Re: [sleuthkit-users] Bad Superblock and tsk versus foremost
Brought to you by:
carrier
Menu
▾
▴
Re: [sleuthkit-users] Bad Superblock and tsk versus foremost
|
From: Brian C. <ca...@sl...> - 2006-03-07 01:30:54
|
TSK / Autopsy may be able to analyze the corrupt image, but it is hard to say without knowing what is corrupt. Some tools are more picky about some things than others. Keyword searching isn't going to help you much if foremost didn't find it. Keyword searching may show you a sector from the file, but you still need to group the sectors together. Presumably, foremost would have found the corresponding header if it existed. You may need to manually choose which sectors are from the file and which ones aren't ..... Not an easy task. brian On Mar 6, 2006, at 6:51 PM, esrkq yahoo wrote: > Hi, > > Had a disk failure in windows. There are some MS > Office files I would like to retrieve in particular > one Excel spreadsheet. > > I tried to mount the relevant partition under linux > but got a bad superblock message. The partition type > is vfat. > > I imaged the partion under linux using dd and ran > foremost against it and it recovered 399 MS Office > files but unfortunately the one that I really wanted > wasn't amongst them. Quite a few of the files it > recovered were corrupt. It seemed to have more > success with Word Docs than Excel. > > I tried mounting the dd image with the loop back > driver but got the same error 'bad superblock'. > > Is there any point trying to find the info using > sleuthkit / autopsy. If I could search for and find a > relevant string using autopsy could I recover the file > any better than foremost (which didn't even locate > this particular document). > > Foremost finds office documents by looking for ole > objects which is obviously a different search strategy > than my typing in a particular string to search for in > Autopsy. > > Also, would the fact that the image has a bad > superblock preclude me from using sleuthkit/autopsy. > > I tried a couple of windows utilities (old version of > Norton and a version of Paragon) to see if they could > ressurect the partition but no joy. > > Any advice much appreciated, > > Cheers, > JP. > > > > > > > > > ___________________________________________________________ > To help you stay safe and secure online, we've developed the all > new Yahoo! Security Centre. http://uk.security.yahoo.com > > > ------------------------------------------------------- > This SF.Net email is sponsored by xPML, a groundbreaking scripting > language > that extends applications into web and mobile media. Attend the > live webcast > and join the prime developer group breaking into this new coding > territory! > http://sel.as-us.falkag.net/sel? > cmd=lnk&kid=110944&bid=241720&dat=121642 > _______________________________________________ > sleuthkit-users mailing list > https://lists.sourceforge.net/lists/listinfo/sleuthkit-users > http://www.sleuthkit.org > > |
