search

Lazza / RecuperaBit

A tool for forensic file system reconstruction.
GNU General Public License v3.0
534 stars 75 forks source link

Command to show partitions only with valid size #94

Open anounyym1 opened 3 years ago

anounyym1 commented 3 years ago

I was recovering my disk that had first 1.4MB overwritten. I assume my VMs on that disks made recovering much harder, since list of recoverable partitions was this: recoverable.txt In case someone else ends up into same situation, I wonder is it possible to add command that would list only recoverable partitions with valid size?

Lazza commented 3 years ago

Can you clarify what you mean by "valid size"?

anounyym1 commented 3 years ago

As you can see on that txt-file, most of found recoverable partitions were showing up as "Partition (NTFS, ??? b". Only few found partitions had some size showing up.

Lazza commented 3 years ago

OK. But why would we want to hide those?

There are partitions with thousands of recoverable files for which simply there is no boot sector (and backup), so we don't know where they end. Conversely, there are "partitions" of 3 MB which probably hold nothing of value that would still show up.

anounyym1 commented 3 years ago

I am pretty sure that my virtual machine images are causing all of these found partitions with no boot sector, so having new command that shows these found partitions with only valid size would speed up process of finding correct partition to recover.

Lazza commented 3 years ago

Just to clarify:

my disk that had first 1.4MB overwritten

If you overwrite the first sector of the specific partition you are looking for, then you already find yourself without one boot sector. Granted, there should be a backup boot sector which the software uses to verify the size, but that could be damaged as well.

Now, regarding the commands, I fully agree that the textual interface needs some revamp. I will leave this request open but I think it will become obsolete when a better textual interface is developed. 😃

anounyym1 commented 3 years ago

Yes I understand that not every case is this easy, but it would be nice to somehow show the most likely results from all recoverable results. After all RecuperaBit did find correct partition, even it took bit while to find it from list. Partition #13613 -> Partition (NTFS, 596.17 GB, 266863 files, Recoverable, Offset: 2048, Offset (b): 1048576, Sec/Clus: 8, MFT offset: 6293504, MFT mirror offset: 2064)