Grepping filesystem, raw disk drive: permission denied, bad address

[Vesselin Peev]

Hello,

I'm helping friends recover a deleted manuscript on their Mac running Panther. We tried a couple of recovery utilities with no success, but I would also like to try using grep on the drive. The problem is that the command, run in "Terminal"

sudo grep "some text from the deleted file" <mount point>

where mount point is the mount point of the partition the deleted file is in, gives:

"Permission denied"

As you can see, I run the command as root.

I try to execute grep in its simplest form, once that succeeds (hopefully), I'll try with different options.

Listing the directory structure through the same mount point, i.e.

ls <mount point>

works, i.e. gives a listing of various files

If so, what could be the reason for the "Permission denied"? By the way, the mount point directory does not contain spaces, it's /Volumes/My_disk

Because grepping the filesystem has failed, I've tried grep on the raw disk drive, e.g. instead of the mount point I supply /dev/rdisk0 as a parameter to grep (which I run again as a root through sudo), but then I get

"Bad address"

I've read about this particular error that it can be caused when the disk is not present (but this is an internal disk, so that can't be, unless the disk is damaged, but the disk drive seems fine); if the drive does not support the operation -- but running grep just does simple reads on the drive, so that shouldn't be, either; or if there are driver problems (but other recovery programs seem to do reads on the drive just fine).

Thank you in advance for your consideration and help.

 

[fryke]

I thought grep wouldn't find stuff in _deleted_ files, anyway. Am I wrong?

 

[Vesselin Peev]

Hello Fryke,

Thanks for replying.

Because the above commands (attempt to) run over the filesystem or the disk drive partition, and not an actual file residing the filesystem or the partition, it can actually find data in any deleted file (of course, as long as it hadn't been overwritten or deleted via some secure technique effectively overwritting it).

You can see this done with GNU/Linux and FreeBSD:

http://www.cyberciti.biz/tips/linuxunix-recover-deleted-files.html
http://bluesmoon.blogspot.com/2004/08/undelete-in-freebsd.html

This can be a last-resort lifesaver.

I should have added that I tried the above operations on OpenDarwin 7.x (which corresponds to Mac OS X Panther /10.3/), and they do work as expected. But not on the real machine.

I find especially strange the "Permission denied" error. Again, I'm running the command as root.

-Vesselin.

 

[lurk]

Well the "/Volumes/" case fails because you are just giving the root mount point for the volume, not the device. This is the parallel to the /mnt directory under Linux. In the second case you are not grepping what you think you are. You need to specify the proper slice (er partition in Linuxees) so use something like disk0s10

I don't know if disk or raw disk (rdisk) is most appropriate here.

I wish you luck but really what to you think you will recover? If it was not a text or latex file you will not recover anything useful, there is no cramming things back into a Word document for instance.