Re: [sleuthkit-users] wrong filesystem ?
From: Brian C. <ca...@sl...> - 2003-05-20 14:49:57
Antoine Jacoutot <aja...@lp...> said:

> On Monday 19 May 2003 21:20, Brian Carrier wrote:
> > The 'dls -e' should be equivalent to using 'dd'. So, I would expect
> > it to work. What happens if you use 'dd' and grab the first 100 MB
> > and run the sleuth kit tools on that:
>
> It did work, thanks a lot :)

Can you image the partition with 'dd' and compare it with the 'dls' image? They "should" be the same since you gave 'eb'. Are they the same size?

> Now, I don't want to ask stupid questions on the list, so I was
> wondering if there was some kind of howto somewhere for recovering
> files.
> I tried to use the Coroner Toolkit before knowing about your software,
> but I realised that it would take a month or more to recover my data
> (30Go), so I was wondering if there was a way to extract only the
> needed data from the image instead of all.

Actually, there is no "easy" way to recover files. If the file types have a structure that is known by 'foremost' (on sourceforge), then you can run it (on Linux only) and recover some of the data. The 'dls' tool without the 'eb' will extract the unallocated space, so that will allow you to just run foremost or keyword searches on just the unallocated space.

FreeBSD deletes the pointers from the inode structure to the data fragments, so there is no easy way to recover. The last issue of the Sleuth Kit Informer had a quick blurb on using the group layout of a UNIX file system to recover files:

www.sleuthkit.org/informer

brian
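The structure-based recovery Brian points to with foremost, as an added example that is not part of the thread and is not code from The Sleuth Kit or from foremost: a small header/footer carver run over a raw byte buffer of the kind 'dls' writes out when extracting unallocated space (in current Sleuth Kit releases the tool is named blkls). The signature table mirrors the shape of a foremost configuration entry but is written here for illustration, and the sample buffer is constructed inline, so the script runs with no image on hand. It also shows the failure mode the reply describes: when a file's fragments were not stored contiguously (FFS clears the inode's fragment pointers on delete), the footer never turns up after the header and all a carver can return is a bounded window, flagged as incomplete.

```python
"""
Minimal header/footer carver in the style of foremost, applied to a raw
byte buffer such as the unallocated space written out by 'dls'.
Added example; not code from The Sleuth Kit or foremost.
"""
import os

# Signature table: extension -> (header, footer, max carve size).
# Shaped like a foremost configuration entry (constructed here); the max
# size bounds the search window when a footer is never found.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 2 * 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 2 * 1024 * 1024),
}


def carve(data, signatures=SIGNATURES):
    """Return [(ext, offset, bytes, complete)] for every header found in data.

    complete is False when no footer appears within max_size of the header:
    the file is truncated or not stored contiguously (on FFS the inode's
    fragment pointers are cleared on delete, so a carver cannot follow them),
    and the returned bytes are a best-effort window, not the whole file.
    """
    found = []
    for ext, (header, footer, max_size) in signatures.items():
        pos = 0
        while True:
            start = data.find(header, pos)
            if start < 0:
                break
            window_end = min(len(data), start + max_size)
            end = data.find(footer, start + len(header), window_end)
            if end < 0:
                found.append((ext, start, data[start:window_end], False))
                pos = start + len(header)   # keep scanning past this header
            else:
                end += len(footer)
                found.append((ext, start, data[start:end], True))
                pos = end                   # resume after the carved file
    found.sort(key=lambda hit: hit[1])
    return found


# Constructed sample standing in for 'dls' output: 512-byte zero blocks
# around three intact files and one JPEG whose EOI marker is missing.
SAMPLE_JPG1 = b"\xff\xd8\xff\xe0" + b"JFIF payload one" + b"\xff\xd9"
SAMPLE_PNG1 = b"\x89PNG\r\n\x1a\n" + b"IHDR..." + b"IEND\xaeB`\x82"
SAMPLE_JPG2 = b"\xff\xd8\xff\xe1" + b"Exif payload two" + b"\xff\xd9"
SAMPLE_JPG_TRUNC = b"\xff\xd8\xff\xe0" + b"truncated, no EOI"


def build_sample_unallocated():
    """Assemble the constructed buffer; real input would be a dls/blkls file."""
    block = b"\x00" * 512
    return (block + SAMPLE_JPG1 + block + SAMPLE_PNG1 + SAMPLE_JPG2
            + block + SAMPLE_JPG_TRUNC)


def carve_to_files(data, outdir):
    """Write each hit to outdir as <offset>.<ext>, marking incomplete ones."""
    os.makedirs(outdir, exist_ok=True)
    names = []
    for ext, offset, blob, complete in carve(data):
        name = f"{offset:012d}.{ext}" + ("" if complete else ".partial")
        with open(os.path.join(outdir, name), "wb") as fh:
            fh.write(blob)
        names.append(name)
    return names


if __name__ == "__main__":
    for ext, offset, blob, complete in carve(build_sample_unallocated()):
        state = "complete" if complete else "NO FOOTER (truncated or fragmented)"
        print(f"{ext} at offset {offset}: {len(blob)} bytes, {state}")
```

To feed it a real buffer, read the file produced by 'dls' (or blkls) into memory, or walk it in overlapping chunks no smaller than the largest max_size so a file straddling a chunk boundary is not missed. The separate check Brian asks for, that the 'dd' image and the 'dls -e' image agree, is done at the shell with `ls -l` for sizes and `cmp` or `md5sum` for content before any carving is attempted.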