Re: [sleuthkit-users] Undeleting files on ext3
From: Brian C. <ca...@sl...> - 2004-10-06 15:54:39
On Oct 6, 2004, at 7:45 AM, Andrass Ziska Davidsen wrote:

> Dear sleuthkit-users,
>
> I have a disk image from which I need to recover deleted files. The
> system is ext3fs. I have The Sleuth Kit and Autopsy up and running.
> My question is then: Is there any guarantee that the inodes are
> deleted sequentially and in the same order as in the log?

Nope. They are deleted in the order that they are in the directory, and the timeline is accurate only to the second. The ordering in the timeline within that second is based on how Perl sorts them in the internal 'mactime' data structure. There is nanosecond resolution in the inode, but TSK currently ignores that.

> Or: Is it possible that the inodes from line 5 to 24 all belong to the
> same dir (...0331/NONLIN or ...etc/0412 Clamp)?

I would say that it is unlikely. The inode values (the number before the name) of files in the same directory should be somewhat close (inodes are allocated in the same block group as their parent directory). So, based on the above range, I would guess that there are a few directories (I would need the 'fsstat' output, though, which contains the block group sizes).

> Should I from the information in the timeline use `dls` to extract the
> blocks mentioned between 11:42 and 11:46 and then try to analyse the
> blocks with `foremost` (or similar)? Or should I do a
> dls -f ext3fs /mnt/image.dd start-stop

Well, you don't know which blocks were allocated by those files... You can identify the block groups that were used by those files (using the inode numbers and the 'fsstat' output) and extract the unallocated blocks from those groups. Then run 'foremost'. If your files do not have a known header and footer, though, 'foremost' will not help.

brian
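The block-group approach Brian describes above, worked through in code as an added example (this is not part of the thread and not TSK's own code): take the inode numbers from the timeline, map each to its ext2/ext3 block group using the "Inodes per group", "Blocks per group" and "First Data Block" values that 'fsstat' prints, turn each group into a block range, and build the 'dls' command that dumps the unallocated blocks of that range for 'foremost'. The fsstat excerpt and the inode numbers are constructed for the example; the tool name 'dls' and the type 'linux-ext3' are the TSK 1.x names used in 2004 (later releases renamed 'dls' to 'blkls' and the type to 'ext3'; both are parameters below). Cross-check the computed ranges against the per-group "Block Range" lines fsstat prints for your image.

```python
# Added example (not from the thread): turn inode numbers plus the geometry
# that 'fsstat' reports into block-group ranges for 'dls' / 'blkls'.
import re

# Constructed fsstat-style excerpt. The numbers are assumptions for the
# example, not values from the image discussed in the thread.
FSSTAT_SAMPLE = """\
CONTENT INFORMATION
--------------------------------------------
Block Range: 0 - 81919
Block Size: 1024

BLOCK GROUP INFORMATION
--------------------------------------------
Number of Block Groups: 10
Inodes per group: 2048
Blocks per group: 8192
First Data Block: 1
"""


def parse_fsstat(text):
    """Extract the geometry fields this calculation needs from fsstat output."""
    wanted = {
        "inodes_per_group": r"Inodes per group:\s*(\d+)",
        "blocks_per_group": r"Blocks per group:\s*(\d+)",
        "first_data_block": r"First Data Block:\s*(\d+)",
    }
    geom = {}
    for name, pattern in wanted.items():
        m = re.search(pattern, text)
        if m is None:
            raise ValueError("fsstat output is missing: %s" % name)
        geom[name] = int(m.group(1))
    # The first "Block Range" line covers the whole file system; its end is
    # used to clamp the last group, which is often shorter than the others.
    m = re.search(r"Block Range:\s*(\d+)\s*-\s*(\d+)", text)
    if m is None:
        raise ValueError("fsstat output is missing: Block Range")
    geom["last_block"] = int(m.group(2))
    return geom


def inode_group(inode, inodes_per_group):
    """ext2/ext3 inode numbers start at 1, so inodes 1..N sit in group 0."""
    if inode < 1:
        raise ValueError("ext inode numbers start at 1")
    return (inode - 1) // inodes_per_group


def group_block_range(group, geom):
    """(first, last) block of a group: group g starts at
    first_data_block + g * blocks_per_group and is clamped to the fs end."""
    first = geom["first_data_block"] + group * geom["blocks_per_group"]
    if first > geom["last_block"]:
        raise ValueError("group %d lies past the end of the file system" % group)
    last = min(first + geom["blocks_per_group"] - 1, geom["last_block"])
    return first, last


def plan_extraction(inodes, fsstat_text, image="image.dd",
                    fstype="linux-ext3", tool="dls"):
    """Return the dls/blkls commands that dump the unallocated blocks of every
    block group the given inodes live in. Adjacent groups are merged into one
    start-stop range so each block is dumped once and in order."""
    geom = parse_fsstat(fsstat_text)
    groups = sorted({inode_group(i, geom["inodes_per_group"]) for i in inodes})
    ranges = []
    for g in groups:
        first, last = group_block_range(g, geom)
        if ranges and ranges[-1][1] + 1 == first:
            ranges[-1] = (ranges[-1][0], last)   # contiguous with previous group
        else:
            ranges.append((first, last))
    return ["%s -f %s %s %d-%d" % (tool, fstype, image, a, b) for a, b in ranges]


if __name__ == "__main__":
    # Deleted inode numbers as they would be read off a timeline (constructed).
    for cmd in plan_extraction([4101, 4203, 12301], FSSTAT_SAMPLE):
        print(cmd)
```

Pipe each command's output into a file and run 'foremost' over it; as Brian notes, that only recovers file types with a known header (and ideally footer). Inodes 4101 and 4203 fall in the same group (2), so they produce one range, while 12301 lands in group 6 and gets its own.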