[sleuthkit-users] Recovering deleted files using autopsy
Brought to you by:
carrier
Menu
▾
▴
[sleuthkit-users] Recovering deleted files using autopsy
|
From: Thanh T. <ttr...@ya...> - 2003-12-04 20:44:47
|
Hi, I'm using Autopsy and Sleuthkit to test the recovery of a deleted file on a Linux file system. However, when I got to the "File Analysis" part of Autopsy, even though I saw the deleted file in red, I don't see any info regarding "inode", and the date showed up as 0000.00...GMT. How do I view the content of the deleted file if I don't know the inode number? Using Meta Data I could view the content at a particular inode but I don't know the inode of the deleted file. Does anyone know how the recovering and viewing content of a deleted file is possible using Autopsy? Do I need to use "lazarus" instead? Thanks. P.S: I was able to guess the inode number of the deleted file by looking at the allocation list and was able to see the content. However, I wonder if there is an "automatic" way for this. __________________________________ Do you Yahoo!? Free Pop-Up Blocker - Get it now http://companion.yahoo.com/ |
