Re: [sleuthkit-users] recovering large files using Autopsy
From: Matthew M. S. <mm...@ta...> - 2003-04-28 23:59:59
Terry Fernandez wrote:

> In the File Analysis component of Autopsy (v1.70), I can see the deleted file and the size with the metadata information. When I try to export it only 8KB is exported, while the file size shown is around 185MB. I am sure I am missing a step somewhere, can you assist. The image is a FAT32 partition and the file in question is a pst file.
>
> Terry Fernandez
>
> Tel: 312.260.3223
>
> Vnet: 894.3223

Terry-

Whoa, I've been here before. Here is the long and short of it....

You most likely won't be able to recover the entire file. As I'm sure you've seen with deleted NTFS files, it's a rather simple process to export the deleted file. However, with deleted FAT32 files, Autopsy does not perform a file re-assembly. A much more thorough explanation could be provided by the group; however, the simple truth is, portions of your deleted file have most likely been reallocated to other files on the disk.

Here's the basic problem: you've got a 185 meg file, that's roughly 378,880 (512 byte) sectors. Now, chances are that file has not been written to the disk sequentially; it's rare to find 185 megs of free space in nice simple sequential sectors. However, for our example, let's say it is. Now let's look at what you know: the starting sector and the size, right? Let's say the starting sector is 654321 and you know you need to go 378,880 sectors. You can take this information to the Data Unit tab and punch in the starting sector and number of sectors you need to go, and it will return to you the output, your file.

Now, quite honestly I don't expect this to give you the completely accurate file. Why? Well, there's a very good chance the file was not written sequentially; second, the FAT (File Allocation Table) doesn't retain any information as to where the rest of the file is.

There is a way to figure out how much of the file you are missing. Go to the Metadata tab, you will be provided with a complete file allocation table. You won't find your starting sector there as it is deallocated; however, you will see how many sectors within your possible file start and end have been allocated to other files.

A good rule of thumb to consider when recovering deleted files from a FAT partition: smaller is better.

Honestly, your best course of action may be keyword searches against the drive. I can't remember, but pst files may contain some text based content.

Now, this is all based on reading, experience, and luck. Someone on this list may have some better suggestions.

Good Luck!

Matt
mm...@ta...
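The procedure Matt describes (size in bytes to a sector count, pull that contiguous run from the image as the Data Unit tab would, then check how much of that run the FAT shows as allocated to other files) is small enough to script. The following is an added example, not code from the thread or from Autopsy or The Sleuth Kit; it assumes 512-byte sectors, a raw image readable as a file, and a list of allocated sector runs that in practice you would take from the Metadata tab or from the FAT directly (here they are constructed, as is the sample image). Like Matt's walk-through it assumes the file was stored contiguously, so the "intact" figure is an upper bound, not a promise.

```python
import io

SECTOR_SIZE = 512  # assumption: 512-byte sectors, as in Matt's arithmetic


def sectors_for_size(size_bytes, sector_size=SECTOR_SIZE):
    """Sectors needed to hold size_bytes, rounded up (185 MiB -> 378,880)."""
    return (size_bytes + sector_size - 1) // sector_size


def carve_sector_range(image, start_sector, sector_count, sector_size=SECTOR_SIZE):
    """Read a contiguous run of sectors from a seekable image.

    This is the manual equivalent of entering a start sector and a count in
    the Data Unit tab. If the run would go past the end of the image, the
    result is simply shorter; the caller can compare len() against the
    expected size to notice that.
    """
    image.seek(start_sector * sector_size)
    return image.read(sector_count * sector_size)


def allocated_overlap(start_sector, sector_count, allocated_runs):
    """Sectors of the candidate run [start, start+count) that other files own.

    allocated_runs is a list of (start_sector, sector_count) pairs for
    extents the FAT currently marks as in use. They are assumed not to
    overlap each other, which holds for a consistent FAT.
    """
    lo, hi = start_sector, start_sector + sector_count
    overlap = 0
    for a_start, a_count in allocated_runs:
        a_lo, a_hi = a_start, a_start + a_count
        overlap += max(0, min(hi, a_hi) - max(lo, a_lo))
    return overlap


def recovery_report(size_bytes, start_sector, allocated_runs):
    """Summarise how much of a contiguous deleted file could still be intact."""
    needed = sectors_for_size(size_bytes)
    taken = allocated_overlap(start_sector, needed, allocated_runs)
    return {
        "sectors_needed": needed,
        "sectors_reallocated": taken,
        "best_case_intact_fraction": (needed - taken) / needed,
    }


def make_sample_image(n_sectors, sector_size=SECTOR_SIZE):
    """Constructed test image: sector i is filled with byte value i % 256."""
    data = b"".join(bytes([i % 256]) * sector_size for i in range(n_sectors))
    return io.BytesIO(data)


if __name__ == "__main__":
    # Constructed numbers echoing the thread: a 185 MiB file at sector 654321,
    # with two made-up extents that the FAT now assigns to other files.
    runs = [(700000, 1000), (600000, 60000)]
    print(recovery_report(185 * 1024 * 1024, 654321, runs))

    img = make_sample_image(16)
    chunk = carve_sector_range(img, 3, 2)
    print(len(chunk), chunk[:4], chunk[512:516])
```

Run it as-is to see the report for the thread's figures; to use it on a real case, replace `make_sample_image` with an opened raw image and fill `runs` from the allocation information Autopsy shows. A `best_case_intact_fraction` well below 1 is the signal Matt is pointing at: the gap is data that has been overwritten, and keyword searching the rest of the drive is the more realistic next step.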