Re: [sleuthkit-users] Examining RAID-5 with only 1 drive
From: DePriest, J. R. <jrd...@gm...> - 2006-11-19 23:00:58
On 11/15/06, Simson Garfinkel wrote:
> > So I am extracting strings from the partition labeled 'Hibernation'
> > and hopefully that will be good enough.
>
> Why are you extracting from the Hibernation partition and not from
> the entire physical device?

Oversight. I have extracted the entire thing.

I have been told by my boss that the lawyers say the FBI found evidence of file deletion on the drive.

My question is this: how can such evidence be found when the file system is not mountable? If there is not a recognized file system to provide the references and pointers to files and file names, how can you know what was deleted and what was still a file?

I see large sections of the disk that are just 0x00, but that is normal for areas that have never been written to. Other areas have suspicious patterns such as 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 00, etc. I honestly don't know what would cause that naturally. But since I cannot mount the drive and look at the file system directly, I can only make inferences.

I imagine the disk was inside a Windows server, so the original file system was likely NTFS. Is there any way I can force any of the sleuthkit tools to see it as such and extract a real file list from it? Or am I completely out of luck?

I cannot search for file names, only strings. What would be the best way to search for the MFT by strings alone?

-Jason

--
+ + + NO CARRIER
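One way to locate NTFS MFT records in a raw image with no mountable file system, as an added example that is not part of this thread: each MFT record starts with the magic bytes "FILE" and carries an in-use flag in its header, so records can be carved by signature and their allocation state read directly. The image below is constructed test data, and the 1024-byte record size is assumed.

```python
import re
import struct

MFT_MAGIC = b"FILE"          # signature at the start of every MFT record
RECORD_SIZE = 1024           # assumed; the common NTFS MFT record size

def build_record(record_number, flags):
    """Constructed 1024-byte MFT record header for the sample image (test data only)."""
    rec = bytearray(RECORD_SIZE)
    rec[0:4] = MFT_MAGIC
    struct.pack_into("<H", rec, 0x04, 0x30)            # update sequence array offset
    struct.pack_into("<H", rec, 0x06, 3)               # update sequence count
    struct.pack_into("<H", rec, 0x10, 2)               # sequence number
    struct.pack_into("<H", rec, 0x14, 0x38)            # offset of first attribute
    struct.pack_into("<H", rec, 0x16, flags)           # 0x01 = in use, 0x02 = directory
    struct.pack_into("<I", rec, 0x18, 0x100)           # bytes used in record
    struct.pack_into("<I", rec, 0x1C, RECORD_SIZE)     # bytes allocated for record
    struct.pack_into("<I", rec, 0x2C, record_number)   # record number (newer NTFS versions)
    return bytes(rec)

def parse_mft_header(buf):
    """Return header fields from a candidate record, or None if it does not look like one."""
    if len(buf) < 0x30 or buf[0:4] != MFT_MAGIC:
        return None
    allocated, = struct.unpack_from("<I", buf, 0x1C)
    if allocated != RECORD_SIZE:          # cheap sanity check against 'FILE' in plain text
        return None
    seq, = struct.unpack_from("<H", buf, 0x10)
    flags, = struct.unpack_from("<H", buf, 0x16)
    recno, = struct.unpack_from("<I", buf, 0x2C)
    return {"record": recno, "seq": seq,
            "in_use": bool(flags & 0x01), "directory": bool(flags & 0x02)}

def carve_mft_records(image):
    """Scan raw bytes for sector-aligned MFT records and report their allocation state."""
    hits = []
    for m in re.finditer(re.escape(MFT_MAGIC), image):
        off = m.start()
        if off % 512:                     # real records are sector-aligned
            continue
        hdr = parse_mft_header(image[off:off + RECORD_SIZE])
        if hdr:
            hdr["offset"] = off
            hits.append(hdr)
    return hits

# Constructed sample image: unused space, one live record, a stray 'FILE' in text, one freed record
SAMPLE_IMAGE = (b"\x00" * 512 + build_record(5, 0x01)
                + b"the word FILE in plain text".ljust(512, b"\x00") + build_record(9, 0x00))
```

A carved record whose in-use flag is clear but whose attributes are still populated is exactly the kind of deletion evidence that can be read without mounting anything.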