> I am interested to know if any of you out there have been
> successful at recovering a GPT volume. The "partition style"
> as listed under the Volume tab within the disk device
> properties states "GUID Partition Table (GPT)".
>
> I am working with a Promise VTrak M500p SCSI RAID device
> using the following configuration:
>
> RAID Level: RAID-5
> Capacity: 5.9 TB
> Stripe: 64KB
> Sector: 2KB
> Number of Used Physical Drives: 14
>
> I've used Guidance Software's EnCase and AccessData's FTK
> Imager (and some random data recovery applications), all are
> unable to read the partition information. As mentioned
> above, I'm just putting some feelers out to discover your
> experiences with GPT. I am mostly interested in reviewing
> deleted information (without having to data carve) and
> viewing folder structure. I can provide additional
> information if required.

This issue was reported and some answers given on the MacOS forensics
list, as the new i386 MacBooks apparently use the GPT partition. Below
are two relevant emails on the topic, with the second email from a
Guidance software person that might provide your solution.

Dave B.

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Gordon Beatty
> Sent: Wednesday, October 25, 2006 10:34 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [macos_forensics] Imaging Macbook
>
> You've most likely stumbled over the problem that the
> drive is using the GPT partitioning scheme. The Intel-based
> Macs are using this partitioning scheme instead of the
> standard Apple partitioning scheme. Currently, most versions
> of Encase cannot interpret the GPT partition tables, where
> they do understand the Apple one. As such, Encase considers
> the entire drive as unallocated since it can't decipher the
> partition tables.
>
> One solution that I have recommended to others in a similar
> situation is to connect the drive (using the write-blocker of
> course) to a Mac and use the hdiutil command line tool to
> tell you where the filesystem partitions are physically
> located on the drive i.e. what sector. Then, in Encase, you
> can point it to that sector and tell it to interpret the data
> from that point on as a Mac filesystem partition. Typically,
> Encase has done a good job of deciphering the filesystem
> partition once it knows where it starts. This solution,
> however, may not work for you if you don't have a Mac available.
>
> There's probably other ways to tackle the problem, but it will
> depend on what tools and equipment you have available. At
> the end of it, no matter how you image the drive, the version
> of Encase you have will not automatically interpret the
> partitions for you. I would think Guidance is working on
> something to solve the problem. Maybe you can call them and
> see where they're at.

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of azariah_2000
> Sent: Wednesday, October 25, 2006 11:57 AM
> To: [EMAIL PROTECTED]
> Subject: [macos_forensics] Re: Imaging Macbook
>
> Okay, here it is.
>
> From within EnCase, if you run a keyword search of the drive for HFS.
> Then take the first keyword hit (The one closest to the starting
> sector of the drive). Go back to sectors from that keyword. You can
> then rebuild the partition.
>
> Good Luck and Happy Hunting!
>
> Rodney Smith
> Guidance Software, Inc.
> Professional Services Division
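
The step described in the first forwarded email (finding the sector where each filesystem partition starts) can also be done by reading the GPT directly from a raw image. The following is an added example, not part of the original emails and not code from any of the tools named: it probes LBA 1 at several sector sizes (the array in the question reports 2KB sectors), verifies both GPT CRCs, and returns each partition's first LBA and byte offset. The function names and the sample image are constructed for illustration.

```python
import struct, uuid, zlib

HDR = struct.Struct("<8sIIIIQQQQ16sQIII")  # 92-byte GPT header (UEFI layout)
ENT = struct.Struct("<16s16sQQQ72s")       # 128-byte partition entry
HFS_PLUS = uuid.UUID("48465300-0000-11AA-AA11-00306543ECAC")  # Apple HFS+ type GUID

def find_gpt(image, sector_sizes=(512, 2048, 4096)):
    """Probe LBA 1 at each candidate sector size; return (size, header fields)."""
    for ss in sector_sizes:
        raw = image[ss:ss + HDR.size]
        if len(raw) < HDR.size or raw[:8] != b"EFI PART":
            continue
        f = HDR.unpack(raw)
        hdr = image[ss:ss + f[2]]
        # The header CRC32 is computed with its own CRC field zeroed.
        if 92 <= f[2] <= ss and zlib.crc32(hdr[:16] + bytes(4) + hdr[20:]) == f[3]:
            return ss, f
    raise ValueError("no valid GPT header found")

def list_partitions(image):
    """Return (sector_size, [partition dicts]) for every used entry."""
    ss, f = find_gpt(image)
    entry_lba, count, size = f[10], f[11], f[12]
    table = image[entry_lba * ss:entry_lba * ss + count * size]
    if size < ENT.size or len(table) < count * size or zlib.crc32(table) != f[13]:
        raise ValueError("partition entry array is truncated or fails its CRC")
    parts = []
    for i in range(count):
        ptype, _, first, last, _, name = ENT.unpack_from(table, i * size)
        if ptype == bytes(16):          # all-zero type GUID marks an unused slot
            continue
        parts.append({"type": uuid.UUID(bytes_le=ptype), "first_lba": first,
                      "last_lba": last, "byte_offset": first * ss,
                      "name": name.decode("utf-16-le").rstrip("\0")})
    return ss, parts

def build_sample(ss=2048):
    """Constructed image: protective-MBR placeholder, header, 4-slot table."""
    ent = ENT.pack(HFS_PLUS.bytes_le, uuid.UUID(int=1).bytes_le, 64, 1063, 0,
                   "Evidence".encode("utf-16-le"))
    table = ent.ljust(4 * ENT.size, b"\0")
    hdr = HDR.pack(b"EFI PART", 0x00010000, 92, 0, 0, 1, 2047, 34, 2000,
                   uuid.UUID(int=2).bytes_le, 2, 4, ENT.size, zlib.crc32(table))
    hdr = hdr[:16] + struct.pack("<I", zlib.crc32(hdr)) + hdr[20:]
    return bytes(ss) + hdr.ljust(ss, b"\0") + table.ljust(ss, b"\0")

if __name__ == "__main__":
    ss, parts = list_partitions(build_sample())
    for p in parts:
        print(f"sector={ss} first_lba={p['first_lba']} offset={p['byte_offset']} {p['name']}")
```

On a real acquisition, pass the first few sectors of the image read through the write-blocker; the returned `byte_offset` is the position at which a tool can be told to interpret the data as a filesystem.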
