Data recovery on a vfs
Hi all, and thanks in advance for a helping hand.
I lost some data on my phone that I am attempting to recover. The file was deleted by Microsoft's ActiveSync without asking me. (big surprise). The file was not in a memory card, but on the phone's internal memory. I realize this means a few bytes of the header were wiped only, so it will be a snap to recover the files as long as I can get the phone's filesystem mounted correctly.

Successfully got FUSE up and running - was able to mount and access my Windows Mobile smartphone's internal filesystem. (not the memory card, but the phone's internal memory) Using fusermount, got it mounted on /media/myphone.

Now that I have a mount, my next step would be to scrub the fs for my lost files, using Christophe Grenier's photorec/testdisk recovery program. However...the program does not recognize the vfs, only my primary and logical partitions /dev/sda1-5 /dev/sdb etcetera.

So then my next avenue of approach is to make a raw data dump/disk image of the phone. Have tried to dd if=/media/myphone of=~/Desktop/phonefs.img, dd returns 0 bytes copied b/c /media/myphone is a directory. I can't dd from /dev/fuse as root either, that returns operation not permitted. Tried to hexdump too, no luck.

I feel like I'm close, but not quite there -- can anyone help? Thanks again.
"/media/myphone" is a mountpoint. Does it point to any physical device in /dev? What FUSE FS are you using?
lsusb returns

    Bus 007 Device 003: ID 04f2:b036 Chicony Electronics Co., Ltd
    Bus 007 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
    Bus 005 Device 002: ID 0a5c:2101 Broadcom Corp. A-Link BlueUsbA2 Bluetooth
    Bus 005 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
    Bus 004 Device 003: ID 04e8:6662 Samsung Electronics Co., Ltd
    Bus 004 Device 002: ID 04b3:3108 IBM Corp. 800dpi Optical Mouse w/ Scroll Point
    Bus 004 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
    Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
    Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
    Bus 001 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
    Bus 006 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub

mount returns

    /dev/sda2 on / type ext3 (rw,relatime,errors=remount-ro)
    tmpfs on /lib/init/rw type tmpfs (rw,nosuid,mode=0755)
    /proc on /proc type proc (rw,noexec,nosuid,nodev)
    sysfs on /sys type sysfs (rw,noexec,nosuid,nodev)
    varrun on /var/run type tmpfs (rw,nosuid,mode=0755)
    varlock on /var/lock type tmpfs (rw,noexec,nosuid,nodev,mode=1777)
    udev on /dev type tmpfs (rw,mode=0755)
    tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)
    devpts on /dev/pts type devpts (rw,noexec,nosuid,gid=5,mode=620)
    fusectl on /sys/fs/fuse/connections type fusectl (rw)
    lrm on /lib/modules/2.6.27-11-generic/volatile type tmpfs (rw,mode=755)
    /dev/sda6 on /home type ext2 (rw,relatime)
    securityfs on /sys/kernel/security type securityfs (rw)
    binfmt_misc on /proc/sys/fs/binfmt_misc type binfmt_misc (rw,noexec,nosuid,nodev)
    gvfs-fuse-daemon on /home/user/.gvfs type fuse.gvfs-fuse-daemon (rw,nosuid,nodev,user=user)
    Fur on /media/myphone type fuse.Fur (rw,nosuid,nodev)

Fur is FUSE using the librapi library. The phone is Bus 004 Dev 003. I also found a /dev/fuse, but cannot perform operations on it...tried to dd and hexdump from there as well.

dd if=/media/myphone of=/home/user/Desktop/imagefile.img returns:

    dd: reading `/media/myphone': Is a directory
    0+0 records in
    0+0 records out
    0 bytes (0 B) copied, 0.000711962 s, 0.0 kB/s

As root: dd if=/dev/fuse of=/home/user/Desktop/imagefile.img returns

    dd: reading `/dev/fuse': Operation not permitted
    0+0 records in
    0+0 records out
    0 bytes (0 B) copied, 0.000706026 s, 0.0 kB/s

So /media/myphone doesn't point to a device node at all...any ideas?
I don't know how to explain it properly, but I doubt 'dd' cares much for representations of filesystems, which I think LibRAPI provides. Unfortunately the only ideas I can come up with would require access to a mcrsft workstation and commercial forensics hardware.
You can't get a "raw data" dump of a mounted filesystem. You can only get that if you have access to the raw device.
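
The check the replies above come down to, as an added example that is not part of any post in the thread: before choosing an imaging tool, look up what backs the mountpoint and decide whether a raw image is possible at all. The function names `sample_mounts` and `acquisition_mode` are hypothetical, the sample lines are copied from the `mount` output posted above, and the classification is by the text of the mount entry only (mountpoints containing spaces are not handled).

```shell
#!/bin/sh
# Constructed sample input: four lines taken from the `mount` output in the thread.
sample_mounts() {
cat <<'EOF'
/dev/sda2 on / type ext3 (rw,relatime,errors=remount-ro)
/dev/sda6 on /home type ext2 (rw,relatime)
gvfs-fuse-daemon on /home/user/.gvfs type fuse.gvfs-fuse-daemon (rw,nosuid,nodev,user=user)
Fur on /media/myphone type fuse.Fur (rw,nosuid,nodev)
EOF
}

# acquisition_mode MOUNTPOINT
# Reads `mount`-style lines ("SRC on DIR type FSTYPE (OPTS)") on stdin and prints:
#   raw:<device>  source is a /dev path and the type is not FUSE, so the
#                 underlying device can be imaged sector by sector
#   logical       FUSE or another virtual source: only the files the driver
#                 exposes can be copied, deleted content is not reachable
#   not-mounted   no entry for that directory
# If a directory is mounted over several times, the last (topmost) entry wins.
acquisition_mode() {
    awk -v mp="$1" '
        $2 == "on" && $3 == mp && $4 == "type" { src = $1; fs = $5; found = 1 }
        END {
            if (!found) { print "not-mounted"; exit }
            if (fs ~ /^fuse/ || src !~ /^\/dev\//) { print "logical"; exit }
            print "raw:" src
        }'
}

# Demonstration on the sample; on a live system use: mount | acquisition_mode DIR
sample_mounts | acquisition_mode /media/myphone   # logical
sample_mounts | acquisition_mode /home            # raw:/dev/sda6

# For a raw:<device> result, confirm the node with [ -b <device> ] and image
# the device itself, never the directory it is mounted on.
```
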