[sleuthkit-users] Undeleting files on ext3
From: Andrass Z. D. <az...@li...> - 2004-10-06 12:45:19
Dear sleuthkit-users,

I have a disk image from which I need to recover deleted files. The system is ext3fs. I have The Sleuth Kit and Autopsy up and running. (I would like to excuse my bad knowledge of the terminology.)

I am aware that inode pointers are nulled at deletion, therefore I have no info on how the blocks are (were) joined.

I have made a timeline around when the files were deleted. The entries are like in the following excerpt (might look bad due to word wrapping):

    0 .a. drwxrwxrwx 115 100 12451900 <sdb1.img-dead-12451900>
    0 .a. drwxrwxrwx 509 100 2998404 <sdb1.img-dead-2998404>
    0 .a. d/drwxrwxrwx 115 100 5554256 /home/samba/pub/Projects/0412/doc/Memo (deleted)
    0 .a. d/drwxrwxrwx 115 100 8257636 /home/samba/pub/Projects/0331/NONLIN (deleted)
    0 .a. drwxrwxrwx 524 100 13877367 <sdb1.img-dead-13877367>
    0 .a. drwxrwxrwx 115 100 8257636 <sdb1.img-dead-8257636>
    0 .a. drwxrwxrwx 504 100 12812364 <sdb1.img-dead-12812364>
    0 .a. drwxrwxrwx 505 100 12255345 <sdb1.img-dead-12255345>
    0 .a. drwxrwxrwx 504 100 11223152 <sdb1.img-dead-11223152>
    Fri Oct 01 2004 11:42:36 0 .a. drwxrwxrwx 505 100 7553144 <sdb1.img-dead-7553144>
    0 .a. drwxrwxrwx 507 100 4423788 <sdb1.img-dead-4423788>
    0 .a. drwxrwxrwx 510 100 12812405 <sdb1.img-dead-12812405>
    0 .a. drwxrwxrwx 505 100 11534455 <sdb1.img-dead-11534455>
    0 .a. drwxrwxrwx 504 100 12812410 <sdb1.img-dead-12812410>
    0 .a. drwxrwxrwx 505 100 6733944 <sdb1.img-dead-6733944>
    0 .a. drwxrwxrwx 505 100 6389880 <sdb1.img-dead-6389880>
    0 .a. drwxrwxrwx 505 100 3981345 <sdb1.img-dead-3981345>
    0 .a. drwxrwxrwx 505 100 11305068 <sdb1.img-dead-11305068>
    0 .a. drwxrwxrwx 507 100 7913597 <sdb1.img-dead-7913597>
    0 .a. drwxrwxrwx 505 100 9732192 <sdb1.img-dead-9732192>
    0 .a. drwxrwxrwx 505 100 12206157 <sdb1.img-dead-12206157>
    0 .a. drwxrwxrwx 504 100 2867317 <sdb1.img-dead-2867317>
    0 .a. drwxrwxrwx 505 100 3162206 <sdb1.img-dead-3162206>
    0 .a. drwxrwxrwx 504 100 2621515 <sdb1.img-dead-2621515>
    0 .a. d/drwxrwxrwx 511 100 3899448 /home/samba/pub/Projects/0412/etc/0412 Clamp (deleted)
    0 .a. drwxrwxrwx 505 100 12468314 <sdb1.img-dead-12468314>
    0 .a. d/drwxrwxrwx 507 100 4423788 /home/samba/pub/Projects/0416/dwg/Refs (deleted)
    0 .a. drwxrwxrwx 505 100 8683640 <sdb1.img-dead-8683640>
    0 .a. drwxrwxrwx 500 500 5046321 <sdb1.img-dead-5046321>
    0 .a. drwxrwxrwx 505 100 6094953 <sdb1.img-dead-6094953>

My question is then: Is there any guarantee that the inodes are deleted sequentially and in the same order as in the log? Or: Is it possible that the inodes from line 5 to 24 all belong to the same dir (...0331/NONLIN or ...etc/0412 Clamp)? (The log is from rsync stdout, which caused the deletion (due to my misunderstanding of some flags).)

At least I know that the incident happened somewhere between 11:42 and 11:46, but the number of files is 10000+. The backup procedures have been off for some time, but we have recovered around 9000 of the files. I need to get the last 1000 as well, and they were only stored on that disk.

Should I, from the information in the timeline, use `dls` to extract the blocks mentioned between 11:42 and 11:46 and then try to analyse the blocks with `foremost` (or similar)? Or should I do a

    dls -f ext3fs /mnt/image.dd start-stop

where start is, say, the lowest block number (7th column) within the window and stop is the highest block number within the window?

Please give me some advice, as this is my first (and last)?

regards
andrass

--
Andrass Ziska Davidsen
LICengineering A/S
Ehlersvej 24
DK-2900 Hellerup
DENMARK
tel. (+45) 39 62 16 42
fax. (+45) 39 62 54 80
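The following is an added example, not code from the original post or from The Sleuth Kit, showing how one can work with a mactime-style timeline like the one above before reaching for `dls`: parse the records (the date is only printed on the first line of each timestamp group, so it has to be carried forward), keep the entries in the 11:42 to 11:46 window, pair each orphan `<image-dead-N>` record with any named `(deleted)` record that carries the same number in the seventh column (the two records describe the same inode, one coming from the `ils` side of the timeline and one from the `fls` side, so they are not separate files), and report the lowest and highest number in the window. The seventh column is the inode (meta-data) address; `dls` takes data-unit (block) addresses, so that range is a list of inodes to examine, not something to pass to `dls` directly. The sample lines are constructed for the example, shaped like the poster's excerpt; the `Entry` class and function names are assumptions of this example.

```python
"""Parse mactime-style timeline output and select entries in a time window.
Added example; not part of The Sleuth Kit or the original post."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

# One timeline record: an optional date prefix (mactime prints it only on
# the first line of each timestamp group), then size, MAC flags, mode,
# uid, gid, inode (meta address) and the name.
LINE_RE = re.compile(
    r"^(?:(?P<date>[A-Z][a-z]{2} [A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2})\s+)?"
    r"(?P<size>\d+)\s+(?P<mac>[mac.]{3})\s+(?P<mode>\S+)\s+"
    r"(?P<uid>\d+)\s+(?P<gid>\d+)\s+(?P<inode>\d+)\s+(?P<name>.*\S)\s*$"
)
# Orphan inode records look like <image-dead-N>.
DEAD_RE = re.compile(r"^<.+-dead-(\d+)>$")

# Constructed sample input, shaped like the poster's excerpt (not real data).
SAMPLE = """\
Fri Oct 01 2004 11:42:36 0 .a. drwxrwxrwx 505 100 7553144 <sdb1.img-dead-7553144>
                         0 .a. drwxrwxrwx 507 100 4423788 <sdb1.img-dead-4423788>
                         0 .a. d/drwxrwxrwx 507 100 4423788 /home/samba/pub/Projects/0416/dwg/Refs (deleted)
                         0 .a. d/drwxrwxrwx 511 100 3899448 /home/samba/pub/Projects/0412/etc/0412 Clamp (deleted)
Fri Oct 01 2004 11:45:12 0 .a. drwxrwxrwx 505 100 12468314 <sdb1.img-dead-12468314>
Fri Oct 01 2004 11:47:03 0 m.c -/-rw-r--r-- 500 500 5046321 /home/samba/pub/Projects/0331/readme.txt
"""


class Entry(NamedTuple):
    when: datetime
    mac: str
    mode: str
    inode: int
    name: str

    @property
    def orphan(self) -> bool:
        """True for an <image-dead-N> record (inode with no name)."""
        return DEAD_RE.match(self.name) is not None

    @property
    def deleted(self) -> bool:
        return self.orphan or self.name.endswith("(deleted)")


def parse_timeline(text: str) -> List[Entry]:
    """Parse records, carrying the last seen date onto lines that omit it."""
    entries: List[Entry] = []
    current: Optional[datetime] = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank line or a word-wrapped fragment, not a record
        if m.group("date"):
            current = datetime.strptime(m.group("date"), "%a %b %d %Y %H:%M:%S")
        if current is None:
            continue  # a record before any date line cannot be placed in time
        entries.append(Entry(current, m.group("mac"), m.group("mode"),
                             int(m.group("inode")), m.group("name")))
    return entries


def in_window(entries: List[Entry], start: datetime, end: datetime) -> List[Entry]:
    """Entries whose timestamp lies in [start, end)."""
    return [e for e in entries if start <= e.when < end]


def pair_orphans(entries: List[Entry]) -> Dict[int, Set[str]]:
    """Map each orphan inode number to the deleted path names with the same
    inode number; an empty set means no name survived for that inode."""
    names: Dict[int, Set[str]] = defaultdict(set)
    for e in entries:
        if e.deleted and not e.orphan:
            names[e.inode].add(e.name)
    return {e.inode: set(names.get(e.inode, ())) for e in entries if e.orphan}


def inode_range(entries: List[Entry]) -> Optional[Tuple[int, int]]:
    """Lowest and highest inode number in the list. These are inode
    addresses, not data-unit addresses, so this is not a dls range."""
    if not entries:
        return None
    nums = [e.inode for e in entries]
    return min(nums), max(nums)


if __name__ == "__main__":
    window = in_window(parse_timeline(SAMPLE),
                       datetime(2004, 10, 1, 11, 42), datetime(2004, 10, 1, 11, 46))
    print("records in window:", len(window))
    print("inode range:", inode_range(window))
    for inode, names in sorted(pair_orphans(window).items()):
        print(inode, sorted(names) or "(no name recovered)")
```

Run against a real `mactime` output file instead of `SAMPLE` by reading the file into `parse_timeline`; the window bounds are the 11:42 and 11:46 the poster mentions.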