Data recovery on a vfs

Hi all, and thanks in advance for a helping hand.

I lost some data on my phone, I am attempting to recover. The file was deleted by Microsoft's Activsync without asking me. (big surprise). The file was not in a memory card, but on the phone's internal memory.

I realize this means a few bytes of the header were wiped only, so it will be a snap to recover the files as long as I can get the phone's filesystem mounted correctly.

Successfully got FUSE up and running - was able to mount and access my Windows Mobile smartphone's internal filesystem. (not the memory card, but the phone's internal memory)

Using fusermount, got it mounted on /media/myphone.

Now that I have a mount, my next step would be to scrub the fs for my lost files, using Cristophe Grenier's photorec/testdisk recovery program.

However...the program does not recognize the vfs, only my primary and logical partitions /dev/sda1-5 /dev/sdb etcetera.

So then my next avenue of approach is to make a raw data dump/disk image of the phone. Have tried to dd if=/media/myphone of=~/Desktop/phonefs.img, dd returns 0 bytes copied b/c /media/myphone is a directory. I can't dd from /dev/fuse as root either, that returns operation not permitted.

Tried to hexdump too, no luck. I feel like I'm close, but not quite there -- can anyone help?

Thanks again.

"/media/myphone" is a mountpoint. Does it point to any physical device in /dev? What FUSE FS are you using?

Quote:

Originally Posted by unSpawn "/media/myphone" is a mountpoint. Does it point to any physical device in /dev? What FUSE FS are you using?

Correct. Mountpoint is /media/myphone. The phone is physically connected via usb port.

lsusb returns

Bus 007 Device 003: ID 04f2:b036 Chicony Electronics Co., Ltd
Bus 007 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 005 Device 002: ID 0a5c:2101 Broadcom Corp. A-Link BlueUsbA2 Bluetooth
Bus 005 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 004 Device 003: ID 04e8:6662 Samsung Electronics Co., Ltd
Bus 004 Device 002: ID 04b3:3108 IBM Corp. 800dpi Optical Mouse w/ Scroll Point
Bus 004 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 001 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 006 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub

mount returns

/dev/sda2 on / type ext3 (rw,relatime,errors=remount-ro)
tmpfs on /lib/init/rw type tmpfs (rw,nosuid,mode=0755)
/proc on /proc type proc (rw,noexec,nosuid,nodev)
sysfs on /sys type sysfs (rw,noexec,nosuid,nodev)
varrun on /var/run type tmpfs (rw,nosuid,mode=0755)
varlock on /var/lock type tmpfs (rw,noexec,nosuid,nodev,mode=1777)
udev on /dev type tmpfs (rw,mode=0755)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)
devpts on /dev/pts type devpts (rw,noexec,nosuid,gid=5,mode=620)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
lrm on /lib/modules/2.6.27-11-generic/volatile type tmpfs (rw,mode=755)
/dev/sda6 on /home type ext2 (rw,relatime)
securityfs on /sys/kernel/security type securityfs (rw)
binfmt_misc on /proc/sys/fs/binfmt_misc type binfmt_misc (rw,noexec,nosuid,nodev)
gvfs-fuse-daemon on /home/user/.gvfs type fuse.gvfs-fuse-daemon (rw,nosuid,nodev,user=user)
Fur on /media/myphone type fuse.Fur (rw,nosuid,nodev)


Fur is FUSE using the librapi library. The phone is Bus 004 Dev 003. I also found a /dev/fuse, but cannot perform operations on it...tried to dd and hexdump from there as well.

dd if=/media/myphone of=/home/user/Desktop/imagefile.img
returns:

dd: reading `/media/myphone': Is a directory
0+0 records in
0+0 records out
0 bytes (0 B) copied, 0.000711962 s, 0.0 kB/s

As root:
dd if=/dev/fuse of=/home/user/Desktop/imagefile.img
returns

dd: reading `/dev/fuse': Operation not permitted
0+0 records in
0+0 records out
0 bytes (0 B) copied, 0.000706026 s, 0.0 kB/s


So /media/myphone doesn't point to a device node at all...any ideas?

I don't know how to explain it proper but I doubt 'dd' cares much for representations of filesystems, which I think LibRAPI provides. Unfortunately the only ideas I can come up with would require access to a mcrsft workstation and commercial forensics hardware.

You can't get a "raw data" dump of a mounted filesystem. You can only get that if you have access to the raw device.