{"id":13698610,"url":"https://github.com/Lazza/RecuperaBit","last_synced_at":"2025-05-04T03:31:39.209Z","repository":{"id":41176288,"uuid":"50295498","full_name":"Lazza/RecuperaBit","owner":"Lazza","description":"A tool for forensic file system reconstruction.","archived":false,"fork":false,"pushed_at":"2024-04-08T18:02:06.000Z","size":106,"stargazers_count":499,"open_issues_count":31,"forks_count":71,"subscribers_count":21,"default_branch":"master","last_synced_at":"2024-04-08T21:38:03.072Z","etag":null,"topics":["dfir","disk","forensics","ntfs","partition","recover-files"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Lazza.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2016-01-24T16:08:23.000Z","updated_at":"2024-06-19T03:02:48.767Z","dependencies_parsed_at":"2022-07-14T09:22:35.103Z","dependency_job_id":"6fadde90-7cc2-4fad-9f67-8203b4ae522b","html_url":"https://github.com/Lazza/RecuperaBit","commit_stats":null,"previous_names":[],"tags_count":8,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Lazza%2FRecuperaBit","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Lazza%2FRecuperaBit/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Lazza%2FRecuperaBit/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Lazza%2FRecuperaBit/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Lazza","download_url":"https://codeload.github.com/Lazza/RecuperaBit/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252283623,"owners_count":21723511,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dfir","disk","forensics","ntfs","partition","recover-files"],"created_at":"2024-08-02T19:00:50.861Z","updated_at":"2025-05-04T03:31:39.203Z","avatar_url":"https://github.com/Lazza.png","language":"Python","readme":"\n\n# ![RecuperaBit](http://i.imgur.com/Q6mM385.jpg)\n\n\u003cp\u003e\u003ca class=\"badge-chip\" href=\"https://github.com/Lazza/RecuperaBit/blob/master/LICENSE.md\"\u003e\u003cimg alt=\"GPL-3.0 license\" src=\"https://badgen.net/github/license/Lazza/RecuperaBit\"\u003e\u003c/a\u003e\n\u003ca class=\"badge-chip\" href=\"https://github.com/Lazza/RecuperaBit/releases\"\u003e\u003cimg alt=\"Latest release\" src=\"https://badgen.net/github/release/Lazza/RecuperaBit\"\u003e\u003c/a\u003e\n\u003ca class=\"badge-chip\" href=\"https://github.com/Lazza/RecuperaBit/stargazers\"\u003e\u003cimg alt=\"Stars counter\" src=\"https://badgen.net/github/stars/Lazza/RecuperaBit\"\u003e\u003c/a\u003e\n\u003ca class=\"badge-chip\" href=\"https://project-types.github.io/#stadium\"\u003e\u003cimg alt=\"Stadium badge\" src=\"https://badgen.net/static/project type/stadium/orange\"\u003e\u003c/a\u003e\n\u003ca class=\"badge-chip\" href=\"https://ko-fi.com/thelazza\"\u003e\u003cimg alt=\"Donate on Ko-fi\" src=\"https://badgen.net/static/ko-fi/donate/yellow\"\u003e\u003c/a\u003e\u003c/p\u003e\n\nA software which attempts to reconstruct file system structures and recover\nfiles. Currently it supports only NTFS.\n\nRecuperaBit attempts reconstruction of the directory structure regardless of:\n\n- missing partition table\n- unknown partition boundaries\n- partially-overwritten metadata\n- quick format\n\nYou can get more information about **the reconstruction algorithms** and the\narchitecture used in RecuperaBit by reading\n[my MSc thesis](https://www.scribd.com/doc/309337813/) or checking out [the\nslides](http://www.slideshare.net/TheLazza/recuperabit-forensic-file-system-reconstruction-given-partially-corrupted-metadata).\n\n## Usage\n\n    usage: main.py [-h] [-s SAVEFILE] [-w] [-o OUTPUTDIR] path\n\n    Reconstruct the directory structure of possibly damaged filesystems.\n\n    positional arguments:\n      path                  path to the disk image\n\n    optional arguments:\n      -h, --help            show this help message and exit\n      -s SAVEFILE, --savefile SAVEFILE\n                            path of the scan save file\n      -w, --overwrite       force overwrite of the save file\n      -o OUTPUTDIR, --outputdir OUTPUTDIR\n                            directory for restored contents and output files\n\nThe main argument is the `path` to a bitstream image of a disk or partition.\nRecuperaBit automatically determines the sectors from which partitions start.\n\nRecuperaBit does not modify the disk image, however it does read some parts of\nit multiple times through the execution. It should also work on real devices,\nsuch as `/dev/sda` but **this is not advised** for damaged drives. RecuperaBit\nmight worsen the situation by \"stressing\" a damaged drive or it could crash due\nto an I/O error.\n\nOptionally, a save file can be specified with `-s`. The first time, after the\nscanning process, results are saved in the file. After the first run, the file\nis read to only analyze interesting sectors and speed up the loading phase.\n\nOverwriting the save file can be forced with `-w`.\n\nRecuperaBit includes a small command line that allows the user to recover files\nand export the contents of a partition in CSV or\n[body file](http://wiki.sleuthkit.org/index.php?title=Body_file) format. These\nare exported in the directory specified by `-o` (or `recuperabit_output`).\n\n### Limitation\n\nCurrently RecuperaBit does not work with compressed files on an NTFS filesystem.\nIf you have deep knowledge of the inner workings of file compression on NTFS\nfilesystem, your help would be much appreciated, as available documentation is\nquite sparse on the topic.\n\n### Pypy\n\nRecuperaBit can be run with the standard cPython implementation, however speed\ncan be increased by using it with the Pypy interpreter and JIT compiler:\n\n    pypy3 main.py /path/to/disk.img\n\n### Recovery of File Contents\n\nFiles can be restored one at a time or recursively, starting from a directory.\nAfter the scanning process has completed, you can check the list of partitions\nthat can be recovered by issuing the following command at the prompt:\n\n    recoverable\n\nEach line shows information about a partition. Let's consider the following\noutput example:\n\n    Partition #0 -\u003e Partition (NTFS, 15.00 MB, 11 files, Recoverable, Offset: 2048, Offset (b): 1048576, Sec/Clus: 8, MFT offset: 2080, MFT mirror offset: 17400)\n\nIf you want to recover files starting from a specific directory, you can either\nprint the tree on screen with the `tree` command (very verbose for large drives)\nor you can export a CSV list of files (see `help` for details).\n\nIf you rather want to extract all files from the *Root* and the *Lost Files*\nnodes, you need to know the identifier for the root directory, depending on\nthe file system type. The following are those of file systems supported by\nRecuperaBit:\n\n| File System Type | Root Id |\n|------------------|---------|\n| NTFS             | 5       |\n\nThe id for *Lost Files* is -1 **for every file system.**\n\nTherefore, to restore `Partition #0` in our example, you need to run:\n\n    restore 0 5\n    restore 0 -1\n\nThe files will be saved inside the output directory specified by `-o`.\n\n## License\n\nThis software is released under the GNU GPLv3. See `LICENSE` for more details.\n","funding_links":["https://ko-fi.com/thelazza"],"categories":["Challenges","Tools"],"sub_categories":["Windows Artifacts","Analysis / Gathering tool (Know your ennemies)"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FLazza%2FRecuperaBit","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FLazza%2FRecuperaBit","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FLazza%2FRecuperaBit/lists"}