Re: [sleuthkit-users] Autopsy vs dls

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

On 15 Jun 2003 12:33 PDT you wrote:

> Hi:
> 
> Having just found this amazing tool kit I'm wondering about what is the 'best' way to go about recovering deleted files. My Debian distro came with older docs which recommended at least 220% free disk space for processing the nonallocated portion of a partition.
> 
> I am processing a 13 gig partition, 9 gig of which is unallocated. I have a 20 gig partion that I can use to process the data on. 
> 
> If I understand the docs correctly I can use Autopsy on a full 'file system image' of the target partition? What I don't know is, does Autopsy also require this 220% free space? If so, then I don't have the necessary space and I will have to use dls. 

220% wouldn't hurt.  There are two ways to do this.  One is to set 
Autopsy up to point to the raw device and run it as root.  Then you
can analyze the disk w/out making an image.  When you add an 
image just use '/dev/hdaX' and do a symlink.  

The other way is to use 'dd' and make an image of it:

  # dd if=/dev/hdaX bs=2k of=blah.dd

Then, import that into autopsy. The 'dd' method may require the
~200%.  

> If I can use Autopsy, will it allow me to retrieve deleted files? Also, what how do I create an image of the target partition? I could create an empty image and then copy the partition data over, but that leaves out the nonallocated data - the part I'm interested in. 

It depends on what you want to recover.  EXT3FS deletes many of
the pointers in deleted files, so recovery is not point and click.  If
there are keywords that you want, then Autopsy can help with
that.  If you want to "carve" out files, then use the 'foremost' tool.
It looks for known headers and footers.  You can run it on just the
unallocated data (the 'dls' output, which can also be created from
the keyword search mode of Autopsy).

   foremost.sourceforge.net

brian
R 