$ sudo port install testdisk
The bove command installs both testdisk and photorec on osx. To run issue:
$ sudo photorec /log
Then follow the instructions in the command line. But before you run the recovery tool you'll have to find the drive you're attempting to recover from. This is done by using mount
$ mount
/dev/disk1 on / (hfs, local, journaled)
devfs on /dev (devfs, local, nobrowse)
localhost:/cZw0sWXSBvue3biH9HC_QR on /Volumes/MobileBackups (mtmfs, nosuid, read-only, nobrowse)
map -hosts on /net (autofs, nosuid, automounted, nobrowse)
map auto_home on /home (autofs, automounted, nobrowse)The /dev/disk1 using the hfs filesystem is the one I'd like to recover stuff from, you can also use the diskutil program.
$ diskutil list
/dev/disk0 (internal, physical):
#: TYPE NAME SIZE IDENTIFIER
0: GUID_partition_scheme *500.1 GB disk0
1: EFI EFI 209.7 MB disk0s1
2: Apple_CoreStorage Macintosh HD 499.2 GB disk0s2
3: Apple_Boot Recovery HD 650.0 MB disk0s3
/dev/disk1 (internal, virtual):
#: TYPE NAME SIZE IDENTIFIER
0: Apple_HFS Macintosh HD +498.9 GB disk1
Logical Volume on disk0s2
71E61617-FD0B-4FFA-A432-4FE2737C217D
Unlocked Encrypted
Again /dev/disk1 proves to be the one we're interested in. To recover it:
$ sudo photorec /log
Password:
PhotoRec 7.0, Data Recovery Utility, April 2015
Opens a new process in your terminal:
PhotoRec 7.0, Data Recovery Utility, April 2015
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org
Disk /dev/rdisk0 - 500 GB / 465 GiB (RO)
Partition Start End Size in sectors
2 P Unknown 409640 0 1 975503591 0 1 975093952 [Macintosh HD]
Pass 0 - Reading sector 74387313/975093952, 6/10 headers found
Elapsed time 0h08m58s - Estimated time to completion 1h48m34
Now all you have to do i wait. Photorec creates directories in the folder from which is is run. All these directories are named: recup_dir.* the asterix is replaced with numbers and the folders are filled with files.
$ ls -d ~/re*
/Users/bob/recup_dir.1335 /Users/bob/recup_dir.3194 /Users/bob/recup_dir.5052
/Users/bob/recup_dir.1336 /Users/bob/recup_dir.3195 /Users/bob/recup_dir.5053
/Users/bob/recup_dir.1337 /Users/bob/recup_dir.3196 /Users/bob/recup_dir.5054
/Users/bob/recup_dir.1338 /Users/bob/recup_dir.3197 /Users/bob/recup_dir.5055
<snipped>
/Users/bob/recup_dir.1339 /Users/bob/recup_dir.3198 /Users/bob/recup_dir.5056
Each directory is filled with files
$ ls /Users/bob/recup_dir.5052
f580969344.jpg f580974912.pyc f580980568.pyc f580981752.pl f580982432.gz
<snipped>
f580987152.txt f580987848.txt
Making it possible to use the normal file manipulation programs like: find, grep & sed. If you're looking for *.pdf file say anything with chess in it:
$ find ~/pdf/ -name '*.pdf' -exec pdfgrep -n 'chess' '{}' \;
525: such as chess and checkers.
530:strategic game, such as checkers or chess. We will use, as an example, the much simpler
533: For more complex games, such as checkers and chess, it is obviously infeasible to
533: the position. For instance, in a chess program, the evaluation function measures such vari-
533: mizing this function. The best computer chess programs have surprisingly sophisticated
533: Nevertheless, for computer chess, the single most important factor seems to be number
533: For instance, in a chess endgame, where there are relatively few pieces, the time savings
<snipped>
And there you have it. You can use '-H' in the pdfgrep part of the expression above to get a list of files instead of a linenumber, when you're examining many files like in the expression above this is a great help. If you have many files and directories you'll have to wait just like you did when running photorec. Have fun restoring.
No comments:
Post a Comment