Re: [sleuthkit-users] wrong filesystem ?
From: Brian C. <ca...@sl...> - 2003-05-19 19:20:08
Antoine Jacoutot <aja...@lp...> said:
> Hi !
>
> I am new to data recovery.
> I stupidly "rm" the content of an entire partition under FreeBSD.
> Of course, the data was very important, so I decided using the
> sleuthkit+autopsy.
> Now, after issuing the command:
> "bin/dls -be -f freebsd /dev/ad5s1e > /mnt/image.dd",
> I have after a couple of hours, an image.dd file that's 28Go big. Until
> that, no problem.
> After that, I want to use autopsy to search the image content, but when
> I tell him to add /mnt/image.dd it tells me this is not a freebsd
> filesystem image ...
> What did I do wrong ?

Antoine,

The 'dls -e' should be equivalent to using 'dd'. So, I would expect it to work. What happens if you use 'dd' and grab the first 100 MB and run the sleuth kit tools on that:

# dd if=/dev/ad5s1e of=/mnt/image2.dd bs=1m count=100
# bin/fls -f freebsd /mnt/image2.dd

It will likely report a read error, but it should pass the initial sanity check. If so, then the 'dls' did not make the right image.

You may want to run 'fls' on the image.dd file as well because there could be an error in the autopsy check (It was just added to the last release).

thanks,

brian
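The two things the reply above is probing can be checked directly. This is an added example, not part of the original thread or of The Sleuth Kit: it tests whether an image carries a UFS superblock magic, and whether two captures agree over the same leading bytes. The superblock offsets and magic values are assumptions taken from FreeBSD's UFS on-disk layout, not from the post, and the function names are hypothetical.

```python
import hashlib
import struct

# Assumed on-disk layout (FreeBSD UFS headers, not stated in the post):
# superblock start offset and magic value per version, plus the offset of
# the fs_magic field inside the superblock structure.
SUPERBLOCKS = {"UFS1": (8192, 0x00011954), "UFS2": (65536, 0x19540119)}
FS_MAGIC_OFFSET = 1372


def find_ufs_magic(path):
    """Return (version, byte_order) if a UFS superblock magic is present, else None."""
    with open(path, "rb") as f:
        for version, (sb_offset, magic) in SUPERBLOCKS.items():
            f.seek(sb_offset + FS_MAGIC_OFFSET)
            raw = f.read(4)
            if len(raw) < 4:
                continue  # image too short to hold this superblock
            for order, fmt in (("little", "<I"), ("big", ">I")):
                if struct.unpack(fmt, raw)[0] == magic:
                    return version, order
    return None


def prefix_digest(path, length, chunk=1 << 20):
    """SHA-256 of the first `length` bytes of a file or device node."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        remaining = length
        while remaining > 0:
            block = f.read(min(chunk, remaining))
            if not block:
                break  # input ended before `length` bytes
            h.update(block)
            remaining -= len(block)
    return h.hexdigest()


def same_prefix(a, b, length):
    """True when both inputs carry identical bytes over the first `length` bytes."""
    return prefix_digest(a, length) == prefix_digest(b, length)
```

If `find_ufs_magic` returns `None` for the dls output but a value for the dd sample, the two captures differ before the first superblock and `same_prefix` over 100 MB will confirm it.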