RecuperaBit, a tool for Forensic File System Reconstruction

A python script that reconstruct filesystem structures and recover files on NTFS filesystems

RecuperaBit is a python script developed by Andrea Lazzarotto useful for attempting to reconstruct a corrupted NTFS filesystem.

RecuperaBit attempts reconstruction of the directory structure regardless of:

missing partition table
unknown partition boundaries
partially-overwritten metadata
quick format

The project and the reconstruction algorithms, are part of Andrea’s MSc thesis:

https://www.scribd.com/doc/309337813/RecuperaBit-Forensic-File-System-Reconstruction-Given-Partially-Corrupted-Metadata

And below a brief presentation on Slideshare:

Usage

usage: main.py [-h] [-s SAVEFILE] [-w] [-o OUTPUTDIR] path

Reconstruct the directory structure of possibly damaged filesystems.

positional arguments:
  path                  path to the disk image

optional arguments:
  -h, --help            show this help message and exit
  -s SAVEFILE, --savefile SAVEFILE
                        path of the scan save file
  -w, --overwrite       force overwrite of the save file
  -o OUTPUTDIR, --outputdir OUTPUTDIR
                        directory for restored contents and output files

RecuperaBit does not modify the disk image, however it does read some parts of it multiple times through the execution. It should also work on real devices, such as /dev/sda but this is not advised.

A python script that reconstruct filesystem structures and recover files on NTFS filesystems

More info and downloads