Re: [sleuthkit-users] Examining RAID-5 with only 1 drive
From: Brian C. <ca...@sl...> - 2006-11-21 05:06:40
Simson Garfinkel wrote:
>
> On Nov 19, 2006, at 6:00 PM, DePriest, Jason R. wrote:
>
>>
>> My question is this: how can such evidence be found when the file
>> system is not mountable? If there is not a recognized file system to
>> provide the references and pointers to files and file names, how can
>> you know what was deleted and what was still a file?
>
> Depends on what the file system is. If it is FAT32, then the first
> character of filenames will be changed when they are deleted. You might
> recover directory entries even if the file system is not recoverable.

Similarly with NTFS, but it will require you to look at the allocation
status in the MFT entry flags. If you know the type of source code, you
could do a UTF-16 search for ".cpp" (or similar) to get the file name
entries.

>> Is there any way I can force any of the sleuthkit tools to see it as
>> such and extract a real file list from it?

No, I think you are out of luck. TSK requires at least a minimal amount
of basic information from a boot sector / super block and you may not
even have that in this case since you are missing two of the RAID
drives. You may consider looking into testdisk or gpart to see if they
can scavenge any file system traces from the image.

brian
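The two scavenging approaches described above, as an added example that is not part of the thread or of TSK: a raw scan for FAT 8.3 directory entries that flags deleted ones (first name byte overwritten with 0xE5), and a UTF-16LE search for ".cpp" that walks back to recover the surrounding name. The sample bytes are constructed; on a real image the cluster numbers only become usable once some boot-sector geometry is recovered.

```python
import struct
FAT_ENTRY, ATTR_LFN, DELETED = 32, 0x0F, 0xE5  # entry size; LFN attr; deleted marker

def _plausible(e):
    """Cheap sanity filter so a raw scan does not treat every 32 bytes as an entry."""
    first, attr = e[0], e[11]
    if first == 0x00 or attr == ATTR_LFN or attr & 0xC0:
        return False
    ok_first = first == DELETED or 0x20 <= first <= 0x7E
    return ok_first and all(0x20 <= b <= 0x7E for b in e[1:11])

def fat_dir_entries(data):
    """Scan a raw buffer in 32-byte steps; return (offset, name, status, size,
    first_cluster) per plausible 8.3 entry. The first byte of a deleted name is
    overwritten with 0xE5 and lost, so it is shown as '?'."""
    found = []
    for off in range(0, len(data) - FAT_ENTRY + 1, FAT_ENTRY):
        e = data[off:off + FAT_ENTRY]
        if not _plausible(e):
            continue
        base = e[:8].decode("ascii", "replace").rstrip()
        ext = e[8:11].decode("ascii", "replace").rstrip()
        status = "allocated"
        if e[0] == DELETED:
            base, status = "?" + base[1:], "deleted"
        size = struct.unpack_from("<I", e, 28)[0]
        hi, lo = struct.unpack_from("<H", e, 20)[0], struct.unpack_from("<H", e, 26)[0]
        found.append((off, f"{base}.{ext}" if ext else base, status, size, (hi << 16) | lo))
    return found

def utf16_name_hits(data, ext=".cpp"):
    """Find UTF-16LE occurrences of ext (the encoding NTFS uses for file names)
    and walk back over printable ASCII code units to recover the name stem."""
    needle, hits, start = ext.encode("utf-16-le"), [], 0
    while (i := data.find(needle, start)) >= 0:
        j = i
        while j >= 2 and 0x20 <= data[j - 2] <= 0x7E and data[j - 1] == 0:
            j -= 2
        hits.append((j, data[j:i + len(needle)].decode("utf-16-le")))
        start = i + len(needle)
    return hits

def _entry(name, attr, cluster, size):  # constructed 32-byte FAT entry, timestamps zeroed
    return struct.pack("<11sBBBHHHHHHHI", name, attr, 0, 0, 0, 0, 0,
                       cluster >> 16, 0, 0, cluster & 0xFFFF, size)

# Constructed sample: live entry, deleted entry, unused slot, then a stray UTF-16LE name
SAMPLE = (_entry(b"MAIN    CPP", 0x20, 5, 1234) + _entry(b"\xe5TILS   CPP", 0x20, 9, 777)
          + b"\x00" * 32 + b"junk" + "utils.cpp".encode("utf-16-le") + b"\x00\x00")
```

Point both functions at a raw dd image read in chunks; the filter in `_plausible` is deliberately loose, so expect some false positives on a multi-gigabyte scan and confirm hits by their cluster and size values.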