The background: thought I had everything backed up but didn't realize there was something I missed. A quick wipe of all partitions on the phone has removed the data partition's file index. Then I realized I was missing data from my backup.
The problem: file recovery tools I've come across thus far don't seem to want to look for this particular type of file... simple XML. I'm also trying to limit use of the phone itself because installing of new apps to try and recover the data may overwrite sectors that are needed for the recovery. I'm already feeling sort of lucky that this is a 32GB internal memory device and my estimate of the file size is going to be <200MB. In that respect odds of data already having been overwritten in the minimal use I've had since should be slim, and if it has occurred it is probably something I can fake my way around.
Steps taken so far: from TWRP recovery's terminal I performed a dd of /dev/block/mmcblk0p38 (data partition on my Moto XT926M) to a file on an external card. This has enabled me to more easily work with the data from my Ubuntu desktop and also to not have to worry about further changes of the data from phone usage. I've already located via grep and parsed out via dd two XML files that I lost but those were easy as they were each under 100KB. I've located the start of the last XML file I want to recover but after about 1.5MB the trail goes cold. Either the data was contiguous and has already been overwritten at that point or the original file was being written, encountered a next block that was already occupied and continued writing elsewhere. I'm hoping for the latter.
SO...
With this image of the data partition and the knowledge of "this is where the file starts" does anyone have thoughts on how I can continue to work to find the missing pieces of this file? Assuming that from the staring point I've found that the original write just had to skip and continue writing at a different block, in f2fs is there a way to see that from the vicinity of the data I've located? I seem to think when looking at low-level data for some disk format method that the last handful of bytes (or maybe in some sort of header bytes?) of one file segment would indicate what block/sector/offset the next file segment would start but I don't know if that is the case here. Better yet any Linux based utilities that can take an f2fs partition dump and do advanced forensic recovery? I'm able to instruct it that the file starts at byte X of the image. I could try an Android app based solution but 1) that partition will continue to evolve and risk further destruction of desired data and 2) apps I've examined so far are great for finding pictures and videos, not so much at anything else.
My alternative is going to be to continue grepping through the image searching for known XML tags and manually trying to piece things together. At that point the 32GB MMC size changes from a blessing to a curse. Needle, meet haystack.
The problem: file recovery tools I've come across thus far don't seem to want to look for this particular type of file... simple XML. I'm also trying to limit use of the phone itself because installing of new apps to try and recover the data may overwrite sectors that are needed for the recovery. I'm already feeling sort of lucky that this is a 32GB internal memory device and my estimate of the file size is going to be <200MB. In that respect odds of data already having been overwritten in the minimal use I've had since should be slim, and if it has occurred it is probably something I can fake my way around.
Steps taken so far: from TWRP recovery's terminal I performed a dd of /dev/block/mmcblk0p38 (data partition on my Moto XT926M) to a file on an external card. This has enabled me to more easily work with the data from my Ubuntu desktop and also to not have to worry about further changes of the data from phone usage. I've already located via grep and parsed out via dd two XML files that I lost but those were easy as they were each under 100KB. I've located the start of the last XML file I want to recover but after about 1.5MB the trail goes cold. Either the data was contiguous and has already been overwritten at that point or the original file was being written, encountered a next block that was already occupied and continued writing elsewhere. I'm hoping for the latter.
SO...
With this image of the data partition and the knowledge of "this is where the file starts" does anyone have thoughts on how I can continue to work to find the missing pieces of this file? Assuming that from the staring point I've found that the original write just had to skip and continue writing at a different block, in f2fs is there a way to see that from the vicinity of the data I've located? I seem to think when looking at low-level data for some disk format method that the last handful of bytes (or maybe in some sort of header bytes?) of one file segment would indicate what block/sector/offset the next file segment would start but I don't know if that is the case here. Better yet any Linux based utilities that can take an f2fs partition dump and do advanced forensic recovery? I'm able to instruct it that the file starts at byte X of the image. I could try an Android app based solution but 1) that partition will continue to evolve and risk further destruction of desired data and 2) apps I've examined so far are great for finding pictures and videos, not so much at anything else.
My alternative is going to be to continue grepping through the image searching for known XML tags and manually trying to piece things together. At that point the 32GB MMC size changes from a blessing to a curse. Needle, meet haystack.
