Re: [sleuthkit-users] Recovering unallocated using Autopsy
From: Brian C. <ca...@sl...> - 2003-11-09 20:24:19
On Saturday, November 8, 2003, at 05:00 PM, A Z wrote:

> On the File Analysis list, it says this directory cannot be expanded
> into.
> I can't seem to export anything either.
> When I tried to use sorter via file type on the entire drive image, it
> skips all unallocated:

I'm assuming that you are using a UFS or EXT?FS file system. Most file systems now clear out the values in the data structures when a file is deleted and therefore you cannot see the directory contents and sorter cannot examine the deleted files.

> My question is what is the best method to recover all the files that had
> existed under the CF-dl's directory ( about 4gb worth of JPGs )

Your best bet would be to try 'foremost', foremost.sourceforge.net. Normally, you would be able to restrict the amount of disk space that you would have to search because you could just look at one block group, but because you have 4GB, that is likely bigger than just one block group and the images are all over the disk. So, I would extract the unallocated space (which can be done in Autopsy) and then run foremost on the resulting file (which will be in the 'output' folder in the evidence locker and have an extension of '.dls').

brian
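Added example, not part of the original message and not foremost's code: a minimal Python sketch of the header/footer carving idea that tools like foremost apply to an extracted unallocated-space file. The function names, the size cap and the sample bytes are assumptions constructed for illustration.

```python
"""Header/footer JPEG carving over a blob of unallocated space (illustrative)."""

SOI = b"\xff\xd8\xff"        # JPEG start-of-image plus first byte of next marker
EOI = b"\xff\xd9"            # JPEG end-of-image marker
MAX_SIZE = 10 * 1024 * 1024  # assumed upper bound on one carved file

def carve_jpegs(data, max_size=MAX_SIZE):
    """Return [(offset, bytes)] for every SOI..EOI span found in data.

    Assumes each file is stored contiguously. A JPEG with an embedded
    thumbnail contains an inner EOI, so a real carver needs smarter
    end detection than 'first footer after the header'.
    """
    found = []
    pos = 0
    while True:
        start = data.find(SOI, pos)
        if start == -1:
            break
        end = data.find(EOI, start + len(SOI), start + max_size)
        if end == -1:
            # Header without a footer in range: fragmented or overwritten.
            pos = start + 1
            continue
        end += len(EOI)
        found.append((start, data[start:end]))
        pos = end
    return found

def build_sample():
    """Constructed stand-in for a .dls file: two fake JPEGs and one orphan header."""
    pic1 = SOI + b"\xe0" + b"A" * 20 + EOI
    pic2 = SOI + b"\xe1" + b"B" * 30 + EOI
    orphan = SOI + b"\xe0" + b"C" * 10   # footer missing
    blob = b"\x00" * 512 + pic1 + b"\x55" * 100 + pic2 + b"\x00" * 64 + orphan
    return blob, pic1, pic2

if __name__ == "__main__":
    blob, _, _ = build_sample()
    for offset, body in carve_jpegs(blob):
        print(f"offset {offset}: {len(body)} bytes")
```

Because the file system metadata is gone, carved files come back without names or directory paths; only the byte offset in the unallocated-space file identifies them.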