Re: [sleuthkit-users] Undeleting files on ext3

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

On Oct 6, 2004, at 7:45 AM, Andrass Ziska Davidsen wrote:

> Dear sleuthkit-users,
>
> I have a disk image from which I need to recover deleted files. The 
> system is ext3fs. I have The Sleuth Kit and Autopsy up and running.

> My question is then: Is there any guarantee for that the inodes are 
> deleted sequentially and in the same order as in the log?

Nope. They are deleted in the order that they are in the directory and 
the timeline is accurate to only the second.  The ordering in the 
timeline in that second is based on how Perl sorts them in the internal 
'mactime' data structure.   There is nano-second resolution in the 
inode, but TSK currently ignores that.

> Or: Is it possible that the inodes from line 5 to 24 all belong to the 
> same dir (...0331/NONLIN or ...etc/0412 Clamp)?

I would say that it is unlikely.  The inode value (the number before 
the name) of files in the same directory should be somewhat close 
(inodes are allocated in the same block group as their parent 
directory).  So, based on the above range I would guess that there are 
a few directories (I would need the 'fsstat' output though that 
contains the block group sizes).

> Should I from the information in the timeline use `dls` to extract the 
> blocks mentioned between 11:42 and 11:46 and then try to analyse the 
> blocks with `foremost` (or similar)? Or should I do a
> dls -f ext3fs /mnt/image.dd start-stop

Well, you don't know which blocks were allocated by those files...  You 
can identify the block groups that were used by those files (using the 
inode numbers and the 'fsstat' output) and extract the unallocated 
blocks from those groups.  Then run 'foremost'.  If your files do not 
have a known header and footer though, 'foremost' will not help.

brian