cblichmann / btrfscue

Licence: other
Recover files from damaged BTRFS filesystems

btrfscue

btrfscue is an advanced data recovery tool for the BTRFS filesystem. Despite being a state-of-the-art filesystem, at the time when I started writing this (Q2 2011), BTRFS did not have a stable fsck tool capable of restoring a filesystem to a mountable state after a power failure or system crash. Recently, this situation has somewhat improved with the btrfs restore command. Unlike this official tool, btrfscue is designed to restore data from disk images that were obtained from faulty storage devices, or from filesystems whose superblocks were all overwritten inadvertently.

Being a recovery tool, btrfscue works best on disk images and will write recovered data to a directory. It can thus be used to convert BTRFS filesystems to any other filesystem supported by the host OS. It will also recover recently deleted files and directories and aid in BTRFS filesystem forensics.

Development State

As the version number 0.5 implies, this software is pretty much in alpha state. In fact, the repository you're looking at now is a complete rewrite of an earlier attempt that was written in C++ as early as 2011 (so don't let the copyright years fool you :)).

This works:

  • Heuristic detection of filesystem identifiers
  • Dump metadata to file
  • Listing of files and directories in the metadata
  • FUSE-mounting a "rescue" view of the metadata

This definitely does not work:

  • Actually restoring files bigger than the filesystem block size
  • Running on big-endian machines
  • BTRFS RAID levels, multi-device FS. These are planned for later.

Requirements

  • Go 1.18 or higher
  • Git version 1.7 or later
  • Optional: CDBS (to build the Debian packages)
  • Optional: GNU Make

Recommended Tools

How to Build

General way to build from source via go get:

    go get blichmann.eu/code/btrfscue

Build using Make

To build from a specific revision/branch/tag, not using go get:

    mkdir -p btrfscue && cd btrfscue
    git clone --recurse-submodules https://github.com/cblichmann/btrfscue.git .
    # Optional: check out a specific rev./branch/tag using e.g. git checkout
    make

You may want to create a symlink to the binary somewhere in your path.

Packages

At the moment, only building Debian packages is supported. Just run make deb to build.

Usage

btrfscue command-line syntax is generally as follows:

    btrfscue SUBCOMMAND OPTION...

Data recovery with btrfscue is divided into stages:

  1. If you suspect physical damage, use a tool like ddrescue to dump the contents of the damaged filesystem to another disk. Otherwise, the standard dd utility will do just fine. The following steps assume the disk image is named DISKIMAGE. If you don't have enough physical storage space, btrfscue will also work directly with the device file. However, THIS IS NOT RECOMMENDED IN CASE OF SUSPECTED PHYSICAL DAMAGE. Although btrfscue never writes to the device, it may stress the drive too much and render further recovery attempts impossible. This is true even of damaged SSDs, since the flash controller may decide at any time to shut down the device for good.

  2. Identify the id of the filesystem that is to be restored. This step applies a heuristic to build a list of possible filesystem ids and outputs each id along with the number of times it was found while sampling the disk image.

    btrfscue identify DISKIMAGE
    
  3. Save metadata for later analysis. This may take a long time to finish as the whole image is being scanned. You need to specify the filesystem to look for by using the --id parameter with a filesystem id FSID.

    btrfscue recon --id FSID --metadata metadata.db DISKIMAGE
    
  4. Inspect the metadata dump to help decide what to restore later.

    btrfscue --metadata metadata.db ls /
    ...
    

    Alternatively, if you're on Linux or macOS, you can FUSE-mount a "rescue" view of the filesystem metadata:

    btrfscue --metadata metadata.db mount MOUNTPOINT
    

    Explore the metadata from another shell. Type CTRL+C to unmount.

  5. Restore the actual data. This is work-in-progress. You can use the mount command to copy files that are no bigger than the filesystem block size.
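
Stage 2 can work even when every superblock is gone because each BTRFS metadata block header repeats the filesystem id at byte offset 0x20, right after the 32-byte checksum. The Go program below is an added illustration of a frequency heuristic of that kind, not btrfscue's own code; the 4096-byte stride, the names CountFSIDs and SampleImage, and the sample image are assumptions constructed for the example.

```go
package main

import (
	"bytes"
	"encoding/hex"
	"fmt"
	"sort"
)

// btrfs_header starts with csum[32] then fsid[16]; the 4096 stride is assumed.
const blockSize, fsidOff, fsidLen = 4096, 0x20, 16

type Candidate struct {
	FSID  string
	Count int
}

// CountFSIDs tallies the fsid field of every aligned block, most frequent first.
func CountFSIDs(image []byte) []Candidate {
	counts := map[string]int{}
	for off := 0; off+fsidOff+fsidLen <= len(image); off += blockSize {
		counts[hex.EncodeToString(image[off+fsidOff:off+fsidOff+fsidLen])]++
	}
	delete(counts, hex.EncodeToString(make([]byte, fsidLen))) // zeroed blocks
	out := make([]Candidate, 0, len(counts))
	for id, n := range counts {
		out = append(out, Candidate{id, n})
	}
	sort.Slice(out, func(i, j int) bool { // ties are ordered by id
		a, b := out[i], out[j]
		return a.Count > b.Count || (a.Count == b.Count && a.FSID < b.FSID)
	})
	return out
}

// SampleImage is constructed test data: block 0 zeroed (wiped superblock), five
// blocks with fsid aa.., one stale block with bb.., one block of file data.
func SampleImage() []byte {
	img := make([]byte, 8*blockSize)
	for blk, b := range map[int]byte{1: 0xAA, 2: 0xAA, 3: 0xBB, 4: 0xAA, 5: 0xAA, 7: 0xAA} {
		copy(img[blk*blockSize+fsidOff:], bytes.Repeat([]byte{b}, fsidLen))
	}
	copy(img[6*blockSize+fsidOff:], "sixteen bytes!!!") // data-block noise
	return img
}

func main() {
	fmt.Println(CountFSIDs(SampleImage()))
}
```

Ids that appear only once are usually file data or remnants of an older filesystem; the id with the dominant count is the one to pass to recon via --id.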

Copyright/License

btrfscue version 0.6 Copyright (c)2011-2022 Christian Blichmann [email protected]

btrfscue is licensed under a two-clause BSD license, see the LICENSE file for details.
