Thread: [sleuthkit-users] How to simply undelete files ?
From: <te...@me...> - 2006-01-24 10:55:02
Hello everybody,

I'm new to sleuthkit, and I've got a problem which might seem very basic to most of you but I can't resolve it:

I recently burned some files from my hard-disk to a CD / RW, then I deleted these files from my hard-disk. When I tried to read the CD, there seems to be nothing on it. I wasn't able to dd an image of the cd, so I can't recover my files this way.

Then I launched autopsy on my hard-disk. Using File analysis, I can see all the deleted files, but now, I don't know how to recover them. I don't want to use the sorter tool from autopsy because I don't have enough free space to copy all the recovered files, only enough for the 700Mb of my deleted files.

I would like to know what is the simple procedure to recover one by one a few files which seem in a good state to recover (as the partition where I deleted files wasn't mounted since the deletion).
From: Barry J. G. <bg...@im...> - 2006-01-24 14:43:26
On Tue, 2006-01-24 at 11:56 +0100, te...@me... wrote:
> I would like to know what is the simple procedure to recover one by one a few files which seem in a good state to recover
> (as the partition where I deleted files wasn't mounted since the deletion).

The ease of this will depend on the filesystem these files are on. For starters, have a look at the man page for icat (with the -r option). Use fls to find the inodes of deleted files, then pass the inode as an argument to icat to recover the file. Again, the success of this will depend on the FS type.

--
Special Agent Barry J. Grundy
NASA Office of Inspector General
Computer Crimes Division
Goddard Space Flight Center
Code 190 Greenbelt Rd.
Greenbelt, MD 20771
(301)286-3358
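The fls-then-icat procedure from the reply above, as an added Python example that is not part of the original thread: it turns `fls -r -d -p` output into a list of deleted regular files and recovers them one inode at a time with `icat -r`. The sample listing, the helper names and the output naming scheme are constructed for illustration.

```python
import os
import re
import subprocess

# Constructed sample of `fls -r -d -p <image>` output (not from the thread).
SAMPLE_FLS = (
    "r/r * 1042:\thome/user/burn/report.pdf\n"
    "r/r * 1043(realloc):\thome/user/burn/notes.txt\n"
    "d/d * 1050:\thome/user/burn/old\n"
    "r/r * 0:\thome/user/burn/lost.iso\n"
)

# <name type>/<metadata type> * <inode>[(realloc)]:<TAB><path>
ENTRY = re.compile(r"^(\S+)/(\S+) \* ([\d-]+)(\(realloc\))?:\t(.+)$")

def parse_deleted(fls_output):
    """Return (inode, path, reallocated) for each deleted regular file."""
    found = []
    for line in fls_output.splitlines():
        m = ENTRY.match(line)
        if not m or m.group(2) != "r":
            continue  # directories, or lines in a format we do not expect
        if m.group(3) == "0":
            continue  # no metadata address left for icat to follow
        found.append((m.group(3), m.group(5), bool(m.group(4))))
    return found

def safe_name(inode, path):
    """Names come from the evidence image: keep only the last component."""
    return f"{inode}_{os.path.basename(path)}"

def list_deleted(image):
    """Run fls: -r recurse, -d deleted entries only, -p print full paths."""
    out = subprocess.run(["fls", "-r", "-d", "-p", image],
                         capture_output=True, text=True, check=True).stdout
    return parse_deleted(out)

def recover(image, inode, path, outdir):
    """Write what `icat -r` can still reach for one inode; return its size."""
    dest = os.path.join(outdir, safe_name(inode, path))
    with open(dest, "wb") as out:
        subprocess.run(["icat", "-r", image, inode], stdout=out, check=True)
    return os.path.getsize(dest)

if __name__ == "__main__":
    for inode, path, realloc in parse_deleted(SAMPLE_FLS):
        note = "  (inode reallocated: content may be another file's)" if realloc else ""
        print(f"{inode}\t{safe_name(inode, path)}{note}")
```

Calling `recover()` per entry and checking the returned size lets files be pulled one by one into limited free space; a size of 0 means the inode no longer points at any data.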
From: <te...@me...> - 2006-01-24 15:44:10
Is it possible to get some data on the CD / RW even if it seems unreadable with dd not working?
From: farmer d. <far...@ya...> - 2006-01-25 00:24:17
Hi,

Your success will depend largely on the file system type the deleted files reside on. What type?

Using The Sleuth Kit you can use 'icat' to undelete deleted files.

Other utilities are available that can assist, depending upon the file system type.

regards,

farmerdude

THE FARMER'S BOOT CD

--- "te...@me..." <te...@me...> wrote:
> Hello everybody,
> I'm new to sleuthkit, and I've got a problem which might seem very basic to most of you but I can't resolve it:
> I recently burned some files from my hard-disk to a CD / RW, then I deleted these files from my hard-disk.
> When I tried to read the CD, there seems to be nothing on it.
> I wasn't able to dd an image of the cd, so I can't recover my files this way.
> Then I launched autopsy on my hard-disk. Using File analysis, I can see all the deleted files, but now, I don't know how
> to recover them. I don't want to use the sorter tool from autopsy because I don't have enough free space to copy all the
> recovered files, only enough for the 700Mb of my deleted files.
> I would like to know what is the simple procedure to recover one by one a few files which seem in a good state to recover
> (as the partition where I deleted files wasn't mounted since the deletion).
From: <te...@me...> - 2006-01-25 07:36:58
Hello,

I think my problem is that the files were deleted on an EXT3 filesystem, it's certainly why icat doesn't find anything.

farmer dude wrote:
> Hi,
>
> Your success will depend largely on the file system type the deleted files reside on. What type?
>
> Using The Sleuth Kit you can use 'icat' to undelete deleted files.
>
> Other utilities are available that can assist, depending upon the file system type.
>
> regards,
>
> farmerdude
>
> THE FARMER'S BOOT CD
From: farmer d. <far...@ya...> - 2006-01-30 03:53:40
With ext3 you will have to carve for headers/footers -OR- search for what you're looking for (IE, a key word or phrase, hopefully unique :) ) due to how deletion is handled.

regards,

farmerdude

--- "te...@me..." <te...@me...> wrote:
> Hello,
> I think my problem is that the files were deleted on an EXT3 filesystem, it's certainly why icat doesn't find anything.
>
> farmer dude wrote:
> > Hi,
> >
> > Your success will depend largely on the file system type the deleted files reside on. What type?
> >
> > Using The Sleuth Kit you can use 'icat' to undelete deleted files.
> >
> > Other utilities are available that can assist, depending upon the file system type.
> >
> > regards,
> >
> > farmerdude
> >
> > THE FARMER'S BOOT CD
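Header/footer carving as suggested in the last reply, shown as an added Python example that is not part of the original thread: it scans raw bytes for a file-type header and the next matching footer and reports each span. The two signatures, the size limit, the function names and the sample buffer are assumptions chosen for illustration.

```python
import mmap

# (header, footer) byte signatures; two common types chosen for illustration.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
}

def carve(data, max_size=50 * 1024 * 1024):
    """Return sorted (kind, start, end) spans running from header to footer.

    Works on bytes or an mmap. Assumes each file is stored contiguously;
    fragmented files come out truncated or mixed with other data.
    """
    spans = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = data.find(header)
        while pos != -1:
            end = data.find(footer, pos + len(header), pos + max_size)
            if end == -1:
                pos = data.find(header, pos + 1)  # no footer within range
                continue
            end += len(footer)
            spans.append((kind, pos, end))
            pos = data.find(header, end)
    return sorted(spans, key=lambda s: s[1])

def carve_image(path, outdir="."):
    """Carve a raw image on disk through mmap, one output file per span."""
    with open(path, "rb") as fh, \
            mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        spans = carve(mm)
        for kind, start, end in spans:
            with open(f"{outdir}/carved_{start}.{kind}", "wb") as out:
                out.write(mm[start:end])
    return spans

# Constructed sample: two small "files" separated by zero-filled sectors.
JPEG = b"\xff\xd8\xff\xe0" + b"J" * 20 + b"\xff\xd9"
PDF = b"%PDF-1.4\n" + b"P" * 15 + b"%%EOF"
SAMPLE = b"\x00" * 512 + JPEG + b"\x00" * 100 + PDF + b"\x00" * 64

if __name__ == "__main__":
    for kind, start, end in carve(SAMPLE):
        print(kind, start, end)
```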