Re: [sleuthkit-users] Find deleted folder for $OrphanFiles
Brought to you by:
carrier
Menu
▾
▴
Re: [sleuthkit-users] Find deleted folder for $OrphanFiles
|
From: Brian C. <ca...@sl...> - 2014-01-30 14:27:20
|
No, Ext3 deleted files do not retain the link between the name and the metadata. So, that is as good as you'll get with TSK. Other tools use the journal / log to recover recently deleted info, but we've never integrated that into TSK. On Jan 29, 2014, at 6:15 PM, Aribird <ari...@gm...> wrote: > I have a bunch of files under $OrphanFiles/ and I wonder if there is any way > to determine the original directory that contained each of them. > This is a EXT3 image . > > fls "image" "inode of deleted folder or file" shows nothing in the > terminal. > Any idea in how to proceed from here ??? > Thanks in advance for any help... > > root@arielc-helix:/home/arielc/Desktop# fls -rpd extfs.dd > d/d * 10084: dir1/index_files > r/r * 22179: dir2/dir3/test1.txt > d/d * 18145(realloc): dir4 > r/r * 12102(realloc): .Trash-999/info/dir4.trashinfo.J3GPPV > r/r * 22179: .Trash-999/expunged/3021210733 > d/d * 10085: $OrphanFiles/OrphanFile-10085 > r/r * 10086: $OrphanFiles/OrphanFile-10086 > r/r * 10087: $OrphanFiles/OrphanFile-10087 > r/r * 10088: $OrphanFiles/OrphanFile-10088 > r/r * 10089: $OrphanFiles/OrphanFile-10089 > r/r * 10090: $OrphanFiles/OrphanFile-10090 > r/r * 10091: $OrphanFiles/OrphanFile-10091 > r/r * 10092: $OrphanFiles/OrphanFile-10092 > r/r * 10093: $OrphanFiles/OrphanFile-10093 > r/r * 10094: $OrphanFiles/OrphanFile-10094 > r/r * 10095: $OrphanFiles/OrphanFile-10095 > r/r * 10096: $OrphanFiles/OrphanFile-10096 > r/r * 10097: $OrphanFiles/OrphanFile-10097 > r/r * 10098: $OrphanFiles/OrphanFile-10098 > r/r * 10099: $OrphanFiles/OrphanFile-10099 > r/r * 10100: $OrphanFiles/OrphanFile-10100 > r/r * 10101: $OrphanFiles/OrphanFile-10101 > r/r * 10102: $OrphanFiles/OrphanFile-10102 > r/r * 10103: $OrphanFiles/OrphanFile-10103 > r/r * 10104: $OrphanFiles/OrphanFile-10104 > r/r * 10105: $OrphanFiles/OrphanFile-10105 > r/r * 10106: $OrphanFiles/OrphanFile-10106 > r/r * 10107: $OrphanFiles/OrphanFile-10107 > r/r * 10108: $OrphanFiles/OrphanFile-10108 > r/r * 10109: $OrphanFiles/OrphanFile-10109 > r/r * 10110: $OrphanFiles/OrphanFile-10110 > r/r * 10111: $OrphanFiles/OrphanFile-10111 > r/r * 10112: $OrphanFiles/OrphanFile-10112 > r/r * 10113: $OrphanFiles/OrphanFile-10113 > r/r * 10115: $OrphanFiles/OrphanFile-10115 > r/r * 10116: $OrphanFiles/OrphanFile-10116 > r/r * 12101: $OrphanFiles/OrphanFile-12101 > root@arielc-helix:/home/arielc/Desktop# > > > > > -- > View this message in context: http://filesystems.996266.n3.nabble.com/Find-deleted-folder-for-OrphanFiles-tp8409.html > Sent from the sleuthkit-users mailing list archive at Nabble.com. > > ------------------------------------------------------------------------------ > WatchGuard Dimension instantly turns raw network data into actionable > security intelligence. It gives you real-time visual feedback on key > security issues and trends. Skip the complicated setup - simply import > a virtual appliance and go from zero to informed in seconds. > http://pubads.g.doubleclick.net/gampad/clk?id=123612991&iu=/4140/ostg.clktrk > _______________________________________________ > sleuthkit-users mailing list > https://lists.sourceforge.net/lists/listinfo/sleuthkit-users > http://www.sleuthkit.org |
