Re: [sleuthkit-users] Recovering deleted files using autopsy
From: Brian C. <ca...@sl...> - 2003-12-05 19:34:09
On Thursday, December 4, 2003, at 03:44 PM, Thanh Tran wrote:

> Hi,
> I'm using Autopsy and Sleuthkit to test the recovery
> of a deleted file on a Linux file system. However,
> when I got to the "File Analysis" part of Autopsy,
> even though I saw the deleted file in red, I don't see
> any info regarding "inode", and the date showed up as
> 0000.00...GMT. How do I view the content of the
> deleted file if I don't know the inode number?

You don't :)

EXT3FS stores the file name in a different structure than the inode (where the block pointers are located). When a file is deleted in Linux, the link between the name structure and the inode is deleted (older versions of Linux didn't do this). So, everything is 0 for the deleted file because there is no way to get that information from the file name.

> Using
> Meta Data I could view the content at a particular
> inode but I don't know the inode of the deleted file.

Even if you had the inode number, the link between the fragments (where the deleted data is located) and the inode is also cleared, so you won't get much that way either.

Another way to find the inode (not that it will help much though) is to make a timeline and figure out the inode based on deletion time (if you know roughly when that was). It was much easier before they changed the way that Linux deleted files...

> Does anyone know how the recovering and viewing
> content of a deleted file is possible using Autopsy?
> Do I need to use "lazarus" instead?

You can try lazarus, or foremost. foremost is much faster and the results are easier to parse through for common file formats that it has a configuration file for. Extract the unallocated space (in the image details of Autopsy from the Case Gallery view) and run one of the carving tools on that.

> Thanks.
> P.S: I was able to guess the inode number of the
> deleted file by looking at the allocation list and was
> able to see the content. However, I wonder if there
> is an "automatic" way for this.

Inodes are allocated by block group, so that can help you narrow down the ones you look at. You can find the inode ranges per group in the file system details view.

brian
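The two points Brian makes above (inodes are handed out per block group, and an ext3 delete wipes the inode's block pointers while an old ext2 delete left them in place) in working form, as an added example that is not part of this thread and not Sleuth Kit or Autopsy code: a Python scan of a raw ext2/ext3 image that lists each group's inode range and the inodes whose i_dtime falls in a time window, flagging whether any block pointer survived. It assumes a rev-1 file system without 64-bit or meta_bg layouts, and the sample image it scans is constructed inline (timestamps are made-up values around 4 Dec 2003).

```python
import struct

def parse_superblock(img):
    """Fields of the primary superblock (always at byte offset 1024)."""
    sb = img[1024:2048]
    if struct.unpack_from("<H", sb, 56)[0] != 0xEF53:
        raise ValueError("not an ext2/ext3 superblock")
    n_inodes, n_blocks, first_data, log_bs, bpg, ipg = struct.unpack_from("<II12xII4xI4xI", sb, 0)
    return dict(inodes=n_inodes, blocks=n_blocks, first_data_block=first_data,
                block_size=1024 << log_bs, blocks_per_group=bpg, inodes_per_group=ipg,
                inode_size=struct.unpack_from("<H", sb, 88)[0])

def inode_ranges(sb):
    """(group, first inode, last inode) per block group; inode numbers start at 1."""
    ngroups = -(-(sb["blocks"] - sb["first_data_block"]) // sb["blocks_per_group"])
    ipg = sb["inodes_per_group"]
    return [(g, g * ipg + 1, (g + 1) * ipg) for g in range(ngroups)]

def deleted_inodes(img, sb, t_start, t_end):
    """Inodes whose i_dtime lies in [t_start, t_end] (Unix seconds), with a flag
    telling whether every direct/indirect block pointer in i_block[] is zero."""
    bs = sb["block_size"]
    gdt = (sb["first_data_block"] + 1) * bs          # group descriptor table
    hits = []
    for g, first, last in inode_ranges(sb):
        inode_table, = struct.unpack_from("<I", img, gdt + g * 32 + 8)   # bg_inode_table
        for ino in range(first, last + 1):
            off = inode_table * bs + (ino - first) * sb["inode_size"]
            dtime, = struct.unpack_from("<I", img, off + 20)              # i_dtime
            if dtime and t_start <= dtime <= t_end:
                ptrs = struct.unpack_from("<15I", img, off + 40)          # i_block[15]
                hits.append((ino, dtime, not any(ptrs)))
    return hits

def build_sample_image():
    """Constructed 64 KiB image: one group, 1 KiB blocks, 16 inodes, inode table at block 5."""
    img = bytearray(64 * 1024)
    struct.pack_into("<II12xII4xI4xI", img, 1024, 16, 64, 1, 0, 8192, 16)
    struct.pack_into("<H", img, 1024 + 56, 0xEF53)   # s_magic
    struct.pack_into("<H", img, 1024 + 88, 128)      # s_inode_size
    struct.pack_into("<I", img, 2048 + 8, 5)         # group 0: bg_inode_table
    def put(ino, dtime, ptrs):
        off = 5 * 1024 + (ino - 1) * 128
        struct.pack_into("<I", img, off + 20, dtime)
        struct.pack_into("<15I", img, off + 40, *ptrs)
    put(12, 1070572800, [0] * 15)                    # ext3-style delete: pointers wiped
    put(13, 1070572900, [30, 31] + [0] * 13)         # old ext2-style delete: pointers survive
    put(14, 0, [40] + [0] * 14)                      # live file, dtime 0
    return bytes(img)
```

On a real image, narrow t_start/t_end to the window you got from the timeline; an inode reported with the flag True is the ext3 case Brian describes, and carving the unallocated space is the remaining route.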