[sleuthkit-users] recover $orphaned files
From: ewaldo s. <ewa...@gm...> - 2014-02-22 09:44:36
Dear sleuthkit user mailing list,

Can anyone help me with this? I am trying to recover some orphan files.

1. First, using fls, I've found some orphaned files:

Code:
    fls -o 63 -r F imagename.001 | grep -i file_name
    -/r * 649873: $OrphanFiles/TAGIHAN.xls
    r/r * 122506: $OrphanFiles/PT8D15~1.NUG/REKAP TAGIHAN MAR'11.xls
    -/r * 1212051: $OrphanFiles/TAGIHA~1.XLS
    -/r * 1282702: $OrphanFiles/TAGIHA~1.XLS
    -/r * 1374865: $OrphanFiles/TAGIHA~1.XLS
    -/r * 1472145: $OrphanFiles/TAGIHA~1.XLS
    -/r * 1519249: $OrphanFiles/TAGIHA~1.XLS
    -/r * 1571469: $OrphanFiles/TAGIHA~1.XLS

2. Then, using istat to see the metadata of the last file listed before (this is the part that I got wrong the last time):

Code:
    istat -o 63 imagename 1571469
    Directory Entry: 1571469
    Not Allocated
    File Attributes: File, Archive
    Size: 24064
    Name: TAGIHA~1.XLS

    Directory Entry Times:
    Written: Mon Aug 24 14:26:16 2009
    Accessed: Tue Aug 7 00:00:00 2012
    Created: Tue Aug 7 09:40:58 2012

    Sectors:
    20896 20897 20898 20899 20900 20901 20902 20903
    20904 20905 20906 20907 20908 20909 20910 20911
    20912 20913 20914 20915 20916 20917 20918 20919
    20920 20921 20922 20923 20924 20925 20926 20927
    20928 20929 20930 20931 20932 20933 20934 20935
    20936 20937 20938 20939 20940 20941 20942 20943

It means that the directory entry still points to the FAT entries and in the end points to the sectors used by that file.

3. Now I don't get how to recover the TAGIHA~1.XLS. I've tried using dd:

Code:
    dd if=imagefile of=outputfile bs=4096 skip=20896 count=6

and also icat:

    icat -o 63 imagename.001 1571496 > TAGI~1.xls

again to no avail.

I've tried recovering with foremost, and it does recover some files, but I need the names of the files; that's why I'm trying to use this method.

Please correct me if I'm wrong, and give me a hint where to go from here. I really appreciate your help, thank you.

--
Regards,
Ewaldo Simon
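
Added example, not part of the original message and not Sleuth Kit code: a shell sketch that converts the istat output quoted above into dd parameters and carves the file from the whole-disk image. It assumes 512-byte sectors and that istat's sector addresses are relative to the start of the file system, so the -o offset (63) is added; plan_extract, extract_file and sample_istat are hypothetical helper names.

```shell
#!/bin/sh
# Added example: turn istat output for a FAT entry into dd parameters.
# Assumptions: 512-byte sectors; istat's sector addresses are relative to
# the start of the file system, so the -o offset (63 here) must be added
# when reading from the whole-disk image.
SECTOR_SIZE=512

# istat text from the post, trimmed to the fields the parser reads.
sample_istat() {
cat <<'EOF'
Directory Entry: 1571469
Not Allocated
Size: 24064
Name: TAGIHA~1.XLS
Sectors:
20896 20897 20898 20899 20900 20901 20902 20903
20904 20905 20906 20907 20908 20909 20910 20911
20912 20913 20914 20915 20916 20917 20918 20919
20920 20921 20922 20923 20924 20925 20926 20927
20928 20929 20930 20931 20932 20933 20934 20935
20936 20937 20938 20939 20940 20941 20942 20943
EOF
}

# plan_extract PART_OFFSET < istat-text
# Prints "<absolute first sector> <sector count> <size in bytes>".
# Returns 1 if the run is empty, not contiguous, or shorter than Size.
plan_extract() {
    awk -v off="$1" -v ss="$SECTOR_SIZE" '
        /^Size:/    { size = $2 }
        /^Sectors:/ { insec = 1; next }
        insec { for (i = 1; i <= NF; i++) {
                    if ($i !~ /^[0-9]+$/) continue
                    if (n == 0) first = $i; else if ($i != prev + 1) gap = 1
                    prev = $i; n++ } }
        END { need = int((size + ss - 1) / ss)   # sectors holding Size bytes
              if (n == 0 || gap || need > n) exit 1
              printf "%d %d %d\n", first + off, need, size }'
}

# extract_file IMAGE PART_OFFSET OUTFILE < istat-text
extract_file() {
    img=$1; out=$3
    plan=$(plan_extract "$2") || { echo "sector list unusable" >&2; return 1; }
    set -- $plan
    # Read whole sectors, then cut the slack after the last byte of the file.
    dd if="$img" bs="$SECTOR_SIZE" skip="$1" count="$2" 2>/dev/null |
        head -c "$3" > "$out"
}

sample_istat | plan_extract 63    # prints: 20959 47 24064
```

The carved bytes are only as reliable as the sector list: for an entry marked Not Allocated, those sectors may since have been reused by other files.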