[sleuthkit-users] Recovering unallocated using Autopsy
From: A Z <fbs...@er...> - 2003-11-08 20:45:07
I am a first-time user of this software; so far it seems fairly easy. I have a situation where I had an 80gb drive mount mistakenly rm -rf'd on. This drive was immediately taken offline (unmounted end of March 2003), so nothing new would have been written to it. I only need to recover one portion of it. I'll cut and paste the info on this directory:

-------------------------
Pointed to by file: /home/share/80gb1/CF-dls (deleted)
File Type: empty
MD5: d41d8cd98f00b204e9800998ecf8427e
Details:
inode: 18429696
Not Allocated
Group: 1684
uid / gid: 0 / 0
mode: ----------
size: 0
num of links: 0
Inode Times:
Accessed: Sun Mar 23 05:48:25 2003
File Modified: Sun Mar 23 05:48:25 2003
Inode Modified: Sun Mar 23 05:48:25 2003
--------------------------

On the File Analysis list, it says this directory cannot be expanded into. I can't seem to export anything either. When I tried to use sorter via file type on the entire drive image, it skips all unallocated:

--------------------------
Files (38911)
Allocated (123)
Unallocated (38788)
Files Skipped (38911)
Non-Files (38911)
'ignore' category (0)
--------------------------

My question is: what is the best method to recover all the files that had existed under the CF-dl's directory (about 4gb worth of JPGs)?

Any guidance will be appreciated. Thanks!