Drat is a tool for analysing and recovering data from APFS (Apple File System)
partitions. Its creation was inspired by a personal data loss incident
and Jonathan Levin's closed-source
fsleuth tool, which he demonstrated in this lecture.
The name "Drat" is a loose acronym for "Disaster Recovery APFS Tools", and a bad pun on how one might say "drat!" after discovering that their data is corrupted.
This software is currently in development, and is being implemented with reference
to Apple's official APFS specification (PDF).
Copies of various versions of this spec are included in the `spec` directory for
archival purposes, particularly in case the online version of the document changes.
Currently, all of Drat's commands (except `modify`, which is currently disabled
as it is not fit for use) operate in a read-only fashion, as they are intended
to be used in situations involving data recovery or data forensics.
If you're using an Intel machine that's running macOS or Linux, you can find binaries for versioned releases on the releases page.
Documentation, both for versioned releases and as generated from the `main` branch,
can be viewed online.

- GNU C Compiler (`gcc`) — Required because we use `__attribute__((packed))`.
- GNU Make (`make`).
- GNU Argp library (`<argp.h>`) — Part of the GNU C Library (glibc):
  - On Ubuntu, ensure that the package `libc6-dev` is installed.
  - On macOS, you can install just Argp via the Homebrew package `argp-standalone`. The Makefile will handle this configuration automatically. If you acquire Argp any other way, such as by installing glibc in its entirety, you may need to configure `CFLAGS` and `LDFLAGS` as appropriate.

- Ensure that `gcc` is in your `$PATH`, or configure `CC` and `LD` as appropriate.
- Run `make` from the project root (where this `README.md` file resides). An `out` directory will be created in which the object files will be stored. The final binary `drat` will be stored in the project root.
- Run `make clean` to remove the compiled binary (`drat`) and other output files (`out` directory).

Compilation and execution have been tested on the following platforms:

- macOS Catalina 10.15.7 (19H524) on an Intel x86-64 machine (MacBookPro9,2), using:
  - GCC 11.2.0 (Homebrew GCC 11.2.0)
  - GNU Make 3.81 (as included in Xcode Command Line Tools)
  - Homebrew package `argp-standalone`, version 1.3
- Ubuntu 20.04.3 on an Intel x86-64 machine (Intel Core i5-4288U), using:
  - GCC 9.3.0
  - GNU Make 4.2.1
  - GNU C Library (glibc) 2.31

Sphinx is used to manage the
documentation. This facilitates usage of Read the Docs,
which hosts the documentation online for you to read easily, both for all
versioned releases and as generated from the main branch.
We use a variant of Markdown called MyST that supports all of the features of reStructuredText.
Sphinx requires Python and its `sphinx` package. We also require the
Read the Docs theme (`sphinx_rtd_theme`) and the MyST parser (`myst-parser`).
Once you have Python installed, you can install the required packages all at
once with the following: `pip install sphinx sphinx_rtd_theme myst-parser`.

- From the project root (the directory where this `README.md` file resides):
  - Run `make docs` to generate HTML documentation in `docs/_build/html`. Open `docs/_build/html/index.html` in your browser to view the generated documentation.
  - Run `make clean-docs` to remove the generated documentation (`docs/_build` directory).
- From the `docs` directory:
  - Run `make <format>` to generate the documentation in a format other than HTML, where `<format>` is any of the formats listed in the output of `make help`. You may need to install other software to generate documentation in these other formats.
  - Run `make clean` to remove the generated documentation.