[no2pencil]

I have a customer whom dropped off her iMac. She had a bad run-in with the Mac-store people. They restored her 60gb drive, then sold her a 250gb one. The problem is, they didn't put any of the restored files onto her 250gb drive. So she drops off this hard drive & says she can't use it.

When I take a look at it, it's Linux type 83 file system in fdisk (I think that's ext3?) & I did confirm that her HPFS formatted iMac can not read it, however any of my Slackware workstations can. So I'm trying to recover these files for her, however there is no OS structure on here, only these 2 file formats. They run in a numbered sequence like

0001234.E01
0001234.D01

All of the E01 files have a variation in size. Some really large, some only a couple of megs. The D01 files, however, are all the same size. So my 1st thought was that these were like camera files, the D01 being the thumbnail, & the E01 being the RAW data. However, I've had two people suggest that this is a Mac recovery similar to Microsoft Check Disk files. Unfortunatly none of my Mac friends get to technical about their operating environment, so they offer little insight.

So I'm looking to Dream In Code members to possibly point me in the right direction. I am clueless as to what the Mac store did, & what I'm even looking at here.

Help!

[GWatt]

Mac formats the boot disk with an EFI partition, which is similar to the MSDOS bootsector. If you mounted the first partition that will be the EFI partition. The 2nd partition is actually the one with the OS and everything else on it.
Of course, your kernel must be compiled to handle the EFI stuff. I don't know if your stations are set up that way.

[no2pencil]

Since I've not heard of EFI, I doubt very much that my workstations would be setup that way.

However, wouldn't fdisk at least show me the partition?

Either way, I'm not that concerned about the OS for the iMac, my main concern is what these E01 & D01 files are, & how I can retrieve them for her.

[GWatt]

since fdisk isn't aware of EFI partitions (use parted) if you use the linux fdisk on an EFI system the EFI partition will appear to expand to fill the whole disk. It prevents fdisk from making changes that would compromise the existing partition table.

I think the files you see are actually the EFI stuff that tells the computer how to boot and everything. I wouldn't touch them.

[no2pencil]

GWatt, on 5 Jan, 2009 - 03:16 PM, said:

I think the files you see are actually the EFI stuff that tells the computer how to boot and everything.

There is probably a thousand of them. Would that be normal?

[GWatt]

Ok, nevermind. I now have no idea what those files are. When i finally got into my EFI partition (which took some doing), there was one file called firmware.scap.
I looked around google and there's not much. The consensus seems to be that .E01 files are some sort of encrypted file format. Also, the word forensic appears quite often.
I guess those could be recovery files, but i have no idea what to do with them. Are there any other partitions? I would see if they have anything on them.

This post has been edited by GWatt: 05 January 2009 - 03:01 PM

[no2pencil]

GWatt, on 5 Jan, 2009 - 04:01 PM, said:

Are there any other partitions?

Not that I could see.

[Jarrhed]

I highly doubt Slackware is setup for EFI, try installing Ubuntu or maybe Debian or Fedora or maybe OpenSUSE

[no2pencil]

Jarrhed, on 5 Jan, 2009 - 07:33 PM, said:

I highly doubt Slackware is setup for EFI, try installing Ubuntu or maybe Debian or Fedora or maybe OpenSUSE

If I wanted to setup EFI, I would just compile it into the kernel, yes? Why the need to switch to another distro?

& besides, I want to know what these files are before I start making changes ...

[GWatt]

Based on 5 or so minutes of google time, I'm inclined to agree with the people who thought they were recovery files.
If you have another recent mac lying around, You could stick the old HD in that one, connect the two with a firewire cable, and boot the one with old HD into target disk mode (hold down the 'T' key whilenit's booting) and see if anything interesting happens. If it actually mounts on her mac, You could try to recover the files using the migration assistant in /Applications/Utilites.


As a side note, i have installed slack on my macbook and have determined that it has all of the stuff built into the kernel to run in an EFI environment.

[markhazlett9]

I recommend posting this on discussions.apple.com as there are some extremely knowledgeable people on there. They can probably help you out.

[no2pencil]

Looks like this is Forensic Software called EnCase.

The E01 file is called an evidence file.
The D01 file is called a differential evidence file.

[GWatt]

So, are they some sort of funky backup, or are they just sort of there?