RE: [sleuthkit-users] Problems Recovering EXT3 File Sleuthkit 1.7 /Autopsy 2.0.1
From: Altheide, C. B. (IARC) <Alt...@nv...> - 2004-07-22 22:51:32
> -----Original Message-----
> When I try to export, I get a zero length JPEG file. Is it
> possible to recover EXT3 files? Or is this going to be an
> RTFM post? :)

EXT3 zeroes the block pointers in the inode when a file is deleted, so logical file recovery is basically impossible. If it's JPEGs (or anything else with reliable headers/footers) you can use foremost or SMART to carve the data out of unallocated space, but you won't have any of the associated metadata (file name, MAC times, etc.).

Cory Altheide
Senior Network Forensics Specialist
NNSA Information Assurance Response Center (IARC)
alt...@nv...
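
The header/footer carving mentioned in the reply above, as an added example that is not part of the original message and is not the code of foremost or SMART. The function names, the `MAX_SIZE` cap and the sample buffer are assumptions constructed for illustration; carved output is named by byte offset because no file name or timestamps survive.

```python
"""Header/footer carving of JPEG data from a raw block of unallocated space."""

JPEG_SOI = b"\xff\xd8\xff"   # start-of-image marker plus first byte of the next marker
JPEG_EOI = b"\xff\xd9"       # end-of-image marker
MAX_SIZE = 10 * 1024 * 1024  # assumed cap so a missing footer cannot swallow the image


def carve_jpegs(data, max_size=MAX_SIZE):
    """Return a list of (offset, bytes) for every header/footer pair found."""
    carved = []
    pos = 0
    while True:
        start = data.find(JPEG_SOI, pos)
        if start == -1:
            break
        # Only accept a footer that lies within max_size bytes of the header.
        end = data.find(JPEG_EOI, start + len(JPEG_SOI), start + max_size)
        if end == -1:
            # Header with no footer inside the cap: overwritten or fragmented data.
            pos = start + 1
            continue
        end += len(JPEG_EOI)
        carved.append((start, data[start:end]))
        pos = end
    return carved


def build_sample():
    """Constructed stand-in for unallocated space: two JPEG-like runs and one orphan header."""
    jpeg_a = JPEG_SOI + b"\xe0" + b"A" * 20 + JPEG_EOI
    jpeg_b = JPEG_SOI + b"\xe1" + b"B" * 40 + JPEG_EOI
    orphan = JPEG_SOI + b"\xe0" + b"C" * 10          # footer was overwritten
    return (b"\x00" * 512 + jpeg_a + b"\x00" * 100 + jpeg_b
            + b"\x00" * 64 + orphan + b"\x00" * 32)


if __name__ == "__main__":
    # No inode metadata is available, so output names come from the byte offset.
    for offset, blob in carve_jpegs(build_sample()):
        print(f"carved_{offset:08d}.jpg  {len(blob)} bytes")
```

This simple pairing assumes each file is stored contiguously; a JPEG with an embedded thumbnail carries its own end-of-image marker and would be cut short at that point.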