search

cugu / afro

File recovery for APFS
159 stars 15 forks source link

not an issue - question regarding creating apfs volume (from failed drive) #2

Closed johndpope closed 6 years ago

johndpope commented 6 years ago

so I have a failed external ssd usb which was running apfs / osx majove. (I plugged it into the wrong usb port after usb disconnected and it died.)

img_3521

I can easily clone this using clonzilla to iso file or dd. It doesn't seem possible to use drive directly. do you have any advice?

While I have been able to dig through drive to detect certain file types - it's not helping me recover the failed partition / directory structure. 

CAPTURE 7/23/2018 3:51:19 PM
Recovery Details
Drive:Physical hard drive 3.64 TB (DISK1:)
# MFT:0
# $Mft:0
# $MftMirr:0
# Index:0
# NT boot sectors:0
# FAT32 boot sectors:2
# FAT16 boot sectors:0
# exFAT boot sectors:0
# HFS+ volume headers:0
# Unused HFS volume headers:0
# HFS node ends:2
# HFS header nodes:0
# APFS NXSBs:134
# APFS APSBs:0
# APFS Blocks:196
# EXT Superblocks:0
# XFS Superblocks:0
# 12-bit FATs:0
# 16-bit FATs:0
# 32-bit FATs:0
# EXFAT FATs:0
# Directory starts:11
# Directory conts:111
# exFAT Directory roots:0
# exFAT Directory starts:0
# exFAT Directory conts:0
Dir tracker list:9 entries
FAT analyse list:8 entries
FAT cache:4 entries
CrissCross:Level 1, 104,264 sectors in 18 chunks
CrossCrossMemo:L1/Br100/Dry0
Sectors starts:63
Cluster starts:356
All clusters:338
Cl sizes:0
File system list:2 items
Selected file system:FAT32 at sector 4,112, cluster size 8 (511 MB) more...
ID:253129999 created 7/23/2018 3:50:30 PM
cugu commented 6 years ago

Well, whatever software you are using seems to detect the APFS NXSBs, but FAT32 is selected for recovery.

Another approach is that you can try to list the partitions with the sleuthkit: mmls disk.dd and than proceed as described in the README.

johndpope commented 6 years ago

I thought with a bit of perseverance - I could modify some of the internals of apfs (change the bytes of current super block) and rewind it to a previous check point. I'd have to dig around - could take months. I read in your links that they achieve this.

also - I thought it might be an idea to attach a sample /tiny hdd image to this repo - all my drives are like 1tb so it's going to take 10 hrs to get an image ready.

incidentally - the output above is from getDataBack PC software https://www.youtube.com/watch?v=XQBprGyy_Ko

johndpope commented 6 years ago

fyi - found this apfs hex editor https://github.com/ydkhatri/APFS_010 / so determining the checkpoint from should be within reach.