Re: [sleuthkit-users] recover $orphaned files
Brought to you by:
carrier
Menu
▾
▴
Re: [sleuthkit-users] recover $orphaned files
|
From: Alex N. <ajn...@cs...> - 2014-02-22 18:13:22
|
Hi Ewaldo, Your dd should work given the sector offsets. However, you passed a sector size of 4096 (bs=4096). I'm guessing because -o63 worked in istat, you should have passed bs=512 in dd. --Alex On Feb 22, 2014, at 01:44 , ewaldo simon <ewa...@gm...> wrote: > Dear sleuthkit user mailing list, can anyone help me with this, I am trying to recover some orphan files. > > > 1. first, using fls, I've found some orphaned files: > > Code: > fls -o 63 -r F imagename.001 | grep -i file_name > > -/r * 649873: $OrphanFiles/TAGIHAN.xls > r/r * 122506: $OrphanFiles/PT8D15~1.NUG/REKAP TAGIHAN MAR'11.xls > -/r * 1212051: $OrphanFiles/TAGIHA~1.XLS > -/r * 1282702: $OrphanFiles/TAGIHA~1.XLS > -/r * 1374865: $OrphanFiles/TAGIHA~1.XLS > -/r * 1472145: $OrphanFiles/TAGIHA~1.XLS > -/r * 1519249: $OrphanFiles/TAGIHA~1.XLS > -/r * 1571469: $OrphanFiles/TAGIHA~1.XLS > > 2. then, using istat to see the metadata of the last file listed before (this is the part that I got wrong the last time) > > Code: > istat -o 63 imagename 1571469 > > Directory Entry: 1571469 > Not Allocated > File Attributes: File, Archive > Size: 24064 > Name: TAGIHA~1.XLS > > Directory Entry Times: > Written: Mon Aug 24 14:26:16 2009 > Accessed: Tue Aug 7 00:00:00 2012 > Created: Tue Aug 7 09:40:58 2012 > > Sectors: > 20896 20897 20898 20899 20900 20901 20902 20903 > 20904 20905 20906 20907 20908 20909 20910 20911 > 20912 20913 20914 20915 20916 20917 20918 20919 > 20920 20921 20922 20923 20924 20925 20926 20927 > 20928 20929 20930 20931 20932 20933 20934 20935 > 20936 20937 20938 20939 20940 20941 20942 20943 > > it means that the directory entry still points to the FAT entries and in the end points to the sectors used by that file. > > 3. now I don't get how to recover the TAGIHA~1.XLS > > I've tried using dd: > Code: > dd if=imagefile of=outputfile bs=4096 skip=20896 count=6 > and > also icat > > icat -o 63 imagename.001 1571496 > TAGI~1.xls > > again to no avail. > > I've tried recovering with foremost, and it does recover some files, but I need the name of the files, that's why I'm trying to use this method. > Please correct me if I'm wrong, and give me the hint where to go from here. I really appriciate your help, thank you. > > > > > -- > Regards, > Ewaldo Simon > ------------------------------------------------------------------------------ > Managing the Performance of Cloud-Based Applications > Take advantage of what the Cloud has to offer - Avoid Common Pitfalls. > Read the Whitepaper. > http://pubads.g.doubleclick.net/gampad/clk?id=121054471&iu=/4140/ostg.clktrk_______________________________________________ > sleuthkit-users mailing list > https://lists.sourceforge.net/lists/listinfo/sleuthkit-users > http://www.sleuthkit.org |
