I have been tasked with recovering a 4TB removable HD that uses the HFS file system.
Apparently, the user re-partitioned the drive. Luckily, I can still see the raw data in the unallocated area within the newly partitioned space.
I am an EnCase user using a Windows platform. I would rather avoid file carving if possible, but if that's all I can do at this point, I'm guesstimating a month of recovery.
Is there any way the original directory/file structure can be recovered? I'm really not familiar with HFS so any helpful advice is appreciated.
BlackBag Forensics is the source for OSX and iOS. You may start here
https://
Maybe give TestDisk a try (http//
TestDisk is free. From the website
"TestDisk can
Fix partition table, recover deleted partition
Recover FAT32 boot sector from its backup
Rebuild FAT12/FAT16/FAT32 boot sector
Fix FAT tables
Rebuild NTFS boot sector
Recover NTFS boot sector from its backup
Fix MFT using MFT mirror
Locate ext2/ext3/ext4 Backup SuperBlock
Undelete files from FAT, exFAT, NTFS and ext2 filesystem
Copy files from deleted FAT, exFAT, NTFS and ext2/ext3/ext4 partitions.
TestDisk has features for both novices and experts. For those who know little or nothing about data recovery techniques, TestDisk can be used to collect detailed information about a non-booting drive which can then be sent to a tech for further analysis. Those more familiar with such procedures should find TestDisk a handy tool in performing onsite recovery."
What makes you say it was repartitioned rather than reformatted? Do you have any idea what the previous partition scheme looked like?
EnCase can recover a deleted partition if the volume header is still intact. So, if the drive was originally partitioned as two partitions A|B and was repartitioned to one large partition A, the volume header (or alternate volume header) for B may still exist on the drive. You can get details on the volume header here
Assuming that other important data such as the allocation and catalog files are still intact, you should be able to rebuild the partition from the Disk View in EnCase.
If the user deleted the partition then created a new partition of the same size, the new volume headers will overwrite the old headers and the allocation and catalog files will also at least partially overwrite the old files. In this case, you're probably going to have to carve.
-tracedf
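The volume header check described in the answer above, as an added example that is not part of the original thread and is not how EnCase does it: it scans a raw image for surviving HFS+ volume headers and works out which volume start each hit implies. Assumptions: the volume is HFS+/HFSX rather than classic HFS, headers sit on 512-byte boundaries, field offsets follow Apple's TN1150 layout, and all function names and the sample image are constructed for illustration.

```python
import io
import struct

SECTOR = 512                        # assumption: headers sit on 512-byte boundaries
SIGNATURES = {b"H+": 4, b"HX": 5}   # HFS+ / HFSX signature -> expected version field

def parse_volume_header(sector):
    """Return key fields if the sector looks like an HFS+ volume header, else None."""
    if len(sector) < 52 or sector[:2] not in SIGNATURES:
        return None
    (version,) = struct.unpack_from(">H", sector, 2)
    files, folders, block_size, total, free = struct.unpack_from(">5I", sector, 32)
    # Sanity checks reject file content that merely starts with "H+" or "HX".
    if (version != SIGNATURES[sector[:2]] or total == 0 or free > total
            or block_size < SECTOR or block_size & (block_size - 1)):
        return None
    return {"files": files, "folders": folders, "volume_bytes": block_size * total}

def scan_for_headers(image, size):
    """Return [(offset, fields)] for every plausible header in a seekable raw image."""
    hits = []
    for off in range(0, size - SECTOR + 1, SECTOR):
        image.seek(off)
        fields = parse_volume_header(image.read(SECTOR))
        if fields:
            hits.append((off, fields))
    return hits

def candidate_volumes(hits):
    """Map (volume_start, volume_bytes) -> roles of the headers that support it."""
    seen = {}
    for off, f in hits:
        # Primary header: 1024 bytes in. Alternate: starts 1024 bytes before the end
        # (assumes volume size == blockSize * totalBlocks).
        for start, role in ((off - 1024, "primary"),
                            (off + 1024 - f["volume_bytes"], "alternate")):
            if start >= 0:
                seen.setdefault((start, f["volume_bytes"]), set()).add(role)
    return seen

def build_sample_image():
    """Constructed test image: one 64 KiB HFS+ volume starting at byte offset 4096."""
    hdr = struct.pack(">2sH28x5I", b"H+", 4, 120, 15, 4096, 16, 3)
    img = bytearray(4096 + 65536 + 4096)
    for off in (4096 + 1024, 4096 + 65536 - 1024):   # primary, alternate
        img[off:off + len(hdr)] = hdr
    return io.BytesIO(img), len(img)

if __name__ == "__main__":
    found = candidate_volumes(scan_for_headers(*build_sample_image()))
    for (start, length), roles in sorted(found.items()):
        print(start, length, "confirmed" if len(roles) == 2 else sorted(roles))
```

A start supported by both roles is a matched primary/alternate pair; a start supported by only one role is a hypothesis to verify by checking whether the allocation and catalog files are readable from that offset.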
My (biased) answer: CnW Recovery has a mode to scan the hard drive for all Catalog entries. If partially overwritten, the resulting directory structure may be a mess, but it will find files with the correct names.
i.e., better than carving, but not always perfect.