Antoine Jacoutot <aja...@lp...> said:
> Hi !
>
> I am new to data recovery.
> I stupidly "rm" the content of an entire partition under FreeBSD.
> Of course, the data was very important, so I decided using the
> sleuthkit+autopsy.
> Now, after issuing the command:
> "bin/dls -be -f freebsd /dev/ad5s1e > /mnt/image.dd",
> I have after a couple of hours, an image.dd file that's 28Go big.
Until
> that, no problem.
> After that, I want to use autopsy to search the image content, but
when
> I tell him to add /mnt/image.dd it tells me this is not a freebsd
> filesystem image ...
> What did I do wrong ?
Antoine,
The 'dls -e' should be equivalent to using 'dd'. So, I would expect
it to work. What happens if you use 'dd' and grab the first 100 MB
and run the sleuth kit tools on that:
# dd if=/dev/ad5s1e of=/mnt/image2.dd bs=1m count=100
# bin/fls -f freebsd /mnt/image2.dd
It will likely report a read error, but it should pass the initial
sanity check. If so, then the 'dls' did not make the right image.
You may want to run 'fls' on the image.dd file as well because there
could be an error in the autopsy check (It was just added to the last
release).
thanks,
brian
|
