cugu / afro

File recovery for APFS

Any possible reason for "AttributeError: 'PointerValT' object has no attribute 'ov_paddr'"? #13

Open fenggy09 opened 5 years ago

fenggy09 commented 5 years ago

Hi, I've tried afro for recovering deleted files on a raw APFS image (500GB) but the result is always that only "Preboot", "Recovery" and "VM" volumes got recovered but not the volume where the OS is:

ls -l mac001.img.carve_apsb.extracted/
total 0
drwxrwxrwx  4 xx  xxx  128 Apr 15 18:50 Preboot
drwxrwxrwx  4 xx  xxx  128 Apr 15 18:49 Recovery
drwxrwxrwx  5 xx  xxx  160 Apr 15 18:49 VM

The log for carving kept showing errors like:

INFO     Found apsb in block 1060460
INFO     Found apsb in block 1060469
INFO     'PointerValT' object has no attribute 'ov_paddr'
INFO     Found apsb in block 1060657
INFO     'PointerValT' object has no attribute 'ov_paddr'
INFO     Found apsb in block 1060688
INFO     Found apsb in block 1060897
INFO     'ApfsSuperblockT' object has no attribute 'btn_flags'
INFO     Found apsb in block 1060965
INFO     'PointerValT' object has no attribute 'ov_paddr'
INFO     Found apsb in block 1061039
INFO     'PointerValT' object has no attribute 'ov_paddr'
INFO     Found apsb in block 1061457
INFO     'PointerValT' object has no attribute 'ov_paddr'
INFO     Found apsb in block 1061578
INFO     'PointerValT' object has no attribute 'ov_paddr'
INFO     Found apsb in block 1061698
INFO     'PointerValT' object has no attribute 'ov_paddr'
INFO     Found apsb in block 1061742
INFO     'PointerValT' object has no attribute 'ov_paddr'
INFO     Found apsb in block 1061792
INFO     'PointerValT' object has no attribute 'ov_paddr'
INFO     Found apsb in block 1062839
INFO     'PointerValT' object has no attribute 'ov_paddr'
INFO     Found apsb in block 1062842
INFO     Found apsb in block 1063444
INFO     'BtreeNodePhysT' object has no attribute 'om_tree_oid'
INFO     Found apsb in block 1063449
INFO     'BtreeNodePhysT' object has no attribute 'om_tree_oid'
INFO     Found apsb in block 1063666
INFO     'BtreeNodePhysT' object has no attribute 'om_tree_oid'
INFO     Found apsb in block 1063709
INFO     Found apsb in block 1063782
INFO     'BtreeNodePhysT' object has no attribute 'om_tree_oid'
INFO     Found apsb in block 1064320
INFO     'BtreeNodePhysT' object has no attribute 'om_tree_oid'
INFO     Found apsb in block 1066450
INFO     'BtreeNodePhysT' object has no attribute 'om_tree_oid'
INFO     Found apsb in block 1068889
INFO     'Obj' object has no attribute 'body'

And I tried the "-m parse" option to see if the same errors appear:

afro -o 409640 -m parse -l DEBUG -e bodyfile disk0\ Image\ raw.00001 
Traceback (most recent call last):
  File "/usr/local/bin/afro", line 11, in <module>
    load_entry_point('afro==0.2', 'console_scripts', 'afro')()
  File "/usr/local/lib/python3.7/site-packages/afro-0.2-py3.7.egg/afro/__init__.py", line 115, in main
  File "/usr/local/lib/python3.7/site-packages/afro-0.2-py3.7.egg/afro/__init__.py", line 74, in extract
  File "/usr/local/lib/python3.7/site-packages/afro-0.2-py3.7.egg/afro/parse.py", line 74, in parse
  File "/usr/local/lib/python3.7/site-packages/afro-0.2-py3.7.egg/afro/parse.py", line 59, in parse_nxsb
  File "/usr/local/lib/python3.7/site-packages/afro-0.2-py3.7.egg/afro/parse.py", line 46, in parse_apsb
AttributeError: 'PointerValT' object has no attribute 'ov_paddr'

Would you mind explaining what could be the reason for these "no attribute" errors? (parsing the OS volume leads to null objects?) Thanks very much!
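Added example, not part of the original report and not afro code: a small triage script that groups the carve log above by which structure failed to parse and at which block. It assumes each "no attribute" line belongs to the "Found apsb" line directly before it; `triage` and `SAMPLE_LOG` are names made up for this illustration.

```python
import re
from collections import defaultdict

# Excerpt of the carve log quoted in the report above.
SAMPLE_LOG = """\
INFO     Found apsb in block 1060460
INFO     Found apsb in block 1060469
INFO     'PointerValT' object has no attribute 'ov_paddr'
INFO     Found apsb in block 1060897
INFO     'ApfsSuperblockT' object has no attribute 'btn_flags'
INFO     Found apsb in block 1062842
INFO     Found apsb in block 1063444
INFO     'BtreeNodePhysT' object has no attribute 'om_tree_oid'
INFO     Found apsb in block 1068889
INFO     'Obj' object has no attribute 'body'
"""

FOUND = re.compile(r"Found apsb in block (\d+)")
ERROR = re.compile(r"'(\w+)' object has no attribute '(\w+)'")

def triage(log_text):
    """Pair each 'Found apsb' line with the error that follows it, if any.

    Returns (clean_blocks, failures), where failures maps
    (class_name, missing_attribute) -> list of block numbers.
    Assumption: an error line refers to the block logged just before it.
    """
    clean, failures = [], defaultdict(list)
    pending = None  # block number still waiting for its outcome
    for line in log_text.splitlines():
        found = FOUND.search(line)
        error = ERROR.search(line)
        if found:
            if pending is not None:
                clean.append(pending)  # previous block logged no error
            pending = int(found.group(1))
        elif error and pending is not None:
            failures[error.groups()].append(pending)
            pending = None
    if pending is not None:
        clean.append(pending)
    return clean, dict(failures)

if __name__ == "__main__":
    clean, failures = triage(SAMPLE_LOG)
    print(f"{len(clean)} candidates logged no error: {clean}")
    for (cls, attr), blocks in sorted(failures.items()):
        print(f"{cls}.{attr}: {len(blocks)} failure(s) at blocks {blocks}")
```

A block that logs no error was not necessarily recovered; the grouping only shows which parser classes fail and where, which is useful when comparing images from different APFS versions.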

cugu commented 5 years ago

It looks like the APFS format might differ from the one that afro can handle. It might be a newer or older version of APFS.

fenggy09 commented 5 years ago

May I know what model of Mac you tested Afro on? Thank you!

cugu commented 5 years ago

I tested afro with APFS version 748.31.8. The current APFS version on my Mac is 945.250.134.

phyordia commented 5 years ago

Any updates on this? I'm having the same issue... @cugu : How to get the APFS version?

cugu commented 5 years ago

You can try:

    strings /sbin/fsck_apfs | grep "fsck_apfs ("

phyordia commented 5 years ago

Thank you. My APFS version is 945.260.7.

Newbie here, but what I have found so far is that some nodes are being instantiated as PointerValT objects, which do not have .ov_paddr.

They are being created because their parent node looks like:

    NodeEntry _on 256
    NodeEntry _parent <afro.libapfs.apfs.Apfs.BtreeNodePhysT object at 0x113e8dba8>
    NodeEntry btn_level 2

I tried to add .ov_paddr = None in PointerValT._read() (and skip them in parse_apsb()) but that doesn't recover anything. Sorry if this is meaningless, but otherwise, I'm happy to try some ideas you might have.

davidschlachter commented 3 years ago

I can confirm this bug: with an image of a working Catalina (macOS 10.15) system, only files from VM, Preboot, and Recovery are recovered, as previously described.

However, I am able to create APFS disk images in Disk Utility on both macOS 10.14 (system APFS version: 945.275.9) and 11 (system APFS: 1677.50.1) which are successfully read and recovered using afro. I suspect that the on-disk format (for the actual macOS system) is not the same as what Disk Utility creates in the two disk images.

When I have some time, I may be able to look through the paper and compare the previously described APFS format to my system image. I would be happy to provide any further information.