This comes from a long story of trying to recovering a TrueCrypt volume from a hardware failure (thanks, WD). I ended up with an unencrypted 3TB image that had the files that I want to recover.
Unfortunately, after using
testdisk and extundelete, I guessed the directory entry that leads to the descriptors (of the additional directories) that I want to recover has been overwritten.
However, I think that its subdirectories may have their entries still intact. I would like to know how can I search throughout the disk image for directory entries in unallocated blocks, in order to recover their files (with their proper names, which would be much better than using foremost, photorec and the like).
I know that extundelete with a default --recover-all doesn't look further than the tree that spawns from the root directory. Okay, what if one of the branches is broken but I know that the subfolders entries are somewhere?
Just in case I didn't express myself clearly, imagine that the entry lost is [root]/information. The root directory has the 'information' entry, but it points to overwritten data. Its directory entry is gone, but I want to scan for its subdirectories, [root]/information/personal, and [root]/information/business, and so on. (the name of those subdirectories was in the 'information' entry- I don't care about that name but their whole structure)
Asked by huff
(131 rep)
Mar 4, 2014, 12:14 AM
Last activity: May 7, 2025, 03:07 AM
Last activity: May 7, 2025, 03:07 AM