recover
The recover command allows you to easily recover a file or
entire directory tree and all the files within it. You must specify the same set
of parameters required by explore-fs, namely:
a filesystem tree in the same manner as
explore-fs-tree; andan object map in the same manner as
explore-fs-tree; andan entry point, which is the item you wish to recover, and is either:
an absolute filesystem path via
--path, like/,/Users/john,/Users/john/Documents/my document.txt, or/..; ora filesystem object ID via
--fsoid, like0x7563.
If no filesystem tree or object map is specified, the default is --volume 1.
The simplest usage thus involves only specifying --path, in which case
the item at that path within the first volume will be recovered. You can
additionally specify --volume or --volume-name if the item
you wish to recover is not within the first volume.
Specify the output path (the path to write the recovered data to) with
--output. If the output path is a directory and ends with /, the
item you wish to recover will be stored within that directory, and the item name
as determined by --path or --fsoid will be used as the
recovered item’s name. The default is --output ./, so the recovered item will
be written to the current working directory. Specifying --output - when the
entry point is a file will result in the file data being sent to stdout,
and all normal informational output will be sent to stderr rather than
stdout.
Whilst files are being recovered, they are temporarily named
_com.dratapp.recover_<target name>, and then renamed to <target name> once
they have been fully recovered.
If the item you wish to recover is a file, and a directory with the target name
already exists, an error will occur. If a file with the target name already
exists, it will not be overwritten unless you specify --overwrite.
If the item you wish to recover is a directory, and a file with the target name
already exists, an error will occur. If a directory with the target name already
exists, the recovered directoy tree will be merged with the existing directory
tree. Any existing files that have the same relative path as recovered files
will not be overwritten unless you specify --overwrite. This behaviour
means that if a directory tree recovery process gets interrupted or encounters
an error, you can issue the same command without --overwrite to
effectively resume the recovery process from where it stopped, or with
--overwrite to effectively restart the process from scratch.
Example usage and output
$ drat --container /dev/disk0s2 recover --path /Users/john/Desktop/my-file.txt
$ drat --container /dev/disk0s2 recover --path /Users/john/Desktop/my-file.txt --output recovered-file.txt
$ drat --container /dev/disk0s2 recover --path /Users/john/Desktop/my-file.txt --output - | grep 'lorem ipsum'
$ drat --container /dev/disk0s2 recover --path /Users/john
$ drat --container /dev/disk0s2 recover --path /Users/john --output recovered-john --overwrite
$ drat --container /dev/disk0s2 recover --volume-name macOS --path /System
$ drat --container /dev/disk0s2 recover --volume 5 --path /System
Todo
Provide example output