Help with typical usage scenario - recover a file from your main drive

[jayjlawrence]

Hi there, I am here because a utility deleted some 'work in progress' files and I'd like to have a chance to review them before moving on. I think that there were some useful changes that did not get committed to git before they were deleted.

I've tried some of the commercially available tools but they want a lot of $s for a modest recovery task. Here I am hoping that maybe afro can help me out.

So right now I have a 500g Macintosh HD partition which is my system drive and holds the deleted files in question. How do I proceed?

$ mount /dev/disk1s1 on / (apfs, NFS exported, local, journaled) devfs on /dev (devfs, local, nobrowse) /dev/disk1s4 on /private/var/vm (apfs, local, noexec, journaled, noatime, nobrowse) map -hosts on /net (autofs, nosuid, automounted, nobrowse) map auto_home on /home (autofs, automounted, nobrowse)

I tried mmls (installed sleuthkit via homebrew) on /dev/disk1s4, /dev/disk1s1 and /dev/disk1 - not surprisingly I get told resource busy.

Do you normally boot into another OS and work on the drive offline? How about the fact that the drive is encrypted? Should I expect to "dd" my unencrypted /dev/disk1s4 to a file and then use afro on that file?

Any pointers are appreciated and I can respond in kind with a completed how-to if you wish.

[cugu]

Should I expect to "dd" my unencrypted /dev/disk1s4 to a file and then use afro on that file?

You are on the right track. This solution should work. There is also a blog post about how to do this: http://az4n6.blogspot.com/2016/07/how-to-image-mac-using-single-user-mode.html

[lkhphuc]

Please some body help me. I follow the tutorial and dd clone the synthesized disk /dev/disk1 to a file. MMLS did not recognize Cannot determine partition type. But when I run it anyway with afro -o 0 ... it can run, and when finish I only see Preboot/ and Recover folders, not Macintosh HD disk anywhere.

[lkhphuc]

I dd an entire physical disk dd if=/dev/disk0 ... and get this result from mmls However when I run afro -o 76806 -e files ... I received ValueError: 7761 is not a valid ObjectType Does anyone know how to resolve this? I would really appreciate it.

[cugu]

Was the disk encrypted?

[lkhphuc]

Yes, but I mounted it Single User mode and it already asked for the password. Update: Because my disk after dd is 4096-byte sectors instead of 512-byte sector, I multiplied 76806 * 8 = 614448, then run afro -o 614448 -e files ... and now it can run.

However the recover folder only has Preboot and Recover, just like when I dd if=/dev/disk1.

[cugu]

Strange. But that sounds similar to https://github.com/cugu/afro/issues/13. Maybe there is another APFS version out that afro cannot parse.

[mikelpr]

Is there any issue in just doing afro -o (offset) /dev/sda? (Not on image but connected hard disk but not running Linux from it but instead from a live usb)