Re: [sleuthkit-users] Overwritten partition and filesystem and some Autopsy trouble
From: Brian C. <ca...@sl...> - 2004-07-07 16:57:41
On Jul 6, 2004, at 6:06 PM, Christof Baumgärtner wrote:

> Hello,
> I have a harddisk which has two partitions on it (one of type 0x41, one
> of type 0x83 which is Linux ext2). By accident I started a script which
> recreated the two partitions, recreated the two filesystems and
> recreated the directory structure the same way as it was before. So I
> can still mount the ext2 partition and have access to all my previous
> directories. But now they are empty :(
> I tried to search for the inodes of the missing files without success.
> How do I actually have to proceed?

If the file system data is gone (which probably occurred when you
recreated the file systems), then your only bet is to use the
"application-level" techniques for recovery and use a tool like
foremost or another tool that looks at file headers.

> My second question concerns autopsy. I start autopsy with "./autopsy
> 9999 192.168.1.109" (192.168.1.109 is the IP address of another
> machine). I enter the long URL into a browser on the other machine but
> get HTTP 403 denied. Am I missing something?

<later>

> Anyway: I just receive "document contains no data" with this
> modification :(

If using '-C' helped, then you were probably copying the cookie value
incorrectly. Are you using IE as a client? I have had bad luck with
IE giving the document contains no data errors and use Mozilla. I
thought I fixed most of the problems a long time ago though. I have also
seen those errors from running autopsy from within some versions of
Cygwin.

Check the autopsy log in the evidence locker for more information on
why the original connection was being denied.

brian
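
The "application-level" recovery mentioned in the reply, sketched as an added example; it is not part of the original message and not foremost's own code. It scans raw bytes for known file headers and footers without using any file system metadata; the function names, the two signatures chosen and the sample image are constructed for illustration.

```python
"""Header/footer carving over a raw image (added illustration)."""

# kind -> (header bytes, footer bytes, maximum carve size in bytes)
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 10 * 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 10 * 1024 * 1024),
}


def carve(image, signatures=SIGNATURES):
    """Return (kind, offset, data) for each header that has a matching
    footer within the size limit. Inodes and directories are never consulted,
    so this works on a partition whose file system was recreated."""
    found = []
    for kind, (header, footer, max_size) in signatures.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header), pos + max_size)
            if end != -1:
                end += len(footer)
                found.append((kind, pos, image[pos:end]))
                pos = image.find(header, end)
            else:
                # Header with no footer in range: truncated or fragmented
                # file, which contiguous carving cannot recover. Skip it.
                pos = image.find(header, pos + 1)
    return sorted(found, key=lambda hit: hit[1])


def build_sample_image():
    """Constructed data: a zero-filled 16 KiB 'partition' holding one JPEG-like
    blob, one PNG-like blob and one JPEG header whose footer is missing."""
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF-sample-payload" + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"sample-chunks" + b"IEND\xaeB`\x82"
    truncated = b"\xff\xd8\xff\xe0" + b"no-footer"
    image = bytearray(4096 * 4)
    image[512:512 + len(jpg)] = jpg
    image[4096:4096 + len(png)] = png
    image[8192:8192 + len(truncated)] = truncated
    return bytes(image), jpg, png


if __name__ == "__main__":
    sample, _, _ = build_sample_image()
    for kind, offset, data in carve(sample):
        print(f"{kind} at offset {offset}, {len(data)} bytes")
```

Carved files come back without names, timestamps or directory placement, since that information lived in the file system structures that were overwritten.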