Thread: [sleuthkit-users] Undeleting files on ext3
From: Andrass Z. D. <az...@li...> - 2004-10-06 12:45:19
Dear sleuthkit-users,

I have a disk image from which I need to recover deleted files. The system is ext3fs. I have The Sleuth Kit and Autopsy up and running. (I would like to excuse my bad knowledge of the terminology.)

I am aware that inode pointers are nulled at deletion, therefore I have no info on how the blocks are (were) joined.

I have made a timeline around when the files were deleted. The entries are like in the following excerpt (might look bad due to word wrapping):

                             0 .a. drwxrwxrwx   115 100 12451900 <sdb1.img-dead-12451900>
                             0 .a. drwxrwxrwx   509 100 2998404  <sdb1.img-dead-2998404>
                             0 .a. d/drwxrwxrwx 115 100 5554256  /home/samba/pub/Projects/0412/doc/Memo (deleted)
                             0 .a. d/drwxrwxrwx 115 100 8257636  /home/samba/pub/Projects/0331/NONLIN (deleted)
                             0 .a. drwxrwxrwx   524 100 13877367 <sdb1.img-dead-13877367>
                             0 .a. drwxrwxrwx   115 100 8257636  <sdb1.img-dead-8257636>
                             0 .a. drwxrwxrwx   504 100 12812364 <sdb1.img-dead-12812364>
                             0 .a. drwxrwxrwx   505 100 12255345 <sdb1.img-dead-12255345>
                             0 .a. drwxrwxrwx   504 100 11223152 <sdb1.img-dead-11223152>
    Fri Oct 01 2004 11:42:36 0 .a. drwxrwxrwx   505 100 7553144  <sdb1.img-dead-7553144>
                             0 .a. drwxrwxrwx   507 100 4423788  <sdb1.img-dead-4423788>
                             0 .a. drwxrwxrwx   510 100 12812405 <sdb1.img-dead-12812405>
                             0 .a. drwxrwxrwx   505 100 11534455 <sdb1.img-dead-11534455>
                             0 .a. drwxrwxrwx   504 100 12812410 <sdb1.img-dead-12812410>
                             0 .a. drwxrwxrwx   505 100 6733944  <sdb1.img-dead-6733944>
                             0 .a. drwxrwxrwx   505 100 6389880  <sdb1.img-dead-6389880>
                             0 .a. drwxrwxrwx   505 100 3981345  <sdb1.img-dead-3981345>
                             0 .a. drwxrwxrwx   505 100 11305068 <sdb1.img-dead-11305068>
                             0 .a. drwxrwxrwx   507 100 7913597  <sdb1.img-dead-7913597>
                             0 .a. drwxrwxrwx   505 100 9732192  <sdb1.img-dead-9732192>
                             0 .a. drwxrwxrwx   505 100 12206157 <sdb1.img-dead-12206157>
                             0 .a. drwxrwxrwx   504 100 2867317  <sdb1.img-dead-2867317>
                             0 .a. drwxrwxrwx   505 100 3162206  <sdb1.img-dead-3162206>
                             0 .a. drwxrwxrwx   504 100 2621515  <sdb1.img-dead-2621515>
                             0 .a. d/drwxrwxrwx 511 100 3899448  /home/samba/pub/Projects/0412/etc/0412 Clamp (deleted)
                             0 .a. drwxrwxrwx   505 100 12468314 <sdb1.img-dead-12468314>
                             0 .a. d/drwxrwxrwx 507 100 4423788  /home/samba/pub/Projects/0416/dwg/Refs (deleted)
                             0 .a. drwxrwxrwx   505 100 8683640  <sdb1.img-dead-8683640>
                             0 .a. drwxrwxrwx   500 500 5046321  <sdb1.img-dead-5046321>
                             0 .a. drwxrwxrwx   505 100 6094953  <sdb1.img-dead-6094953>

My question is then: Is there any guarantee that the inodes are deleted sequentially and in the same order as in the log? Or: Is it possible that the inodes from line 5 to 24 all belong to the same dir (...0331/NONLIN or ...etc/0412 Clamp)? (The log is from rsync stdout which caused the deletion (due to my misunderstanding of some flags).)

At least I know that the incident happened somewhere between 11:42 and 11:46, but the number of files is 10000+. The backup procedures have been off for some time, but we have recovered around 9000 of the files. I need to get the last 1000 as well, and they were only stored on that disk.

Should I from the information in the timeline use `dls` to extract the blocks mentioned between 11:42 and 11:46 and then try to analyse the blocks with `foremost` (or similar)? Or should I do a

    dls -f ext3fs /mnt/image.dd start-stop

where start is, say, the lowest block number (7th column) within the window and stop is the highest block number within the window?

Please give me some advice, as this is my first (and last)?

regards
andrass

--
Andrass Ziska Davidsen
LICengineering A/S
Ehlersvej 24
DK-2900 Hellerup
DENMARK
tel. (+45) 39 62 16 42
fax. (+45) 39 62 54 80
From: Brian C. <ca...@sl...> - 2004-10-06 15:54:39
On Oct 6, 2004, at 7:45 AM, Andrass Ziska Davidsen wrote:

> Dear sleuthkit-users,
>
> I have a disk image from which I need to recover deleted files. The
> system is ext3fs. I have The Sleuth Kit and Autopsy up and running.
>
> My question is then: Is there any guarantee that the inodes are
> deleted sequentially and in the same order as in the log?

Nope. They are deleted in the order that they are in the directory and the timeline is accurate to only the second. The ordering in the timeline in that second is based on how Perl sorts them in the internal 'mactime' data structure. There is nano-second resolution in the inode, but TSK currently ignores that.

> Or: Is it possible that the inodes from line 5 to 24 all belong to the
> same dir (...0331/NONLIN or ...etc/0412 Clamp)?

I would say that it is unlikely. The inode value (the number before the name) of files in the same directory should be somewhat close (inodes are allocated in the same block group as their parent directory). So, based on the above range I would guess that there are a few directories (I would need the 'fsstat' output though that contains the block group sizes).

> Should I from the information in the timeline use `dls` to extract the
> blocks mentioned between 11:42 and 11:46 and then try to analyse the
> blocks with `foremost` (or similar)? Or should I do a
> dls -f ext3fs /mnt/image.dd start-stop

Well, you don't know which blocks were allocated by those files... You can identify the block groups that were used by those files (using the inode numbers and the 'fsstat' output) and extract the unallocated blocks from those groups. Then run 'foremost'. If your files do not have a known header and footer though, 'foremost' will not help.

brian
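As an added illustration of Brian's suggestion (this is example code, not from the thread or from The Sleuth Kit), the script below maps the inode numbers in Andrass's timeline excerpt to their ext3 block groups and to the block range a `dls` run over each group would cover. The geometry constants are assumed placeholders and must be replaced with the "Inodes per group", "Blocks per group" and first-block values printed by `fsstat`.

```python
# Added example, not code from the thread or from The Sleuth Kit: map the inode
# numbers from the mactime timeline to ext3 block groups, then to the block
# range a `dls` run over each group would need. Geometry constants are ASSUMED;
# take the real values from `fsstat -f ext3fs sdb1.img`.
from collections import defaultdict

INODES_PER_GROUP = 16384   # assumed; fsstat prints "Inodes per group"
BLOCKS_PER_GROUP = 32768   # assumed; fsstat prints "Blocks per group"
FIRST_DATA_BLOCK = 0       # assumed; ext2/3 uses 1 for 1 KiB blocks, 0 otherwise

# Distinct inode numbers (7th column) copied from the timeline excerpt above.
TIMELINE_INODES = [
    12451900, 2998404, 5554256, 8257636, 13877367, 12812364, 12255345,
    11223152, 7553144, 4423788, 12812405, 11534455, 12812410, 6733944,
    6389880, 3981345, 11305068, 7913597, 9732192, 12206157, 2867317,
    3162206, 2621515, 3899448, 12468314, 8683640, 5046321, 6094953,
]

def block_group_of_inode(inode, inodes_per_group=INODES_PER_GROUP):
    """ext2/3 inode numbers are 1-based, so inodes 1..N live in group 0."""
    if inode < 1:
        raise ValueError("ext2/3 inode numbers start at 1")
    return (inode - 1) // inodes_per_group

def block_range_of_group(group, blocks_per_group=BLOCKS_PER_GROUP,
                         first_data_block=FIRST_DATA_BLOCK):
    """Inclusive (start, stop) block range covered by one block group."""
    start = first_data_block + group * blocks_per_group
    return start, start + blocks_per_group - 1

def inodes_by_group(inodes, inodes_per_group=INODES_PER_GROUP):
    """Cluster inodes by block group; files of one directory usually share a group."""
    groups = defaultdict(list)
    for ino in inodes:
        groups[block_group_of_inode(ino, inodes_per_group)].append(ino)
    return {g: sorted(v) for g, v in sorted(groups.items())}

def dls_commands(inodes, image="sdb1.img"):
    """One dls invocation per affected group, extracting only its unallocated blocks."""
    cmds = []
    for g in inodes_by_group(inodes):
        start, stop = block_range_of_group(g)
        cmds.append(f"dls -f ext3fs {image} {start}-{stop} > unalloc-bg{g}.dls")
    return cmds

if __name__ == "__main__":
    for g, inos in inodes_by_group(TIMELINE_INODES).items():
        print(f"block group {g}: inodes {inos} -> blocks {block_range_of_group(g)}")
```

The number of distinct groups returned is a rough lower bound on how many directories the deleted files came from, which is the estimate Brian makes from the inode spread; the per-group `dls` output is what would then be fed to `foremost`.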