Re: [sleuthkit-users] Unallocated files in Solaris
From: Brian C. <ca...@sl...> - 2003-05-06 04:16:10
brian hutson <bh...@ne...> said:

> hello
> i am at present examining a Solaris 8 system that has a large number of files
> deleted around the period of a possible break-in. My understanding is that
> Solaris unlinks deleted filenames from metadata thus making retrieval of
> unallocated data very difficult. Is this correct?

Yes, that is correct. Solaris removes the link between the file name and meta data structure and the link between meta data structure (inode) and the fragments.

> Apart from doing string searches etc. is there anything else I can do? Using the
> data unit menu to display the data in autopsy does not show anything readable e.g

Looking at random fragments takes a LONG time and is usually not useful. The first thing is to extract the unallocated space, which can be done from the keyword search mode. That file can then be examined fragment by fragment in the data unit mode.

A more useful approach would be to run tools like 'foremost' on the unallocated data.

If you are very desperate and the data of found files is very important, try the following (not intended for the average user):

- Get the inode number of the parent directory where the deleted files are located
- Identify which Cylinder Group the parent directory is in (meta data mode)
- Identify the fragments that are in the same cylinder group
- Run 'dls' by hand for the fragments in the range:

    # dls -f solaris img.dd 123456-2345678

- Examine the unallocated data for just that group.

brian
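The cylinder-group step of the recipe above can be computed instead of read off by hand: in FFS/UFS, inode x lives in cylinder group x // fs_ipg, and group c spans fragments c * fs_fpg up to (c + 1) * fs_fpg (the last group is cut short at fs_size). The script below is an added example, not part of this mail or of The Sleuth Kit; it assumes the three superblock fields are read from fsstat output, and the values it embeds are constructed.

```python
#!/usr/bin/env python3
"""Turn the parent directory's inode into the fragment range of its UFS
cylinder group, producing the 'dls' command from the mail.  Added example;
the superblock values used below are constructed, not from a real image."""
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class UfsSuperblock:
    ipg: int    # inodes per cylinder group (fs_ipg)
    fpg: int    # fragments per cylinder group (fs_fpg)
    size: int   # total fragments in the file system (fs_size)


def cylinder_group_of(sb: UfsSuperblock, inode: int) -> int:
    """Cylinder group holding the inode (the BSD ino_to_cg macro)."""
    ncg = -(-sb.size // sb.fpg)          # number of groups, rounded up
    cg = inode // sb.ipg
    if inode < 0 or cg >= ncg:
        raise ValueError(f"inode {inode} lies outside the file system")
    return cg


def fragment_range_of_group(sb: UfsSuperblock, cg: int) -> Tuple[int, int]:
    """Inclusive first/last fragment address of group cg (cgbase(cg) onward)."""
    start = cg * sb.fpg
    end = min((cg + 1) * sb.fpg, sb.size) - 1   # last group ends at fs_size
    return start, end


def dls_command(sb: UfsSuperblock, parent_inode: int, image: str = "img.dd") -> str:
    """Build the 'dls' invocation that dumps only this group's unallocated fragments."""
    start, end = fragment_range_of_group(sb, cylinder_group_of(sb, parent_inode))
    return f"dls -f solaris {image} {start}-{end}"


if __name__ == "__main__":
    sb = UfsSuperblock(ipg=1280, fpg=5704, size=100000)   # constructed values
    print(dls_command(sb, 12345))   # -> dls -f solaris img.dd 51336-57039
```

The resulting range is what you would feed to dls before running foremost or a string search over just that group's output.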