > I would be grateful if anybody could give any hints
> > on how to grep the 3Gb backup image for any msdosfs
> > patterns so that I could get at least some of the
> > individual files back. Sorry for asking it like that
> > instead of just reading mount_msdos src silently
> > - maybe someone had this before..
> >
> > I am posting this to misc@ because Puffy is the
> > only OS I run.
> >
> > Would be grateful for any hint etc.
>
> 'Keep backups' is the best one, but probably a bit late. (Unless you were
> told you could delete the data, in which case a clue by four might be
> appropriate.)
>
> Several good suggestions have already been given, so I'll not repeat
> them. Aside from Wietse Venema's The Coroner's Toolkit (TCT), there is
> also the Sleuth Kit. It's more modern and presumably has a more friendly
> interface (TCT, while a good tool, does not quite shine there). I am
> fairly certain it does FAT as well, but I have no clue if it would work
> in this case - it's really meant for finding deleted/hidden files in
> intact filesystems. However, at least 'sigfind' from the Sleuth Kit might
> be useful, if you know what you are looking for (and willing to spend
> lots of time).
>
> However, in case you only destroyed the partition table, but not the
> partition in question (i.e., the partition you want to recover data
> from), I have had personal success with a Knoppix disk, a loopback device
> with an offset

Tried this in the very first place with no result.
First 10Mb appeared to be a lot:)

> (this does not seem to be supported on OpenBSD), and just mounting it.
> Of course, one could simulate this on OpenBSD by exploiting the magic of
> dd(1), vnd(4), and mount_msdos(8), too. Of course, this requires you to
> know the exact starting byte of the filesystem, but other tools exist to
> help with that.
>
> In this case, someone who shut down Partition Magic because it was taking
> too long, it worked just fine, over the phone no less.
>
> Joachim

Thank you for all these good ideas.
I will check them out.

vladas

Re: hints for scanning msdosfs patters?
On Thu, Jul 06, 2006 at 08:56:55PM +0900, vladas wrote:
> Hi all.
>
> I have fd up the first 10Mb of the 3Gb fat disk
> (not partition, the whole 3Gb disk) full of windoze
> shit. Then, due to time limits, made some sort
> of backup of the mess with dd and put Puffy into
> that disk (dedicated install). The problem is that
> management needs some of that stuff back <..>.
>
> I would be grateful if anybody could give any hints
> on how to grep the 3Gb backup image for any msdosfs
> patterns so that I could get at least some of the
> individual files back. Sorry for asking it like that
> instead of just reading mount_msdos src silently
> - maybe someone had this before..
>
> I am posting this to misc@ because Puffy is the
> only OS I run.
>
> Would be grateful for any hint etc.

'Keep backups' is the best one, but probably a bit late. (Unless you were
told you could delete the data, in which case a clue by four might be
appropriate.)

Several good suggestions have already been given, so I'll not repeat
them. Aside from Wietse Venema's The Coroner's Toolkit (TCT), there is
also the Sleuth Kit. It's more modern and presumably has a more friendly
interface (TCT, while a good tool, does not quite shine there). I am
fairly certain it does FAT as well, but I have no clue if it would work
in this case - it's really meant for finding deleted/hidden files in
intact filesystems. However, at least 'sigfind' from the Sleuth Kit might
be useful, if you know what you are looking for (and willing to spend
lots of time).

However, in case you only destroyed the partition table, but not the
partition in question (i.e., the partition you want to recover data
from), I have had personal success with a Knoppix disk, a loopback device
with an offset (this does not seem to be supported on OpenBSD), and just
mounting it. Of course, one could simulate this on OpenBSD by exploiting
the magic of dd(1), vnd(4), and mount_msdos(8), too. Of course, this
requires you to know the exact starting byte of the filesystem, but other
tools exist to help with that.

In this case, someone who shut down Partition Magic because it was taking
too long, it worked just fine, over the phone no less.

Joachim

Re: hints for scanning msdosfs patters?
> Seems like a small tax on people who don't keep decent backups.

Yeah, that's me.

Thank you all so much for the links.

vladas

Re: hints for scanning msdosfs patters?
Hi Nick,

On 2006.07.07, at 2:51 PM, Nick Guenther wrote:

> I've used R-Studio and it works quite well (and quickly so long as you
> keep your computer out of screensavers and things). It's somewhat
> expensive at 100$. It works by just scanning the disk for signatures of
> files, and is usually able to recover a lot.
> http://www.r-studio.com/

$100 seems cheap to me for something which works, given the desperation
when it's needed. Seems like a small tax on people who don't keep decent
backups. Like me, once upon a time. ; )

I've been wanting to try R-Studio, since it has FFS support. I'll switch
to it if it's as good as GDB.

Shane

Re: hints for scanning msdosfs patters?
On 7/6/06, Shane J Pearson <[EMAIL PROTECTED]> wrote:
> Hello Vladas,
>
> On 2006.07.06, at 9:56 PM, vladas wrote:
>
> > I have fd up the first 10Mb of the 3Gb fat disk
> > (not partition, the whole 3Gb disk) full of windoze
> > shit. Then, due to time limits, made some sort
> > of backup of the mess with dd and put Puffy into
> > that disk (dedicated install). The problem is that
> > management needs some of that stuff back <..>.
> >
> > I would be grateful if anybody could give any hints
> > on how to grep the 3Gb backup image for any msdosfs
> > patterns so that I could get at least some of the
> > individual files back. Sorry for asking it like that
> > instead of just reading mount_msdos src silently
> > - maybe someone had this before..
> >
> > I am posting this to misc@ because Puffy is the
> > only OS I run.
>
> Do you have access to a Windows machine? The best file recovery
> applications for FAT file systems I have found, are Windows apps, oddly
> enough.
>
> I have had great success with "Get Data Back". It is comparatively very
> cheap yet was the best I have tried even amongst file recovery apps
> costing thousands. They sell the FAT and NTFS versions separately. In
> fact it finds files from multiple old file-systems which even the
> "Forensic Tool Kit" does not find. I have used GDB ($ $) to complement
> FTK () in the past.
>
> http://www.runtime.org/gdb.htm
>
> BTW, I have no affiliation with Runtime. It just saved my bacon once
> under a pretty bleak situation (girlfriend's data! Yikes). I've since
> recommended it to others who also found it to get their data back.
>
> A friend of mine had a motherboard die, he was using the motherboard's
> built in IDE "RAID" 0. I told him about GDB, I thought he tried it and it
> worked for him. But I've since noticed that Runtime now has recovery
> software specifically for disks used in a RAID, which might have been
> what he used. Regardless, Runtime even got his files back.

I've used R-Studio and it works quite well (and quickly so long as you
keep your computer out of screensavers and things). It's somewhat
expensive at 100$. It works by just scanning the disk for signatures of
files, and is usually able to recover a lot.
http://www.r-studio.com/

-Nick

Re: hints for scanning msdosfs patters?
Hello Vladas,

On 2006.07.06, at 9:56 PM, vladas wrote:

> I have fd up the first 10Mb of the 3Gb fat disk
> (not partition, the whole 3Gb disk) full of windoze
> shit. Then, due to time limits, made some sort
> of backup of the mess with dd and put Puffy into
> that disk (dedicated install). The problem is that
> management needs some of that stuff back <..>.
>
> I would be grateful if anybody could give any hints
> on how to grep the 3Gb backup image for any msdosfs
> patterns so that I could get at least some of the
> individual files back. Sorry for asking it like that
> instead of just reading mount_msdos src silently
> - maybe someone had this before..
>
> I am posting this to misc@ because Puffy is the
> only OS I run.

Do you have access to a Windows machine? The best file recovery
applications for FAT file systems I have found, are Windows apps, oddly
enough.

I have had great success with "Get Data Back". It is comparatively very
cheap yet was the best I have tried even amongst file recovery apps
costing thousands. They sell the FAT and NTFS versions separately. In
fact it finds files from multiple old file-systems which even the
"Forensic Tool Kit" does not find. I have used GDB ($ $) to complement
FTK () in the past.

Last time I tried GDB, I believe it accepted images as one large image,
or images broken up into portions, but with the limitation that the
portions must be 688,128,000 bytes in size. If you need to run GDB on a
system limited to 2GB files, then use split(1) to break the big dd image
into the size GDB needs. The standard suffix split uses is fine for GDB.

Run GDB against the files, answer a few simple questions and after a
while you might find a file listing of the old files, ready to be copied
off. BTW, GDB *can* get data back even if both FATs are completely gone
(it has for me).

http://www.runtime.org/gdb.htm

BTW, I have no affiliation with Runtime. It just saved my bacon once
under a pretty bleak situation (girlfriend's data! Yikes). I've since
recommended it to others who also found it to get their data back.

A friend of mine had a motherboard die, he was using the motherboard's
built in IDE "RAID" 0. I told him about GDB, I thought he tried it and it
worked for him. But I've since noticed that Runtime now has recovery
software specifically for disks used in a RAID, which might have been
what he used. Regardless, Runtime even got his files back.

Good luck,

Shane

Re: hints for scanning msdosfs patters?
Thank you all for your really informative replies.
Re: hints for scanning msdosfs patters?
On 6 July 2006, vladas <[EMAIL PROTECTED]> wrote:
[...]
> I was not clear enough in the first place: due to the first 10Mb being
> gone, I do not expect to find any valid fs anymore. What I still hope
> for are individual files from the 3Gb image file that I have. I mean
> e.g. exe's, or dll's, zip's, lha's etc should have their size written
> in them or their data structures, not only fs, as well.
>
> So that e.g. for exe's I would find their "MZ" beginning chars, size
> after them and seek until the end by the size.
[...]

There are normally two copies of FAT. I'm too lazy to check how large
they should be for a 3 GB fs, but I guess you erased both. Looking for
signatures like MZ and PK will get you the first block in a file. Without
FAT however you won't be able to locate any subsequent blocks. Depending
on how fragmented the fs was when you erased the FAT, there is a tiny
chance some of the blocks are contiguous, but that's just about all you
can hope for.

You can try lazarus from Wietse Venema's Coroner Toolkit:

http://www.porcupine.org/forensics/tct.html

However, like I said, I doubt you'll get very far without FAT.

Regards,

Liviu Daia

--
Dr. Liviu Daia
http://www.imar.ro/~daia

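Added example, not part of the thread: the signature scan discussed above (find "MZ" and "PK" headers, then use the sizes stored inside the file format), written as a small Python carver. It assumes each file is stored contiguously, which is exactly the limitation Liviu describes; the function names and the sample image are constructed for illustration, and the buffer can equally be an `mmap` of the dd image.

```python
import io, struct, zipfile

SECTOR = 512  # FAT clusters begin on sector boundaries, so only those offsets are tested

def pe_size(buf, off):
    """Size of a contiguous PE file at off, read from its section table, else None."""
    if buf[off:off + 2] != b"MZ" or off + 0x40 > len(buf):
        return None
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    pe = off + e_lfanew
    if e_lfanew < 0x40 or pe + 24 > len(buf) or buf[pe:pe + 4] != b"PE\0\0":
        return None  # "MZ" alone also occurs in plain data; require the PE header
    nsect, opt = struct.unpack_from("<H12xH", buf, pe + 6)
    table = pe + 24 + opt
    if table + 40 * nsect > len(buf):
        return None
    end = table + 40 * nsect - off
    for i in range(nsect):
        raw_size, raw_ptr = struct.unpack_from("<II", buf, table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end

def zip_size(buf, off):
    """Size of a contiguous ZIP at off, validated by its end-of-central-directory record."""
    if buf[off:off + 4] != b"PK\x03\x04":
        return None
    p = buf.find(b"PK\x05\x06", off)
    while p != -1 and p + 22 <= len(buf):
        cd_size, cd_off, comment_len = struct.unpack_from("<IIH", buf, p + 12)
        if off + cd_off + cd_size == p:  # directory ends exactly where the record starts
            return p + 22 + comment_len - off
        p = buf.find(b"PK\x05\x06", p + 1)
    return None

def scan(buf):
    """Return (offset, kind, size) for every validated header on a sector boundary."""
    hits = []
    for off in range(0, len(buf), SECTOR):
        for kind, sizer in (("exe", pe_size), ("zip", zip_size)):
            size = sizer(buf, off)
            if size:
                hits.append((off, kind, size))
    return hits

def sample_image():
    """Constructed test image: filler, a minimal PE, a bare 'MZ' decoy, a small ZIP."""
    pe = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0"
    pe += struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0)          # COFF header, 1 section
    pe += b".text".ljust(16, b"\0") + struct.pack("<II", 512, 512)  # raw size, raw pointer
    z = io.BytesIO()
    with zipfile.ZipFile(z, "w") as zf:
        zf.writestr("a.txt", "hello")
    zbytes = z.getvalue()
    pad = lambda b: b + b"\0" * (-len(b) % SECTOR)
    return b"\xAA" * 1024 + pe.ljust(1024, b"\0") + pad(b"MZ decoy") + pad(zbytes), len(zbytes)
```

A carved file is only trustworthy if its clusters really were adjacent, so each hit should be written out with its offset and checked (for a ZIP, by testing the archive) before it is handed to anyone.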
Re: hints for scanning msdosfs patters?
>>> vladas 6-Jul-06 13:46 >>>
>
> Thank you for your replies. I was not clear enough in the first place:
> due to the first 10Mb being gone, I do not expect to find any valid fs
> anymore. What I still hope for are individual files from the 3Gb image
> file that I have. I mean e.g. exe's, or dll's, zip's, lha's etc should
> have their size written in them or their data structures, not only fs,
> as well.
>
> So that e.g. for exe's I would find their "MZ" beginning chars, size
> after them and seek until the end by the size. It's gonna be time
> consuming, I know. That is why I asked in the first place.

It is true that the data from most of your files will still be on the
disk. However, the FAT filesystem does not store each file contiguously,
but in chunks called clusters. The maximum cluster size on a FAT
filesystem is 32KB. Files that are not fragmented will have their
clusters adjacent on the disk, but if the disk has been in use for a
while, many files will have their clusters spread out across the disk.

The metadata that the FAT filesystem uses to say which clusters form each
file is the FAT, which is in the first part of the disk, and therefore no
longer available in your case: Your disk will have a cluster size of 32KB
(the maximum permitted by the specification) and a FAT with 32-bit
entries. There will need to be 98,000 (approx) entries in the FAT
(3 GB / 32 KB). 256 32-bit FAT entries fit in 1 KB, so the FAT will have
taken up 380 KB or so. Even though there are usually two copies of the
FAT, both will be gone.

> I dared to ask about it on misc@ because I thought that mount_msdos
> might be more helpful in this case.

Sadly, with the FAT and other control structures gone you are down to
looking for needles in your 3 GB haystack.

Of course, if the FAT filesystem didn't start in the first 10 MB of the
disk, you are much more likely to be able to recover your data.

Otherwise, depending on the data you're looking for, strings(1) may
help :( Or you may need to look for Unicode strings (typically with every
other byte being 0).

Good luck

Tom

Re: hints for scanning msdosfs patters?
vladas wrote:
> due to the first 10Mb being gone, I do not expect to find any valid fs
> anymore. What I still hope for are individual files from the 3Gb image
> file that I have. I mean e.g. exe's, or dll's, zip's, lha's etc should have
> their size written in them or their data structures, not only fs, as well.

If there were more than one partition on the disk the problem isn't as
hard though. I've had great success previously with gpart which you can
find at http://www.stud.uni-hannover.de/user/76201/gpart/.

The program tries to guess how the partition-table looked by scanning the
disk for known filesystem-signatures, and will often be able to recreate
all partitions following the first one in cases like yours.

Best Regards,
Jimmy

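Added example, not part of the thread and not gpart's code: a minimal Python version of the kind of scan described above, limited to FAT boot sectors. It reports the byte offset of each surviving FAT filesystem in an image, which is the "exact starting byte" the dd(1)/vnd(4)/mount_msdos(8) approach mentioned earlier in the thread needs; the function names and the sample image are constructed for illustration.

```python
import struct

SECTOR = 512

def parse_fat_boot_sector(sec):
    """Return BPB-derived fields if sec looks like a FAT boot sector, else None."""
    if len(sec) < SECTOR or sec[510:512] != b"\x55\xaa":
        return None                      # an MBR carries 55 AA too, so keep checking
    if sec[0] != 0xE9 and not (sec[0] == 0xEB and sec[2] == 0x90):
        return None                      # boot sectors start with an x86 jump
    bps, spc, reserved, nfats = struct.unpack_from("<HBHB", sec, 11)
    if bps not in (512, 1024, 2048, 4096) or spc == 0 or spc & (spc - 1):
        return None                      # sectors per cluster must be a power of two
    if reserved == 0 or nfats not in (1, 2):
        return None
    total16 = struct.unpack_from("<H", sec, 19)[0]
    fat16 = struct.unpack_from("<H", sec, 22)[0]
    total32, fat32 = struct.unpack_from("<II", sec, 32)[0], struct.unpack_from("<I", sec, 36)[0]
    fat_sectors, total = fat16 or fat32, total16 or total32  # FAT32 zeroes the 16-bit fields
    if fat_sectors == 0 or total == 0:
        return None
    return {"cluster_bytes": bps * spc, "fat_start": reserved * bps,
            "fat_bytes": fat_sectors * bps, "fat_copies": nfats, "fs_bytes": total * bps}

def find_fat_filesystems(image):
    """Return one dict per plausible FAT boot sector, with its byte offset in the image."""
    hits = []
    for off in range(0, len(image) - SECTOR + 1, SECTOR):
        info = parse_fat_boot_sector(image[off:off + SECTOR])
        if info:
            info["offset"] = off
            hits.append(info)
    return hits

def sample_image():
    """Constructed image: an MBR-style decoy in sector 0, a FAT16 boot sector at sector 63."""
    img = bytearray(128 * SECTOR)
    img[510:512] = b"\x55\xaa"                              # decoy: signature, no jump or BPB
    bs = 63 * SECTOR
    img[bs:bs + 3] = b"\xeb\x3c\x90"
    struct.pack_into("<HBHB", img, bs + 11, 512, 4, 1, 2)   # 2 KB clusters, 2 FAT copies
    struct.pack_into("<H", img, bs + 19, 65)                # total sectors
    struct.pack_into("<H", img, bs + 22, 1)                 # sectors per FAT
    img[bs + 510:bs + 512] = b"\x55\xaa"
    return bytes(img)
```

`fat_start` and `fat_bytes` are relative to the filesystem's own offset; comparing `offset + fat_start + fat_bytes * fat_copies` with the size of the overwritten region shows whether the allocation tables of a found filesystem survived.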
Re: hints for scanning msdosfs patters?
> if there was only one partition with FAT, you're out of luck with any
> standard tool because the fat is within the first 10 mb. there are tools
> out there (google something like 'file recovery FAT'), but I don't know
> whether such exist for OpenBSD: In any case, the more fragmented the FAT
> was, the less is the chance of reviving something meaningful.

> Seriously. Recovering messed up file systems is not something you can do
> if you don't know how to do it. You can't learn it when you need it
> nownownow. And no one will do it for you unless you pay them. ibas are
> the best.
>
> And reading the source to mount_msdos won't help you a bit since it
> doesn't do much more than set up some trivial arguments and call mount(2).

Thank you for your replies. I was not clear enough in the first place:
due to the first 10Mb being gone, I do not expect to find any valid fs
anymore. What I still hope for are individual files from the 3Gb image
file that I have. I mean e.g. exe's, or dll's, zip's, lha's etc should
have their size written in them or their data structures, not only fs,
as well.

So that e.g. for exe's I would find their "MZ" beginning chars, size
after them and seek until the end by the size. It's gonna be time
consuming, I know. That is why I asked in the first place.

I dared to ask about it on misc@ because I thought that mount_msdos
might be more helpful in this case.

Thank you so much for the time.

Re: hints for scanning msdosfs patters?
On 7/6/06, vladas <[EMAIL PROTECTED]> wrote:
> I have fd up the first 10Mb of the 3Gb fat disk
> (not partition, the whole 3Gb disk) full of windoze
> shit. Then, due to time limits, made some sort
> of backup of the mess with dd and put Puffy into
> that disk (dedicated install). The problem is that
> management needs some of that stuff back <..>.

if there was only one partition with FAT, you're out of luck with any
standard tool because the fat is within the first 10 mb. there are tools
out there (google something like 'file recovery FAT'), but I don't know
whether such exist for OpenBSD: In any case, the more fragmented the FAT
was, the less is the chance of reviving something meaningful.

--knitti

hints for scanning msdosfs patters?
Hi all.

I have fd up the first 10Mb of the 3Gb fat disk
(not partition, the whole 3Gb disk) full of windoze
shit. Then, due to time limits, made some sort
of backup of the mess with dd and put Puffy into
that disk (dedicated install). The problem is that
management needs some of that stuff back <..>.

I would be grateful if anybody could give any hints
on how to grep the 3Gb backup image for any msdosfs
patterns so that I could get at least some of the
individual files back. Sorry for asking it like that
instead of just reading mount_msdos src silently
- maybe someone had this before..

I am posting this to misc@ because Puffy is the
only OS I run.

Would be grateful for any hint etc.