Hi all.
I have fd up the first 10Mb of the 3Gb fat disk
(not partition, the whole 3Gb disk) full of windoze
****. Then, due to time limits, made some of sort
of backup of the mess with dd and put Puffy into
that disk (dedicated install). The problem is that
management needs some of that stuff back <>.
I would be grateful if anybody could give any hints
on how to grep the 3Gb backup image for any msdosfs
patterns so that I could get at least some of the
individual files back. Sorry for asking it like that
instead of just reading mount_msdos src silently
- maybe someone had this before
I am posting this to misc@ because Puffy is the
only S I run.
Would be grateful for any hint etc.

7/6/06, vladas <vladas.urbonas (AT) gmail (DOT) comwrote:
I have fd up the first 10Mb of the 3Gb fat disk
(not partition, the whole 3Gb disk) full of windoze
****. Then, due to time limits, made some of sort
of backup of the mess with dd and put Puffy into
that disk (dedicated install). The problem is that
management needs some of that stuff back <>.

if there was only one partion with FAT, you#re out
of luck with any standard tool because the
fat is within the first 10 mb.

the are tools out there (google something like 'file
recovery FAT'), but I don't know whether such exist for
BSD: In any case, the more fragmented the
FAT was, the less is the chance of reviving something
meaningful.

>if there was only one partion with FAT, you#re out
>of luck with any standard tool because the
>fat is within the first 10 mb.

>the are tools out there (google something like 'file
>recovery FAT'), but I don't know whether such exist for
>BSD: In any case, the more fragmented the
>FAT was, the less is the chance of reviving something
>meaningful.

Seriously. Recovering messed up file systems is not something you
can do if you don't know how to do it. You can't learn it when you
need it nownownow. And noone will do it for you unless you pay them.
ibas are the best.

And reading the source to mount_msdos won't help you a bit since it
doesn't do much more than setup some trivial arguments and call
mount(2).

Thank you for your replies. I was not clear enough in the first place:
due to the first 10Mb being gone, I do not expect to find any valid fs
anymore. What I still hope for are individual files from the 3Gb image
file that I have. I mean e.g. exe's, or dll's, zip's, lha's etc should have
their size written in them or their data structures, not only fs, as well.

So that e.g. for exe's I would find their "MZ" beginning chars, size
after them and seek until the end by the size. Its gonna be time
consuming, I know. That is why I asked in the first place.

I dared to ask about it on misc@ because I thought that mount_msdos
might be more helpful in this case.

Thank you so much for the time.

Thank you all for your really informative replies.

Hello Vladas,

2006.07.06, at 9:56 PM, vladas wrote:

I have fd up the first 10Mb of the 3Gb fat disk
(not partition, the whole 3Gb disk) full of windoze
****. Then, due to time limits, made some of sort
of backup of the mess with dd and put Puffy into
that disk (dedicated install). The problem is that
management needs some of that stuff back <>.

I would be grateful if anybody could give any hints
on how to grep the 3Gb backup image for any msdosfs
patterns so that I could get at least some of the
individual files back. Sorry for asking it like that
instead of just reading mount_msdos src silently
- maybe someone had this before

I am posting this to misc@ because Puffy is the
only S I run.

Do you have access to a Windows machine? The best file recovery
applications for FAT file systems I have found, are Windows apps,
oddly enough.

I have had great success with "Get Data Back". It is comparatively
very cheap yet was the best I have tried even amongst file recovery
apps costing thousands. They sell the FAT and NTFS versions
separately. In fact it finds files from multiple old file-systems
which even the "Forensic Tool Kit" does not find. I have used GDB ($
$) to compliment FTK ($$$$) in the past.

Last time I tried GDB, I believe it accepted images as one large
image, or images broken up into portions, but with the limitation
that the portions must be 688,128,000 bytes in size. If you need to
run GDB on a system limited to 2GB files, then use split(1) to break
the big dd image into the size GDB needs. The standard suffix split
uses is fine for GDB.

Run GDB against the files, answer a few simple questions and after a
while you might find a file listing of the old files, ready to be
copied off.

BTW, GDB *can* get data back even if both FAT's are completely gone
(it has for me).

http://www.runtime.org/gdb.htm

BTW, I have no affiliation with Runtime. It just saved my bacon once
under a pretty bleak situation (girlfriends data! Yikes). I've since
recommended it to others who also found it to get their data back. A
friend of mine had a motherboard die, he was using the motherboards
built in IDE "RAID" 0. I told him about GDB, I thought he tried it
and it worked for him. But I've since noticed that Runtime now has
recovery software specifically for disks used in a RAID, which might
have been what he used. Regardless, Runtime even got his files back.

Good luck,

Shane

7/6/06, Shane J Pearson <shanejp (AT) netspace (DOT) net.auwrote:
Hello Vladas,

2006.07.06, at 9:56 PM, vladas wrote:

I have fd up the first 10Mb of the 3Gb fat disk
(not partition, the whole 3Gb disk) full of windoze
****. Then, due to time limits, made some of sort
of backup of the mess with dd and put Puffy into
that disk (dedicated install). The problem is that
management needs some of that stuff back <>.

I would be grateful if anybody could give any hints
on how to grep the 3Gb backup image for any msdosfs
patterns so that I could get at least some of the
individual files back. Sorry for asking it like that
instead of just reading mount_msdos src silently
- maybe someone had this before

I am posting this to misc@ because Puffy is the
only S I run.

Do you have access to a Windows machine? The best file recovery
applications for FAT file systems I have found, are Windows apps,
oddly enough.

I have had great success with "Get Data Back". It is comparatively
very cheap yet was the best I have tried even amongst file recovery
apps costing thousands. They sell the FAT and NTFS versions
separately. In fact it finds files from multiple old file-systems
which even the "Forensic Tool Kit" does not find. I have used GDB ($
$) to compliment FTK ($$$$) in the past.

http://www.runtime.org/gdb.htm

BTW, I have no affiliation with Runtime. It just saved my bacon once
under a pretty bleak situation (girlfriends data! Yikes). I've since
recommended it to others who also found it to get their data back. A
friend of mine had a motherboard die, he was using the motherboards
built in IDE "RAID" 0. I told him about GDB, I thought he tried it
and it worked for him. But I've since noticed that Runtime now has
recovery software specifically for disks used in a RAID, which might
have been what he used. Regardless, Runtime even got his files back.

I've used R-Studio and it works quite well (and quickly so long as you
keep your computer out of screensavers and things). It's somewhat
expensive at 100$. It works by just scanning the disk for signatures
of files, and is usually able to recover a lot.

http://www.r-studio.com/
-Nick

Hi Nick,

2006.07.07, at 2:51 PM, Nick Guenther wrote:

I've used R-Studio and it works quite well (and quickly so long as you
keep your computer out of screensavers and things). It's somewhat
expensive at 100$. It works by just scanning the disk for signatures
of files, and is usually able to recover a lot.

http://www.r-studio.com/

$100 seems cheap to me for something which works, given the
desperation when it's needed. Seems like a small tax on people who
don't keep decent backups. Like me, once upon a time. ; )

I've been wanting to try R-Studio, since it has FFS support. I'll
switch to it if it's as good as GDB.

Shane

Seems like a small tax on people who
don't keep decent backups.
Yeah, thats thats me.
Thank you all so much for the links.
vladas

07/07/06, Joachim Schipper <j.schipper (AT) math (DOT) uu.nlwrote:
Thu, Jul 06, 2006 at 08:56:55PM +0900, vladas wrote:
Hi all.

I have fd up the first 10Mb of the 3Gb fat disk
(not partition, the whole 3Gb disk) full of windoze
****. Then, due to time limits, made some of sort
of backup of the mess with dd and put Puffy into
that disk (dedicated install). The problem is that
management needs some of that stuff back <>.

I would be grateful if anybody could give any hints
on how to grep the 3Gb backup image for any msdosfs
patterns so that I could get at least some of the
individual files back. Sorry for asking it like that
instead of just reading mount_msdos src silently
- maybe someone had this before

I am posting this to misc@ because Puffy is the
only S I run.

Would be grateful for any hint etc.

'Keep backups' is the best one, but probably a bit late. (Unless you
were told you could delete the data, in which case a clue by four might
be appropriate.)

Several good suggestions have already been given, so I'll not repeat
them.

Aside from Wietse Venema's The Coroner's Toolkit (TCT), there is also
the Sleuth Kit. It's more modern and presumably has a more friendly
interface (TCT, while a good tool, does not quite shine there). I am
fairly certain it does FAT as well, but I have no clue if it would work
in this case - it's really meant for finding deleted/hidden files in
intact filesystems. However, at least 'sigfind' from the Sleuth Kit
might be useful, if you know what you are looking for (and willing to
spend lots of time).

However, in case you only destroyed the partition table, but not the
partition in question (i.e., the partition you want to recover data
from), I have had personal success with a Knoppix disk, a loopback
device with an offset

Tried this in the very first place with no result. First 10Mb appeared
to be a lot:)

(this does not seem to be supported on BSD),
and just mounting it. course, one could simulate this on BSD by
exploiting the magic of dd(1), vnd(4), and mount_msdos(8), too.

course, this requires you to know the exact starting byte of the
filesystem, but other tools exist to help with that. In this case,
someone who shut down Partition Magic because it was taking too long,
it worked just fine, over the phone no less.

Joachim

Thank you for all these good ideas.
I will check them out.

vladas

Thu, Jul 06, 2006 at 08:56:55PM +0900, vladas wrote:
Hi all.

I have fd up the first 10Mb of the 3Gb fat disk
(not partition, the whole 3Gb disk) full of windoze
****. Then, due to time limits, made some of sort
of backup of the mess with dd and put Puffy into
that disk (dedicated install). The problem is that
management needs some of that stuff back <>.

I would be grateful if anybody could give any hints
on how to grep the 3Gb backup image for any msdosfs
patterns so that I could get at least some of the
individual files back. Sorry for asking it like that
instead of just reading mount_msdos src silently
- maybe someone had this before

I am posting this to misc@ because Puffy is the
only S I run.

Would be grateful for any hint etc.

'Keep backups' is the best one, but probably a bit late. (Unless you
were told you could delete the data, in which case a clue by four might
be appropriate.)

Several good suggestions have already been given, so I'll not repeat
them.

Aside from Wietse Venema's The Coroner's Toolkit (TCT), there is also
the Sleuth Kit. It's more modern and presumably has a more friendly
interface (TCT, while a good tool, does not quite shine there). I am
fairly certain it does FAT as well, but I have no clue if it would work
in this case - it's really meant for finding deleted/hidden files in
intact filesystems. However, at least 'sigfind' from the Sleuth Kit
might be useful, if you know what you are looking for (and willing to
spend lots of time).

However, in case you only destroyed the partition table, but not the
partition in question (i.e., the partition you want to recover data
from), I have had personal success with a Knoppix disk, a loopback
device with an offset (this does not seem to be supported on BSD),
and just mounting it. course, one could simulate this on BSD by
exploiting the magic of dd(1), vnd(4), and mount_msdos(8), too.

course, this requires you to know the exact starting byte of the
filesystem, but other tools exist to help with that. In this case,
someone who shut down Partition Magic because it was taking too long,
it worked just fine, over the phone no less.

Joachim