Thread: [sleuthkit-users] Exfat recovery
From: Dennis Z. <de...@es...> - 2015-01-31 01:40:33

Hi,

I'm trying to recover deleted data from an SD card that I pulled out of a smartphone.

I backed up the image using:

    dd if=/dev/sdb of=/tmp/disk.img

However, when I try to recover the files using the following command:

    usr/local/sleuthkit/bin/fls -r -p disk.img | less

I get the following error:

    Cannot determine file system type

Fdisk shows that it's a WN95 FAT32.

Thank you,
Dennis.

From: Kalin K. <me....@gm...> - 2015-01-31 02:08:23

On Jan 31, 2015 10:41 AM, "Dennis Zheleznyak" <de...@es...> wrote:
> I'm trying to recover deleted data from an SD card that I pulled out of a smartphone.
>
> I backed up the image using:
>
>> dd if=/dev/sdb of=/tmp/disk.img
>
> However, when I try to recover the files using the following command:
>
>> usr/local/sleuthkit/bin/fls -r -p disk.img | less
>
> I get the following error:
>
>> Cannot determine file system type

Not sure exfat is supported and cannot test right now, but what is the output of `mmls disk.img`

Maybe you need offset (it used partitions) ?

Kalin.

From: Dennis Z. <de...@es...> - 2015-01-31 02:11:59

Hi,

Thanks for the fast response !

[root@localhost bin]# ./mmls /home/dennis/Documents/disk.img
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000000   0000002047   0000002048   Unallocated
02:  00:00   0000002048   0124735487   0124733440   Win95 FAT32 (0x0c)

On Sat, Jan 31, 2015 at 4:08 AM, Kalin KOZHUHAROV <me....@gm...> wrote:
> On Jan 31, 2015 10:41 AM, "Dennis Zheleznyak" <de...@es...> wrote:
> > I'm trying to recover deleted data from an SD card that I pulled out of a smartphone.
> >
> > I backed up the image using:
> >
> >> dd if=/dev/sdb of=/tmp/disk.img
> >
> > However, when I try to recover the files using the following command:
> >
> >> usr/local/sleuthkit/bin/fls -r -p disk.img | less
> >
> > I get the following error:
> >
> >> Cannot determine file system type
>
> Not sure exfat is supported and cannot test right now, but what is the output of `mmls disk.img`
>
> Maybe you need offset (it used partitions) ?
>
> Kalin.

From: Kalin K. <me....@gm...> - 2015-01-31 02:15:05

On Jan 31, 2015 11:11 AM, "Dennis Zheleznyak" <de...@es...> wrote:
> [root@localhost bin]# ./mmls /home/dennis/Documents/disk.img
> DOS Partition Table
> Offset Sector: 0
> Units are in 512-byte sectors
>
>      Slot    Start        End          Length       Description
> 00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
> 01:  -----   0000000000   0000002047   0000002048   Unallocated
> 02:  00:00   0000002048   0124735487   0124733440   Win95 FAT32 (0x0c)

So add -o 2048 to that fls command.

Kalin.

From: Dennis Z. <de...@es...> - 2015-01-31 02:17:20

Tried that:

[root@localhost bin]# ./fls -o 2048 /home/dennis/Documents/disk.img
Cannot determine file system type

On Sat, Jan 31, 2015 at 4:14 AM, Kalin KOZHUHAROV <me....@gm...> wrote:
> On Jan 31, 2015 11:11 AM, "Dennis Zheleznyak" <de...@es...> wrote:
> > [root@localhost bin]# ./mmls /home/dennis/Documents/disk.img
> > DOS Partition Table
> > Offset Sector: 0
> > Units are in 512-byte sectors
> >
> >      Slot    Start        End          Length       Description
> > 00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
> > 01:  -----   0000000000   0000002047   0000002048   Unallocated
> > 02:  00:00   0000002048   0124735487   0124733440   Win95 FAT32 (0x0c)
>
> So add -o 2048 to that fls command.
>
> Kalin.

From: Kalin K. <me....@gm...> - 2015-01-31 02:26:51

Hmm support was added around July last year.. what is your version?

Kalin.

From: Dennis Z. <de...@es...> - 2015-01-31 02:27:35

The Sleuth Kit ver 4.1.3

On Sat, Jan 31, 2015 at 4:26 AM, Kalin KOZHUHAROV <me....@gm...> wrote:
> Hmm support was added around July last year.. what is your version?
>
> Kalin.

From: Dennis Z. <de...@es...> - 2015-01-31 02:33:48

0100000: eb76 9045 5846 4154 2020 2000 0000 0000  .v.EXFAT   .....

On Sat, Jan 31, 2015 at 4:28 AM, Tim Hoffecker <tho...@gm...> wrote:
> What does the VBR look like
>
> xxd -l 512 -s 1048576 disk.img
>
> On Jan 30, 2015, at 9:17 PM, Dennis Zheleznyak <de...@es...> wrote:
>
> Tried that:
> [root@localhost bin]# ./fls -o 2048 /home/dennis/Documents/disk.img
> Cannot determine file system type
>
> On Sat, Jan 31, 2015 at 4:14 AM, Kalin KOZHUHAROV <me....@gm...> wrote:
>
>> On Jan 31, 2015 11:11 AM, "Dennis Zheleznyak" <de...@es...> wrote:
>> > [root@localhost bin]# ./mmls /home/dennis/Documents/disk.img
>> > DOS Partition Table
>> > Offset Sector: 0
>> > Units are in 512-byte sectors
>> >
>> >      Slot    Start        End          Length       Description
>> > 00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
>> > 01:  -----   0000000000   0000002047   0000002048   Unallocated
>> > 02:  00:00   0000002048   0124735487   0124733440   Win95 FAT32 (0x0c)
>>
>> So add -o 2048 to that fls command.
>>
>> Kalin.

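Added example (not part of the original thread and not Sleuth Kit code): the xxd output above shows the boot sector at byte 1048576 (sector 2048) carrying the EXFAT signature, while the partition table labels the same partition Win95 FAT32 (0x0c). The Python below compares each MBR entry's type byte with the signature found in the partition's own boot sector; the function names and the in-memory sample image are constructed for illustration.

```python
import io
import struct

SECTOR = 512  # sector size reported by mmls and fdisk in the thread
# (offset in boot sector, signature, file system) from the standard layouts
SIGNATURES = [
    (3, b"EXFAT   ", "exFAT"),
    (3, b"NTFS    ", "NTFS"),
    (82, b"FAT32   ", "FAT32"),
    (54, b"FAT16   ", "FAT16"), (54, b"FAT12   ", "FAT12"),
]
# What the MBR type byte claims; 0x0c is the "Win95 FAT32" label mmls printed
MBR_CLAIMS = {0x0B: "FAT32", 0x0C: "FAT32", 0x07: "exFAT/NTFS"}


def sniff_vbr(vbr):
    """Name the file system from the boot sector's own signature, or None."""
    for off, magic, name in SIGNATURES:
        if vbr[off:off + len(magic)] == magic:
            return name
    return None


def survey(img):
    """Return (start_sector, type_byte, claimed, actual) per primary partition."""
    img.seek(0)
    mbr = img.read(SECTOR)
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature at offset 510")
    rows = []
    for i in range(4):
        entry = mbr[446 + 16 * i:462 + 16 * i]
        start, length = struct.unpack_from("<II", entry, 8)
        if entry[4] == 0 or length == 0:
            continue  # unused slot
        img.seek(start * SECTOR)
        actual = sniff_vbr(img.read(SECTOR))
        rows.append((start, entry[4], MBR_CLAIMS.get(entry[4], "other"), actual))
    return rows


def constructed_image():
    """Constructed sample: type 0x0c entry at sector 2048, exFAT boot sector there."""
    buf = bytearray(2049 * SECTOR)
    buf[446 + 4] = 0x0C
    struct.pack_into("<II", buf, 446 + 8, 2048, 124733440)
    buf[510:512] = b"\x55\xaa"
    buf[2048 * SECTOR:2048 * SECTOR + 11] = b"\xeb\x76\x90EXFAT   "
    return io.BytesIO(buf)
```

For a real image, pass `open("disk.img", "rb")` to `survey`; the start sector in each row is the value to give `fls -o`, and a row whose claimed and actual names differ explains a "Cannot determine file system type" from a build without exFAT support.
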
From: Kalin K. <me....@gm...> - 2015-01-31 04:26:52

On Sat, Jan 31, 2015 at 11:27 AM, Dennis Zheleznyak <de...@es...> wrote:
> The Sleuth Kit ver 4.1.3

https://github.com/sleuthkit/sleuthkit/releases

4.1.3 was released Jan 2014 and has no support for exFAT...

You'll need to compile either possibly upcoming 4.2.0 https://github.com/sleuthkit/sleuthkit/tree/release-4.2.0/ or the develop branch https://github.com/sleuthkit/sleuthkit/tree/develop/

You can always check your current support with `-f list` option, like `fls -f list`.

Cheers,
Kalin.

From: Dennis Z. <de...@es...> - 2015-01-31 08:29:13

Thanks again for the quick response and help !

I downloaded both 4.20 and development versions and compiled it using:

    ./configure --prefix=/usr/local/sl
    ./configure --prefix=/usr/local/sldevelop
    make -j 4
    make install

I get the same result as before, anything I can do to fix it ?

On Sat, Jan 31, 2015 at 6:26 AM, Kalin KOZHUHAROV <me....@gm...> wrote:
> On Sat, Jan 31, 2015 at 11:27 AM, Dennis Zheleznyak <de...@es...> wrote:
> > The Sleuth Kit ver 4.1.3
>
> https://github.com/sleuthkit/sleuthkit/releases
>
> 4.1.3 was released Jan 2014 and has no support for exFAT...
>
> You'll need to compile either possibly upcoming 4.2.0 https://github.com/sleuthkit/sleuthkit/tree/release-4.2.0/ or the develop branch https://github.com/sleuthkit/sleuthkit/tree/develop/
>
> You can always check your current support with `-f list` option, like `fls -f list`.
>
> Cheers,
> Kalin.

From: Dennis Z. <de...@es...> - 2015-01-31 08:47:55

This is the SD card:

Disk /dev/sdb: 59.5 GiB, 63864569856 bytes, 124735488 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x00000000

Device     Boot Start       End   Sectors  Size Id Type
/dev/sdb1  *     2048 124735487 124733440 59.5G  c W95 FAT32 (LBA)

And this is the partition itself:

Disk /dev/sdb1: 59.5 GiB, 63863521280 bytes, 124733440 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0xf4f4f4f4

Device       Boot      Start        End    Sectors  Size Id Type
/dev/sdb1p1  ?    4109694196 8219388391 4109694196  1.9T f4 SpeedStor
/dev/sdb1p2  ?    4109694196 8219388391 4109694196  1.9T f4 SpeedStor
/dev/sdb1p3  ?    4109694196 8219388391 4109694196  1.9T f4 SpeedStor
/dev/sdb1p4  ?    4109694196 8219388391 4109694196  1.9T f4 SpeedStor

On Sat, Jan 31, 2015 at 10:29 AM, Dennis Zheleznyak <de...@es...> wrote:
> Thanks again for the quick response and help !
>
> I downloaded both 4.20 and development versions and compiled it using:
>
>> ./configure --prefix=/usr/local/sl
>> ./configure --prefix=/usr/local/sldevelop
>> make -j 4
>> make install
>
> I get the same result as before, anything I can do to fix it ?
>
> On Sat, Jan 31, 2015 at 6:26 AM, Kalin KOZHUHAROV <me....@gm...> wrote:
>
>> On Sat, Jan 31, 2015 at 11:27 AM, Dennis Zheleznyak <de...@es...> wrote:
>> > The Sleuth Kit ver 4.1.3
>>
>> https://github.com/sleuthkit/sleuthkit/releases
>>
>> 4.1.3 was released Jan 2014 and has no support for exFAT...
>>
>> You'll need to compile either possibly upcoming 4.2.0 https://github.com/sleuthkit/sleuthkit/tree/release-4.2.0/ or the develop branch https://github.com/sleuthkit/sleuthkit/tree/develop/
>>
>> You can always check your current support with `-f list` option, like `fls -f list`.
>>
>> Cheers,
>> Kalin.