Re: [sleuthkit-users] Bad Superblock and tsk versus foremost
From: youcef b. <ybi...@ya...> - 2006-03-07 23:06:19
Hi,

foremost is mostly suited where the files were allocated in consecutive clusters. If a file was defragmented then foremost will not retrieve it (thus the corruption that you may experience in some files).

I am not sure what filesystem you have on that disk. Depending on where the corruption occurs, if you have a FAT file system then you may be lucky to retrieve it using WinHex and of course some knowledge of how the FAT filesystem is laid out (Brian Book is the best in this topic). I've mentioned FAT because it's the easiest to work with using a manual process as I described above; NTFS is a kill to follow with a hex editor.

regards
youcef

--- esrkq yahoo <es...@ya...> wrote:

> Hi,
>
> Had a disk failure in Windows. There are some MS Office files I would
> like to retrieve, in particular one Excel spreadsheet.
>
> I tried to mount the relevant partition under Linux but got a bad
> superblock message. The partition type is vfat.
>
> I imaged the partition under Linux using dd and ran foremost against it
> and it recovered 399 MS Office files but unfortunately the one that I
> really wanted wasn't amongst them. Quite a few of the files it recovered
> were corrupt. It seemed to have more success with Word docs than Excel.
>
> I tried mounting the dd image with the loopback driver but got the same
> error 'bad superblock'.
>
> Is there any point trying to find the info using sleuthkit / autopsy?
> If I could search for and find a relevant string using autopsy could I
> recover the file any better than foremost (which didn't even locate this
> particular document)?
>
> Foremost finds office documents by looking for OLE objects, which is
> obviously a different search strategy than my typing in a particular
> string to search for in Autopsy.
>
> Also, would the fact that the image has a bad superblock preclude me
> from using sleuthkit/autopsy?
>
> I tried a couple of Windows utilities (old version of Norton and a
> version of Paragon) to see if they could resurrect the partition but no
> joy.
>
> Any advice much appreciated,
>
> Cheers,
> JP.
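
An added illustration, not part of the original thread: the Python below shows why a carver that assumes consecutive clusters returns a corrupt file when the FAT chain is not consecutive. It assumes a FAT16 layout (FAT32 is not handled), and the image, the file contents and all function names are constructed for the example.

```python
import struct

def parse_bpb(sector):
    """Decode and sanity-check the FAT12/16 BIOS Parameter Block (boot sector)."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    bps, spc, reserved, nfats, root_entries, _total, _media, fatsz = \
        struct.unpack_from("<HBHBHHBH", sector, 11)
    if bps not in (512, 1024, 2048, 4096) or spc == 0 or spc & (spc - 1):
        raise ValueError("implausible sector or cluster size")
    if 0 in (reserved, nfats, fatsz):
        raise ValueError("implausible FAT geometry (FAT32 is not handled here)")
    fat_off = reserved * bps
    root_off = fat_off + nfats * fatsz * bps
    data_off = root_off + (root_entries * 32 + bps - 1) // bps * bps
    return {"csize": bps * spc, "fat_off": fat_off, "data_off": data_off}

def cluster_chain(image, bpb, first):
    """Follow FAT16 entries from `first` until end-of-chain, a bad mark or a loop."""
    chain = []
    while 2 <= first < 0xFFF7 and first not in chain:
        chain.append(first)
        (first,) = struct.unpack_from("<H", image, bpb["fat_off"] + 2 * first)
    return chain

def read_clusters(image, bpb, clusters, size):
    """Concatenate the given clusters and trim to the file size."""
    off = lambda c: bpb["data_off"] + (c - 2) * bpb["csize"]
    return b"".join(image[off(c):off(c) + bpb["csize"]] for c in clusters)[:size]

def build_sample():
    """Constructed image: one 1124-byte file stored in clusters 2 -> 5 -> 3."""
    img = bytearray(16 * 1024)
    struct.pack_into("<HBHBHHBH", img, 11, 512, 1, 1, 1, 16, 32, 0xF8, 1)
    img[510:512] = b"\x55\xaa"
    for cluster, nxt in ((2, 5), (5, 3), (3, 0xFFFF)):
        struct.pack_into("<H", img, 512 + 2 * cluster, nxt)
    for cluster, fill in ((2, b"A" * 512), (5, b"B" * 512), (3, b"C" * 100)):
        start = 1536 + (cluster - 2) * 512
        img[start:start + len(fill)] = fill
    return bytes(img)

if __name__ == "__main__":
    image = build_sample()
    bpb = parse_bpb(image[:512])
    chain = cluster_chain(image, bpb, 2)
    by_fat = read_clusters(image, bpb, chain, 1124)
    carved = read_clusters(image, bpb, range(2, 5), 1124)  # what a carver assumes
    print(chain, by_fat == carved)
```

`parse_bpb` raising `ValueError` on the first sector of a real image is the same condition that makes a mount fail; the FAT and data area may still be intact further into the image.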