[sleuthkit-users] using sorter to recover files from unallocated inodes, not just r emoved ones
Brought to you by:
carrier
Menu
▾
▴
[sleuthkit-users] using sorter to recover files from unallocated inodes, not just r emoved ones
|
From: Reava, J. [IT/0200] <jef...@ph...> - 2003-07-10 19:40:59
|
Using ils and icat (ver 1.62) on an NTFS partition image I was able to identify and recover an additional 20 files that sorter did not automatically bring back. It seems that since sorter's call to "fls -rp" doesn't see these "lost" files, sorter won't try to retrieve them from the output of ils. It would be great to be able to recover these unallocated inodes en masse with sorter in the same way that removed inodes are handled. Before I go further, is this possible within the current structure of sorter, or will a different approach be needed? Thanks, Jeff Sample output from fls and ils: from "fls -f ntfs -rp ntfs_deleted.dd" ... r/r * 125-128-4: del_ery.html r/r * 126-128-3: del_es.rtf r/r * 127-128-4: del_ican Revolution.doc r/r * 121-128-3: del_ory.xls from "ils -f ntfs -m ntfs_deleted.dd" ... 0|<ntfs_deleted.dd-Df10.xls-dead-121>|0|121|33279|-rwxrwxrwx|1|0|0|0|20992|1 057683497|1057627477|1057683626|512|0 0|<ntfs_deleted.dd-Df9.doc-dead-127>|0|127|33279|-rwxrwxrwx|1|0|0|0|43520|10 57683497|1057627379|1057683626|512|0 This communication is intended solely for the use of the addressee and may contain information that is legally privileged, confidential or exempt from disclosure. If you are not the intended recipient, please note that any dissemination, distribution, or copying of this communication is strictly prohibited. Anyone who receives this message in error should notify the sender immediately and delete it from his or her computer. |
