Help with ddrescue and TestDisk to recover deleted Mac filesystem

Firstly, thanks to Wendell for the awesome video on ddrescue and TestDisk over at https://www.youtube.com/watch?v=ddrPnuvFV6E

I have a client who appears to have accidentally deleted her MacOS formatted partition table while trying to access her external HDD from a windows PC.

I’m assuming the file system was HFS+ as the external disk was originally initialized and used on her Mac laptop (either Yosemite or Sierra).

The HDD is undamaged but to be safe I’ve created a raw image of the disk to work on.

$ ddrescue -d -r3 /dev/sdi rawdrive.raw driveclone.log

Now I have a raw clone of the HDD I need to mount it so I can run TestDisk and try to repair the deleted Mac partitions. Here’s where I start getting confused. Since Parted and ‘file’ etc. can only see the NTFS partition, it seems I have to mount rawdrive.raw using the start offset as determined by the NTFS file system which has overwritten the HFS+ partition. Is this a problem?

Here’s what I did: I query parted with ‘parted rawdrive.raw’ which returns:

Number  Start  End            Size           Type     File system  Flags
 1      1024B  750156374015B  750156372992B  primary  ntfs         type=07

$ ‘file rawdrive.raw’ returns:

rawdrive.raw: DOS/MBR boot sector; partition 1 : ID=0x7, start-CHS (0x0,0,3), end-CHS (0x3ff,254,63), startsector 2, 1465149166 sectors, extended partition table (last)

Confirming the startsector is 2 (2 x 512 = 1024).

So I mount rawdrive.raw with:

$ sudo mount -o rw,loop,offset=1024 rawdrive.raw /mnt/loop

After mounting rawdrive.raw I ran TestDisk [Analyse] which returns:

TestDisk 7.1-WIP, Data Recovery Utility, September 2018
Christophe GRENIER <[email protected]>
https://www.cgsecurity.org

Disk /dev/loop0 - 750 GB / 698 GiB - 1465149166 sectors
     Partition               Start        End    Size in sectors
>P Linux filesys. data    359666294  362782449    3116156 [^V~N7~XJZr{ ^A       _ \ ]
 P Linux filesys. data   1282766899 1285883054    3116156 [^V~N7~XJZr{ ^A       _ \ ]
 
Structure: Ok.  Use Up/Down Arrow keys to select partition.
Use Left/Right Arrow keys to CHANGE partition characteristics:
                P=Primary  D=Deleted
Keys A: add partition, L: load backup, T: change type,
     Enter: to continue
cramfs, 1595 MB / 1521 MiB

Why does the output say there are Linux filesystems? The HDD has only ever been used to backup a MacBook, until Windows accidentally deleted the partition table.

Thanks for any help.

I just came to admire your avatar pic.

Yours is most handsome also.

Probably because its just reading the partition type label… Its probably not actually looking what file system is there.

after the first run of testdisk it should have an option to run a “deeper scan” or something like this. have you done this?

also it should look at the disk and select the partition table it expects the disk is using, i dont know much about HFS+ but if it is not the same partition table as the one testdisk is searching for it may not show up, try searching for a different partition table

i found this

Not properly, no. I am doing a deeper scan now after scanning for GUID. I will have to check back in the morning to see how it went.

Thanks. I have crossed this stackexchange thread before but will read it again.

Here’s what I get after the deeper scan:

Disk /dev/loop0 - 750 GB / 698 GiB - 1465149166 sectors
     Partition               Start        End    Size in sectors
>D Linux filesys. data    359666294  362782449    3116156 [^V~N7~XJZr{ ^A       _ \ ]
 D Linux filesys. data    359666295  362782450    3116156 [^V~N7~XJZr{ ^A       _ \ ]
 D Linux filesys. data   1282766899 1285883054    3116156 [^V~N7~XJZr{ ^A       _ \ ]
 D Linux filesys. data   1282766900 1285883055    3116156 [^V~N7~XJZr{ ^A       _ \ ]

These don’t appear to be contiguous partitions. Each line entry is exactly 3116156 sectors in size.
Can anyone tell me what I’m looking at here, and what I should try next?