RE: [sleuthkit-users] Problems Recovering EXT3 File Sleuthkit 1.7 /Autopsy 2.0.1
From: Fiscus, K. <kf...@al...> - 2004-07-23 12:20:39
Along these lines, does anyone know of a good resource (book, web site, etc.) that discusses various file systems and how they operate? Even better, is there a resource that does that with forensics in mind?

Thanks,

Kevin B. Fiscus, CISSP
GIAC Certified Forensics Analyst
CCNA, SCSA, RCSE
Senior Information Security Engineer
Alliant Technologies, LLC.
____________________________________

Phone: (973) 267-5236 x 4224
Cell: (201) 650-4172
mailto:kf...@al...
http://www.allianttech.com

________________________________

From: sle...@li... on behalf of Altheide, Cory B. (IARC)
Sent: Thu 7/22/2004 6:51 PM
To: 'dar...@li...'
Cc: 'sle...@li...'
Subject: RE: [sleuthkit-users] Problems Recovering EXT3 File Sleuthkit 1.7 /Autopsy 2.0.1

> -----Original Message-----
> When I try to export, I get a zero length JPEG file. Is it
> possible to recover EXT3 files? Or is this going to be an
> RTFM post? :)

EXT3 zeroes the block pointers in the inode when a file is deleted, so logical file recovery is basically impossible. If it's JPEGs (or anything else with reliable headers/footers) you can use foremost or SMART to carve the data out of unallocated space, but you won't have any of the associated metadata (file name, MAC times, etc).

Cory Altheide
Senior Network Forensics Specialist
NNSA Information Assurance Response Center (IARC)
alt...@nv...

_______________________________________________
sleuthkit-users mailing list
https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
http://www.sleuthkit.org
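The header/footer carving mentioned in the reply above, as an added example that is not part of the original thread and is not how foremost or SMART are implemented: a minimal Python carver run over a constructed buffer standing in for unallocated space. The function names, the sample buffer and the `max_size` limit are assumptions made for the illustration.

```python
"""Added illustration: header/footer carving over raw bytes (constructed data)."""

SOI = b"\xff\xd8\xff"  # JPEG start-of-image marker plus the next marker's 0xFF
EOI = b"\xff\xd9"      # JPEG end-of-image marker


def carve_jpegs(data, max_size=10 * 1024 * 1024):
    """Return [(offset, blob)] for every SOI..EOI run found in data.

    Stops at the first EOI after a header, so an embedded thumbnail can end a
    carve early. A header with no footer within max_size is skipped, which is
    what a fragmented or partly overwritten file looks like to a carver.
    """
    found, pos = [], 0
    while (start := data.find(SOI, pos)) != -1:
        end = data.find(EOI, start + len(SOI), start + max_size)
        if end == -1:
            pos = start + len(SOI)  # no footer in range, keep scanning
            continue
        end += len(EOI)
        found.append((start, data[start:end]))
        pos = end
    return found


def build_sample():
    """Constructed stand-in for unallocated space; payloads are filler bytes."""
    jpeg_a = SOI + b"\xe0" + b"A" * 20 + EOI
    jpeg_b = SOI + b"\xe1" + b"B" * 40 + EOI
    truncated = SOI + b"\xe0" + b"C" * 30  # footer lost
    return (b"\x00" * 512 + jpeg_a + b"\x00" * 100 + jpeg_b
            + b"\x00" * 64 + truncated + b"\x00" * 200)


if __name__ == "__main__":
    for offset, blob in carve_jpegs(build_sample()):
        # No inode survives, so the only name available is the byte offset.
        print(f"carved_{offset:08d}.jpg  {len(blob)} bytes")
```

The carved output is named by byte offset because, as the reply says, the file name and MAC times are not recoverable this way.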