Re: [sleuthkit-users] Autopsy vs dls
From: Brian C. <ca...@sl...> - 2003-06-16 16:25:38
On 15 Jun 2003 12:33 PDT you wrote:
> Hi:
>
> Having just found this amazing tool kit I'm wondering about what is the 'best' way to go about recovering deleted files. My Debian distro came with older docs which recommended at least 220% free disk space for processing the nonallocated portion of a partition.
>
> I am processing a 13 gig partition, 9 gig of which is unallocated. I have a 20 gig partition that I can use to process the data on.
>
> If I understand the docs correctly I can use Autopsy on a full 'file system image' of the target partition? What I don't know is, does Autopsy also require this 220% free space? If so, then I don't have the necessary space and I will have to use dls.

220% wouldn't hurt. There are two ways to do this. One is to set Autopsy up to point to the raw device and run it as root. Then you can analyze the disk w/out making an image. When you add an image just use '/dev/hdaX' and do a symlink.

The other way is to use 'dd' and make an image of it:

# dd if=/dev/hdaX bs=2k of=blah.dd

Then, import that into autopsy. The 'dd' method may require the ~200%.

> If I can use Autopsy, will it allow me to retrieve deleted files? Also, how do I create an image of the target partition? I could create an empty image and then copy the partition data over, but that leaves out the nonallocated data - the part I'm interested in.

It depends on what you want to recover. EXT3FS deletes many of the pointers in deleted files, so recovery is not point and click. If there are keywords that you want, then Autopsy can help with that. If you want to "carve" out files, then use the 'foremost' tool. It looks for known headers and footers. You can run it on just the unallocated data (the 'dls' output, which can also be created from the keyword search mode of Autopsy).

foremost.sourceforge.net

brian
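An added illustration of the header/footer carving the reply attributes to foremost, written for this page and not part of the thread or of foremost itself: a minimal carver that scans a blob standing in for 'dls' output (the unallocated blocks) and pulls out anything between a known header and its footer. The two signatures and the sample blob are constructed here; a real run would point it at the dls output file instead.

```python
# Minimal header/footer file carver in the spirit of what the reply says
# foremost does over 'dls' output. Added example, not the tool itself;
# the signature table and the sample blob below are constructed for it.
import sys

SIGNATURES = {
    # type: (header bytes, footer bytes)
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}

def carve(data, max_size=10 * 1024 * 1024):
    """Return [(type, offset, bytes)] for each header whose footer lies
    within max_size bytes; headers with no footer in range are skipped."""
    found = []
    for name, (header, footer) in SIGNATURES.items():
        pos = 0
        while True:
            start = data.find(header, pos)
            if start < 0:
                break
            end = data.find(footer, start + len(header), start + max_size)
            if end < 0:
                # orphan header (file truncated or footer overwritten): skip it
                pos = start + 1
                continue
            end += len(footer)
            found.append((name, start, data[start:end]))
            pos = end
    found.sort(key=lambda hit: hit[1])
    return found

def make_sample():
    """Constructed 'unallocated' blob: zeros, a JPEG-like fragment, zeros,
    a PNG-like fragment, then a stray JPEG header with no footer."""
    jpg = b"\xff\xd8\xff\xe0" + b"J" * 20 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 30 + b"IEND\xaeB`\x82"
    return (b"\x00" * 64 + jpg + b"\x00" * 128 + png
            + b"\xff\xd8\xff" + b"\x00" * 32)

if __name__ == "__main__":
    # Optional argument: path to a dls output file; otherwise use the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample()
    for name, offset, blob in carve(data):
        print(f"{name} at offset {offset}, {len(blob)} bytes")
```

Carved output is never a substitute for the original image: keep the dd image (and its hash) untouched and work only on copies or on the dls output.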