[sleuthkit-users] Bad Superblock and tsk versus foremost
Brought to you by:
carrier
Menu
▾
▴
[sleuthkit-users] Bad Superblock and tsk versus foremost
|
From: esrkq y. <es...@ya...> - 2006-03-06 23:51:41
|
Hi, Had a disk failure in windows. There are some MS Office files I would like to retrieve in particular one Excel spreadsheet. I tried to mount the relevant partition under linux but got a bad superblock message. The partition type is vfat. I imaged the partion under linux using dd and ran foremost against it and it recovered 399 MS Office files but unfortunately the one that I really wanted wasn't amongst them. Quite a few of the files it recovered were corrupt. It seemed to have more success with Word Docs than Excel. I tried mounting the dd image with the loop back driver but got the same error 'bad superblock'. Is there any point trying to find the info using sleuthkit / autopsy. If I could search for and find a relevant string using autopsy could I recover the file any better than foremost (which didn't even locate this particular document). Foremost finds office documents by looking for ole objects which is obviously a different search strategy than my typing in a particular string to search for in Autopsy. Also, would the fact that the image has a bad superblock preclude me from using sleuthkit/autopsy. I tried a couple of windows utilities (old version of Norton and a version of Paragon) to see if they could ressurect the partition but no joy. Any advice much appreciated, Cheers, JP. ___________________________________________________________ To help you stay safe and secure online, we've developed the all new Yahoo! Security Centre. http://uk.security.yahoo.com |
