[Cialug] File Recovery on Mac OS-X

Paul Gray gray at cs.uni.edu
Wed May 10 16:42:50 CDT 2006 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, May 09, 2006 at 11:52:56AM -0500, Claus wrote:
> I'm not a Mac guru at all but I need to help someone to recover some 
> deleted files on a Mac OS-X computer.
> 
> Although the budget for this is $0 the files are important.
> 
> It looks pretty bleak to me so I could use any advice on how to approach 
> this issue.
> 
> Is there any bootable CD with a file recovery tool out there (thinking 
> of Knoppix)?  And how does one go about to use it?
> 

The best approach would be to pull the drive, dd off the contents, and work
with the resulting file. 

How were they deleted?  Using rm? or with a mkfs? Drive errors?

The best approach for an rm-style deletion recovery is to try to locate the
first block of the file (using grep, as was already mentioned).  Then use
dd on the block(s) and pray that the files are small or at least contiguous.
If they're not contiguous, then you'll want to use debugfs + dd to pull 
out the disparate blocks based upon the references in the inode.

This has been quite a term for drives going bad it seems.  My laptop drive went
belly-up in the middle of a backup ... a backup that was underway to preserve
my class grades.  I ended up doing my own platter swap to recover the data 
(pictures available).  At the same time, the doofuses in our campus' building
management thought that it would be a good idea to trip all the breakers on the
floor for an hour, and didn't think anything of the harmony of UPS beeps going
off in my lab during the time.  Two systems not on the not-so-graceful 
shutdown of the UPS had all files in /lost+found after booting to a 
mandatory fsck.  Also this term, a student approached me with a laptop drive
that wasn't booting (Windows NTFS) and asked if I could pull her data off for
her, which I did, and unintentionally learned more than I wanted to about 
her social life in the process.  Aargh!  
- -- 
Paul Gray                                         -o)
323 Wright Hall                                   /\\
University of Northern Iowa                      _\_V
Message void if penguin violated ...  Don't mess with the penguin
No one says, "Hey, I can't read that ASCII attachment ya sent me."
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFEYl5aOH45TZW7mh4RAsTsAJ9vQFxAZQ4TEltalwh1/EDrV60eXwCfWwya
uXOU39+lbN9fZTld7RvVUbs=
=MbUz
-----END PGP SIGNATURE-----

More information about the Cialug mailing list