FR: Extract deleted files about ubidump HOT 5 CLOSED

Do you have a sample file which shows such behaviour?

from ubidump.

Sure, here it is:
https://mega.nz/#!kMNG0aZJ!4BUpubhBGvQsFkAyVTGSoH-haQSiwmHY1BljSHPkYwA

It is a raw image dd'ed from NAND. If you grep it, you will find directory entry with files like "gs_ofdm.bin" and "usbupdate.tar.gz". These files do not exist in extracted tree.

from ubidump.

in an ubifs image you can sort of go back in time by starting from an older master block.
I will think of a way to implement this.

The find_most_recent_master function is there to find the most recent masterblock.

from ubidump.

I investigated, using older master blocks works only up to a point where essential blocks got overwritten. There are obviously several unreachable directory trees present in your image. This would require more extensive analysis of unused blocks to be able to recover those. And i think you would be able to extract only partial data, since parts would already be overwritten by newer data.

from ubidump.

Yes, that's what most recovery tools allow (there's no tool for UbiFS though) - scanning the surface for directory entries, then removing duplicates and cutting files which blocks are now reused, then allowing to write the remaining structure. Directories without parent have some replacement name given, ie. "foundNNN".

This way some recovered files end abruptly, other have invalid content as it was overwritten and freed more times; but many files can be recovered.

There are even tools which go as far as scanning for known file types, to recover files which are no longer pointed by any directory entry. I don't think we need this here, but there is a possibility - ie. search for "RIFF" to find WAVes and AVIs, or for "JFIF"/"PNG" to find images - or just use linux 'file' utility to find the known types for you.

from ubidump.