Thread: [sleuthkit-users] Recovery under ext3 after overwriting with same data tree
From: Marc M. <mar...@we...> - 2004-10-16 19:17:17
|
Hello,

when intending to backup my data on /dev/sdc1 (mounted on /home/marc), I erroneously entered
mount /dev/sdc1 /media/jaz
instead of
mount /dev/sdd1 /media/jaz

Then I drag&dropped with the Konqueror from /home/marc/work to /media/jaz. I don't know why it worked, but it did. Maybe because the Konqueror has been open at /home/marc/work prior to the false mounting.

The result is that I now have the complete directory structure of my data on /dev/sdc1, but without any bit of data (all files are 0 B).

Is there any chance to recover the data? Filesystem is ext3 (SuSE 8.1)

Thanks & best regards,
--
Marc Mausch
|
From: Brian C. <ca...@sl...> - 2004-10-18 02:41:14
|
I'm still not quite sure what you did. Was /dev/sdc1 mounted on both /home/marc and /media/jaz? If so, you basically copied files from the 'work' folder to the root directory and now all directories have the corresponding files with a size of 0?

Did you try to run fsck and check lost+found? It would seem that Linux would put the data somewhere instead of just losing it. If the files were deleted, then you will need to rely on a tool like foremost to recover the files ....

I would make an image of the disk and then run fsck on it though...

brian

On Oct 16, 2004, at 2:16 PM, Marc Mausch wrote:

> Hello,
>
> when intending to backup my data on /dev/sdc1 (mounted on /home/marc),
> I erroneously entered
> mount /dev/sdc1 /media/jaz
> instead of
> mount /dev/sdd1 /media/jaz
>
> Then I drag&dropped with the Konqueror from /home/marc/work to
> /media/jaz. I don't know why it worked, but it did. Maybe because the
> Konqueror has been open at /home/marc/work prior to the false
> mounting.
>
> The result is that I now have the complete directory structure of my
> data on /dev/sdc1, but without any bit of data (all files are 0 B).
>
> Is there any chance to recover the data? Filesystem is ext3 (SuSE 8.1)
>
|
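Header/footer signature carving, the kind of recovery the reply above refers to when it mentions a tool like foremost, shown as an added example that is not part of the original thread and is not foremost's own code. The signature table, size cap, function names and the sample buffer are assumptions constructed for illustration; `carve_image` opens the image copy read-only.

```python
import mmap

# Header/footer byte signatures (assumed, simplified set for this example).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_SIZE = 20 * 1024 * 1024  # stop looking for a footer after 20 MiB

def carve(data, signatures=SIGNATURES, max_size=MAX_SIZE):
    """Return [(kind, offset, bytes)] for every header/footer pair in data."""
    found = []
    for kind, (header, footer) in signatures.items():
        pos = 0
        while True:
            start = data.find(header, pos)
            if start == -1:
                break
            end = data.find(footer, start + len(header), start + max_size)
            if end == -1:
                pos = start + 1  # header without a footer in range: skip it
                continue
            end += len(footer)
            found.append((kind, start, bytes(data[start:end])))
            pos = end
    return sorted(found, key=lambda hit: hit[1])

def carve_image(path, out_prefix="carved"):
    """Carve a raw image file (never the live disk) and write each hit out."""
    with open(path, "rb") as fh, \
            mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        hits = carve(mm)
    for kind, offset, blob in hits:
        with open(f"{out_prefix}_{offset:010d}.{kind}", "wb") as out:
            out.write(blob)
    return [(kind, offset, len(blob)) for kind, offset, blob in hits]

# Constructed sample: filler, a fake JPEG, filler, a fake PNG, a stray header.
SAMPLE = (b"\x00" * 512
          + b"\xff\xd8\xff\xe0" + b"JFIF-constructed-body" + b"\xff\xd9"
          + b"\x00" * 100
          + b"\x89PNG\r\n\x1a\n" + b"constructed" + b"IEND\xaeB`\x82"
          + b"\xff\xd8\xff")  # header with no footer: must not be reported

if __name__ == "__main__":
    for kind, offset, blob in carve(SAMPLE):
        print(kind, offset, len(blob))
```

Carving ignores file system metadata, so recovered files have no names or timestamps, and a file whose blocks are fragmented or that contains an embedded footer marker will come out truncated.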
From: Eagle I. S. I. <in...@ea...> - 2004-10-24 02:44:02
|
I'm using the latest Sleuthkit and Autopsy.

I separated out the partition from a raw image file and symlinked it into Autopsy. It's an NTFS partition. (The extracted partition sits on a Firewire drive, if that matters)

Anyway, when I choose File Type and then choose to save only the graphic images and make thumbnails, and hit OK, the sorter immediately executes and almost immediately produces a result:

Images: /evidence/brew/Compaq/images/brewpart.dd
Files (3)
Allocated (0)
Unallocated (3)
Files Skipped (3)
Non Files (3)
- all subsequent entries are 0.

I've used this many times before and fully expected it to take a few hours.....it returned these results in less than 1 second.

Any idea what's going on here? I've viewed hundreds of images on this partition with another tool...I was looking for a one step way to thumbnail them.......

Niall.
|
From: Brian C. <ca...@sl...> - 2004-10-24 14:27:55
|
On Oct 23, 2004, at 9:44 PM, Eagle Investigative Services, Inc. wrote:

> I'm using the latest Sleuthkit and Autopsy.
>
> I separated out the partition from a raw image file and symlinked it
> into Autopsy. It's an NTFS partition.
>
> ...
>
> Any idea what's going on here? I've viewed hundreds of images on this
> partition with another tool...I was looking for a one step way to
> thumbnail them.......

Are there more files and directories that are shown in the normal file analysis view? Or does that have only a few files as well?

brian
|
From: Eagle I. S. I. <in...@ea...> - 2004-10-24 15:10:01
|
Brian,

Actually, the File Analysis window shows no files at all. I switched to a 2.4.27 kernel to make sure it wasn't anything with the 2.6 kernel, and even tried a fresh install of TSK, but the same results occurred.

Before I opened this email, I started a search for an ASCII string that I know exists, to see how it would fare. I'll report back when it completes.

If there's anything else you'd like me to check, I'm happy to.

Niall.

-----Original Message-----
From: Brian Carrier [mailto:ca...@sl...]
Sent: Sunday, October 24, 2004 9:28 AM
To: Eagle Investigative Services, Inc.
Cc: sle...@li...
Subject: Re: [sleuthkit-users] Unusual behavior

On Oct 23, 2004, at 9:44 PM, Eagle Investigative Services, Inc. wrote:

> I'm using the latest Sleuthkit and Autopsy.
>
> I separated out the partition from a raw image file and symlinked it
> into Autopsy. It's an NTFS partition.
>
> ...
>
> Any idea what's going on here? I've viewed hundreds of images on this
> partition with another tool...I was looking for a one step way to
> thumbnail them.......

Are there more files and directories that are shown in the normal file analysis view? Or does that have only a few files as well?

brian
|